For the last month, malware known as CryptoLocker has been making its way around the web. It runs on a victim’s computer where it then encrypts user-created files on the local hard drive and any mapped network drives where the user has write access. There are at least three variants of CryptoLocker out there. The first version of CryptoLocker demanded $100 to be paid for the private key to decrypt your files. A second variant worked the same but demanded $300. A third version has been seen that does not request payment and does not provide a means to decrypt the files; it is purely malicious.
Much of the information on CryptoLocker has been curated in this thread over at Bleeping Computer.
CryptoLocker scans the computer and encrypts files based on their extension:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c
According to a few people who have paid the ransom, it does successfully decrypt the files, though it takes a while to do so. The best defence against CryptoLocker is to have good backups in place. Another suggestion is to use Group Policy to apply a Software Restriction Policy that prevents .exe files from running under the AppData folder and its sub-folders.
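To see which files on a mapped share fall inside the target set listed above, and therefore must be covered by the backups recommended here, the following Python script re-implements CryptoLocker's file-name matching and walks a directory tree with it. This is an added example, not code from the original post; the pattern list is copied from the list above, and the sample share layout is constructed for the demonstration.

```python
import fnmatch
import os
import tempfile

# File-name patterns CryptoLocker is reported to target, copied from the list above.
# As in the original patterns, '?' matches one character and '*' any run of characters.
TARGET_PATTERNS = """
*.odt *.ods *.odp *.odm *.odc *.odb *.doc *.docx *.docm *.wps *.xls *.xlsx *.xlsm
*.xlsb *.xlk *.ppt *.pptx *.pptm *.mdb *.accdb *.pst *.dwg *.dxf *.dxg *.wpd *.rtf
*.wb2 *.mdf *.dbf *.psd *.pdd *.eps *.ai *.indd *.cdr ????????.jpg ????????.jpe
img_*.jpg *.dng *.3fr *.arw *.srf *.sr2 *.bay *.crw *.cr2 *.dcr *.kdc *.erf *.mef
*.mrw *.nef *.nrw *.orf *.raf *.raw *.rwl *.rw2 *.r3d *.ptx *.pef *.srw *.x3f
*.der *.cer *.crt *.pem *.pfx *.p12 *.p7b *.p7c
""".split()

def is_targeted(filename):
    """True if the bare file name matches a target pattern (case-insensitive, as on
    NTFS); note that '????????.jpg' only matches JPEGs with an 8-character name."""
    name = filename.lower()
    return any(fnmatch.fnmatchcase(name, pat) for pat in TARGET_PATTERNS)

def inventory(root):
    """Walk a directory tree (a mapped share, say) and return every file that
    CryptoLocker would encrypt, so backup coverage can be checked against it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if is_targeted(f))
    return sorted(hits)

# Constructed sample share layout; only some of these match the target set.
SAMPLE_FILES = ["Finance/budget.xlsx", "Finance/notes.txt", "Photos/DSC00001.JPG",
                "Photos/img_vacation.jpg", "Photos/thumbnail.jpg",
                "PKI/server.pem", "Apps/setup.exe"]

def build_sample_share():
    """Create the constructed sample tree under a temp directory; return its root."""
    root = tempfile.mkdtemp(prefix="share_")
    for rel in SAMPLE_FILES:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample content\n")
    return root

def demo():
    """Inventory the sample share; returns share-relative paths of exposed files."""
    root = build_sample_share()
    return [os.path.relpath(p, root).replace(os.sep, "/") for p in inventory(root)]
```

Point `inventory()` at the root of a real mapped drive to list the files at risk there; `demo()` runs the same logic over the constructed sample tree.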
The software uses the Registry to store a “map” to the files it has encrypted and uses it to decrypt the files once it receives the key after the ransom is paid. If that’s the route you plan on taking, then be sure to not delete that Registry tree during an investigation.
CryptoLocker is currently spreading as an email attachment (typically appearing to come from FedEx, UPS, etc.), through exploit kits on compromised websites, or through Trojans that claim to be needed for playing videos.