Cryptolocker Thieves Likely Making 'Millions' As Bitcoin Breaks $1,000


It was mid-October when a new form of malware quietly found its way onto one of the computers of a small business in England, threatened to permanently encrypt most of its files, and then did just that.

IT administrator David* had never heard of Cryptolocker, and was nonplussed when he got into the office that morning and saw a strange pop-up with a timer that was counting down.

It told him that thousands of his company’s files had been encrypted, and that he had to pay a $300 ransom to get the decryption key to save them or else they'd remain locked forever.

He had no backups, but he also gave no thought to paying up.

David and his company were one of the early victims of Cryptolocker, a type of malware also known as ransomware that has spread via e-mail across thousands of computers in the U.K. and forced people to literally put a value on their data.

Ransomware has been around for years, but Cryptolocker is unusually widespread and uses a higher, commercial-grade form of RSA encryption. Today Cryptolocker is making its way into the United States and collecting much higher ransoms in Bitcoin, the virtual currency which broke through $1,000 for the first time on Wednesday. In many cases it’s now asking for 2 Bitcoin as ransom, or more than $2,000.

“I couldn't understand how the trojan got in and why the antivirus didn't stop it,” David says. When he checked his antivirus logs afterwards, he could see when the malware had entered, but there had been no quarantining action and it was left to spread.

In the end, Cryptolocker did exactly as it threatened, leaving everything encrypted and the key deleted. The files were not vital and the company could afford to lose them, but it was “a bit of a blow to my pride,” David says. "I didn't even think about the payment method because I felt so angry that criminals would benefit from that." He ended up getting rid of the malware by rolling Windows XP back to a previous restore point, which of course didn't restore the encrypted files.

None of his colleagues would own up to opening the fake, e-mailed attachment that let the malware run loose. Cryptolocker has been spreading via what look like legitimate business e-mails: fake FedEx and UPS tracking notices, or phony correspondence from banks and other financial institutions. The e-mails are targeting small businesses, and the malware goes after Windows files (70 different types) such as PowerPoint and Excel files. If files are shared on a network, the malware can reach other machines too, as well as USB thumb drives connected to the infected computer. The malware that infected David's company was confined to one PC because it was not networked, and took out .doc, .xls, .pdf and .mdb files.
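Because Cryptolocker gives itself away by rewriting many document files in a short time, a simple behavioural check can catch what signature-based antivirus missed in David's case. The following is an added example, not code from the article or from FireEye: it scans a constructed file-event log (timestamp, process id, operation, path; a format assumed here) and flags any process that modifies twenty or more of the file types named above within a minute, whether the files sit on the local disk, a network share or a USB drive.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# File types the article says Cryptolocker took out on the infected PC.
TARGET_EXTS = {".doc", ".xls", ".pdf", ".mdb"}

def make_sample_log():
    """Constructed events, 'ISO-timestamp<TAB>pid<TAB>op<TAB>path' (not real telemetry)."""
    t0 = datetime(2013, 10, 15, 8, 0, 0)
    lines = []
    for i in range(3):  # pid 1204: a user saving a few documents over an hour (benign)
        ts = t0 + timedelta(minutes=20 * i)
        lines.append(f"{ts.isoformat()}\t1204\tMODIFY\tC:\\Users\\david\\Documents\\memo{i}.doc")
    # pid 3377: one process rewriting 40 target-type files in 20 seconds, spread over
    # the local disk, a mapped network share and a USB drive (ransomware-like burst).
    roots = ["C:\\Users\\david\\Documents", "\\\\fileserver\\shared", "E:\\usb"]
    exts = sorted(TARGET_EXTS)
    for i in range(40):
        ts = t0 + timedelta(minutes=30, milliseconds=500 * i)
        lines.append(f"{ts.isoformat()}\t3377\tMODIFY\t{roots[i % 3]}\\file{i}{exts[i % 4]}")
    # The same process also touches a non-target file, which must not count.
    lines.append(f"{(t0 + timedelta(minutes=31)).isoformat()}\t3377\tMODIFY\tC:\\Windows\\Temp\\x.tmp")
    return sorted(lines)  # ISO timestamps sort chronologically as strings

def parse_event(line):
    ts, pid, op, path = line.rstrip("\n").split("\t", 3)
    return datetime.fromisoformat(ts), int(pid), op, path

def ext_of(path):
    dot = path.rfind(".")
    return path[dot:].lower() if dot > path.rfind("\\") else ""

def find_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {pid: peak count} for processes that modified >= threshold target-type
    files inside a sliding window, regardless of where (disk, share, USB) they live."""
    recent = defaultdict(deque)  # pid -> timestamps of its recent target-file writes
    flagged = {}
    for line in lines:  # lines must be in time order
        ts, pid, op, path = parse_event(line)
        if op != "MODIFY" or ext_of(path) not in TARGET_EXTS:
            continue
        q = recent[pid]
        q.append(ts)
        while ts - q[0] > window:  # drop writes that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[pid] = max(flagged.get(pid, 0), len(q))
    return flagged
```

On the constructed log, `find_bursts(make_sample_log())` flags only process 3377, with a peak of 40 target-file writes inside one window; the benign editor and the .tmp write are ignored.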

Security writer Brian Krebs has called it a “diabolical twist on an old scam.” It’s a classic phishing attack, except the malware is sophisticated in getting past antivirus programs, infecting computers via several surreptitious steps: after victims get the first spam email, the attachment that a victim opens downloads a separate application, which downloads malware that finally downloads Cryptolocker, according to Uttang Dawda of security software firm FireEye, who has been studying the malware over the last month.

Dawda says that tens of thousands of computers have been affected and that the perpetrators, who appear to be in Russia based on domain name tracing, are likely bringing in millions of dollars in ransom payments. Their costs won’t be high assuming they have rented a botnet, a network of hundreds or thousands of infected zombie computers, to spam e-mail addresses with dubious links. Mass spamming means they’ve already hit some unwise targets: last week a police department in Massachusetts admitted to paying a ransom to Cryptolocker in Bitcoin.

Bitcoin is key to Cryptolocker’s continuation — the currency is anonymized and means ransom payments can’t be traced — but it was also a problem for Cryptolocker at first. According to Krebs, initial victims of Cryptolocker like David were willing to pay the ransom but couldn’t because they didn’t know how to make payments through Bitcoin or Moneypak, which was another form of accepted payment.

Earlier this month, the perpetrators changed tack, giving victims a second chance to pay the ransom. The very first ransom demands started at $100, then rose to $300, and are now typically 2 Bitcoin (roughly $2,000 today). The second-chance ransom rises fivefold to 10 Bitcoin. The controllers even set up a customer service feature on Tor, where victims can more easily pay up. The strange, user-friendly site on the anonymized network says that "customers" simply need to upload one of their encrypted files to get an order number, and then “purchase private key and decrypter for files.”

Looking forward, the Cryptolocker thieves would have to do some major revamping if they wanted the malware to spread to mobile devices, says FireEye's Uttang, but it’s within the realm of possibility as the malware continues to spread geographically.

Meanwhile the value of Bitcoin has more than tripled since mid-September, when Cryptolocker was first detected, reaching an all-time high of $1,070 on Wednesday. That means the perps behind Cryptolocker will see the value of their collected ransoms get a boost too.

Victims are clearly in a dilemma, since paying the ransom only enables the thieves to go after more victims. "The best solution would be to not get infected,” says Uttang. “You need to educate users not to infect themselves. It’s not a security update but user education.” The takeaway advice from Uttang (and our own IT administrators) is to make regular backups of all key files, be careful about opening e-mail attachments, particularly from unknown senders, and don’t follow unsolicited web links.

*Name has been changed.