Cryptolocker: The evolution of extortion

Cryptolocker, the latest ransomware, may be newsworthy, but it's been hyped, too, says expert

The Cryptolocker Trojan is an evolution of "ransomware," not a revolutionary change from past criminal attempts to extort money from PC owners, a security expert said today.

And the recent media blitz about the ransomware has elements of exaggeration about it.

"There is a bit of hype," said John Shier, a senior security advisor for U.K.-based Sophos, in an interview today. "Actually, it's only the latest incarnation of ransomware."

Ransomware is a category of malware that, once on a system, encrypts files and then tries to convince users to pay to decrypt them so they can again be opened. The crimeware has been in active circulation since at least 2005, with traces harking back as far as 1989.

But reports of Cryptolocker, which first appeared earlier this year, have been more prominent and persistent than any of its predecessors.

Why is that?

"It's taken lessons [from those ancestors] of how to do things better," said Shier, who repeatedly argued that Cryptolocker was not revolutionary, but evolutionary in its tactics and techniques. "It's not the first to use a public key," Shier cited as an example. Public-key cryptography relies on a pair of digital keys, one public, which is stored on the victimized PC, the other private, which is not. Instead, Cryptolocker ships that private key to the cyber-criminals, who hold it until payment is received.

Cryptolocker is newsworthy for several reasons, said Shier, who ticked off the near-impossibility of cracking the encryption; the fact that each compromised PC generates its own public-key pair, so acquiring one private key doesn't help others whose machines have been infected; the encryption of not only local files, but also those on accessible networks; targeting valuable user-made content, not the operating system; and its high ransom price, which can reach into four figures.

The Swansea, Mass. Police Department, for instance, paid $650 for a pair of Bitcoins to get its files back after a PC was infected with Cryptolocker, according to a report by the Herald News of Fall River, Mass. Both Swansea and Fall River are in southeast Massachusetts.

At Tuesday's exchange rate, the Swansea Police Departments two Bitcoins would cost more than $1,300.

Sophos, however, has seen very few Cryptolocker-infected PCs among those it protects. According to Shier, of the 16 million covered by Sophos' security software, it's counted fewer than 300 infections.

Shier offered a caveat, however. "It's not that big of a deal in businesses [which is Sophos' forte] because they have other defenses in place," he said, including robust spam filters, attachment blocking and multiple layers of security. "For consumers, it would be a little worse, I think, since many don't have those kinds of tools."

Shier sympathized with those whose files been encrypted by Cryptolocker, and although he stuck to the universal advice of all security experts to not pay the ransom -- something that increases their return on investment and so encourages them to continue -- said he understood why some may feel it's the only, or at least the least onerous, solution.

Sans backups, users facing Cryptolocker are essentially out of luck, he acknowledged. While the malware itself can be relatively easily scrubbed from the system, the already-encrypted files will remain encrypted.

One piece of advice, however, might help those who see the demand in the future. "Unplug the computer immediately," Shier said, pointing out that on a desktop PC, quick action may limit the damage because it takes time for the malware to encrypt every file it's targeted.

Sadly, Cryptolocker and its ilk won't go away until there's no profit to be made. "I don't see any evidence that [ransomware] won't continue," Shier said. "It's all about the monetization. As long as there's enough profit margin enough, they'll keep doing it."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is

See more by Gregg Keizer on

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Cybercrime and HackingsophossecurityMalware and Vulnerabilities

More about AppleGoogleMicrosoftNewsSophosTopicTwitter

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts