CryptoLocker took heavy toll on UK users, decryption figures show

PDFs the most popular decryption request

Dutch security firm Fox-IT has received 546 requests to decrypt files from UK-based victims of the CryptoLocker ransom Trojan since it launched a free unlock service last month, the highest proportion from any country.

In early August, Fox-IT, along with US security firm FireEye, set up the DecryptoLocker website, since when they have received 1,933 decryption requests from victims in the US, 546 from the UK, 159 from Canada, 96 from Australia, 93 from India, and 53 from France.

Fourteen other countries accounted for a further 161 requests, including nine from Russia, believed to be the homeland of CryptoLocker's creators.

The total of around 2,900 sounds surprisingly modest given that CryptoLocker probably infected at least 625,000 computers between September 2013 and its dissolution during Operation Tovar in late May 2014.

It could be that many victims have moved on, writing off their files for good or reinstating them from backups. A small percentage will have paid the ransom or simply not heard of the decryption service.

What it does suggest is that the UK was a hotspot for CryptoLocker, as Fox-IT acknowledges.

"An interesting fact is that in the UK, relatively more victims have requested their keys than in the US - more than in all other large countries to be precise. Only some very small countries with a handful of infections showed greater ratios, which can be attributed to too low statistical sample sizes," said Fox-IT's Joost Bijl.

Almost a quarter of the decryption requests had been for PDF files, a fraction above the number wanting to get back Office .doc files. Excel .xls files accounted for 15 percent, with .docx on 13 percent and .jpg on 9.5 percent. This hints that the majority of the victims seeking keys have probably been business users.

The DecryptoLocker site remains up and running for anyone still wanting to retrieve individual files, or to recover a whole system using a supplied utility.

The bad news is that there is still no equivalent for CryptoLocker's successors such as CryptoWall.

"The most asked question was from victims of other ransomware: will we be able to provide a solution for CryptoWall, Synolocker, CryptoLocker V2 or others? Unfortunately we don't offer decryption keys for these ransomwares. It is unlikely we will provide something for that anytime soon."

It is possible that this could change. The best advice to anyone who becomes infected is not to pay the ransom - no key will be sent anyway - and to hang on to the encrypted files in the meantime.

UK authorities still have no idea about the number of UK-based victims of CryptoLocker, or any of the other ransom Trojans for that matter. Earlier this year, researchers at the University of Kent put the probable number in the tens of thousands after analysing a questionnaire.
