CryptoLocker Is The Nastiest Malware Ever & Here’s What You Can Do

Ransomware is an especially odious type of malware. The way it works is simple. Your computer will be infected with some malicious software. That software then renders your computer entirely unusable, sometimes purporting to be from local law enforcement and accusing you of committing a computer crime or viewing explicit pictures of children. It then demands monetary payment, either in the form of a ransom or a ‘fine’ before access to your computer is returned.

Horrible, isn’t it? Well, get ready to meet CryptoLocker; the evil patriarch of the Ransomware family.

What Is CryptoLocker

CryptoLocker is a piece of malware targeting computers running the Microsoft Windows operating system. It is typically spread as an email attachment, often purporting to be from a legitimate source (including Intuit and Companies House). Some say it is also being spread through the ZeuS botnet.

Once installed on your computer, it systematically encrypts all documents that are stored on your local computer, as well as ones that are stored on mapped network drives and mounted removable storage.


The encryption used is strong: 2048-bit RSA, with the decryption key for your files stored on a remote server. The odds of you being able to break this encryption are almost nonexistent. If you want to get your files back, CryptoLocker asks you to fork over some cash: either two bitcoins (at the time of writing, worth almost USD $380) or $300 in either MoneyPak or Ukash prepaid cards. If you don’t pay within three days, the decryption key is deleted and you lose access to your files forever.

I spoke to popular security expert and blogger Javvad Malik; this is what he had to say about CryptoLocker.

Ransomware such as CryptoLocker is not something very new – variations of Ransomware have been around for years. When you look at CryptoLocker, it predominantly comes in via phishing emails (from what I’ve seen). The best way to protect against it is for users to be vigilant against clicking on links within emails. Currently, it looks like there’s not much that can be done once infected and I wouldn’t advise anyone to pay the ransom. It goes back to having backups and data management in place.

Mitigating Against It

Reports suggest that some security programs have had a hard time preventing CryptoLocker from getting its claws into your system before it’s too late. Fortunately, American security expert Nick Shaw has created a handy piece of software called CryptoPrevent (free). This applies a number of settings to your installation of Windows that prevent CryptoLocker from ever executing, and it has been proven to work in Windows XP and Windows 7 environments.

It’s also worth making sure that you check emails to see if they’re suspect before you open any email attachments. Do they have an email address that matches up with the purported sender? Were you expecting any correspondence from them? Is the spelling and grammar consistent with what you’d expect from the genuine sender? These are all reasons to be suspicious of an email and to think twice about opening any attachments.

Having Proper Backup

In these circumstances, I’d encourage everyone to make regular backups that are isolated from your computer. Using a networked backup solution will be utterly ineffective, as CryptoLocker has been known to encrypt data stored on these volumes.


If you use a cloud backup service like Carbonite, you can take comfort in knowing the odds are good that your files are versioned. That means if you back up an encrypted copy of a file you care about, you can revert to an earlier version. An employee of Carbonite posted this advice on Reddit.

I work for Carbonite on the operations team, and I can confirm this for most cases – I will also offer these two pieces of advice:

1) If you are affected by the virus, you should disable or uninstall Carbonite as soon as possible. If you stop backing up the files, it’s more likely that Carbonite will not have overwritten a “last known good” backup set. There is a high risk of some recent data loss (you’re effectively going back in time, so if we have no record of the file existing at a previous time, you won’t get it back) with this method, but it’s far, far better than losing all of your files.

2) When you call customer support, which you should do as soon as possible, specifically mention that you are infected with cryptolocker. It was mentioned in the post above, but I just wanted to put emphasis on it because it’ll get you through the queue faster.

Edit: also, just to state the obvious, make doubly sure the infection is off your machine before you call support, please.
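The difference between a mirrored “networked backup” and a versioned one, together with the “last known good” restore the Carbonite reply describes, worked through as an added example (this is not the article’s or Carbonite’s code; the document, the snapshot labels and the overwrite that stands in for the infection are all constructed here):

```python
"""Versioned snapshots versus a mirrored backup after a CryptoLocker-style
overwrite. Added example; not code from the article or from Carbonite.
Paths, snapshot labels and file contents are constructed for the demo."""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex digest of a file's bytes, used to tell one version from another."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def mirror_backup(source: Path, mirror: Path) -> None:
    """A 'networked backup' in the article's sense: the destination always
    reflects the current source, so a file encrypted before the next run is
    copied over in its encrypted form and the good copy is gone."""
    shutil.copytree(source, mirror, dirs_exist_ok=True)


def take_snapshot(source: Path, store: Path, label: str) -> Path:
    """Versioned backup: every run writes a new directory named by `label`
    (a UTC timestamp in practice; fixed labels here so the demo is
    deterministic) and never touches earlier snapshots."""
    dest = store / label
    if dest.exists():
        raise FileExistsError(f"snapshot {label!r} already exists")
    shutil.copytree(source, dest)
    return dest


def versions_of(store: Path, relative: str) -> list[tuple[str, str]]:
    """(label, digest) for each snapshot holding `relative`, oldest first.
    Labels are ISO-style timestamps, so sorting them sorts by time."""
    found = []
    for snap in sorted(p for p in store.iterdir() if p.is_dir()):
        copy = snap / relative
        if copy.is_file():
            found.append((snap.name, sha256_of(copy)))
    return found


def restore_before(store: Path, relative: str, infected_label: str,
                   destination: Path) -> str | None:
    """Restore the newest copy of `relative` taken before `infected_label`.

    This is the 'going back in time' step from the Carbonite advice: changes
    made after that point are accepted as lost in exchange for a clean file.
    Returns the label restored from, or None if no earlier version exists."""
    earlier = [lbl for lbl, _ in versions_of(store, relative)
               if lbl < infected_label]
    if not earlier:
        return None
    destination.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(store / earlier[-1] / relative, destination)
    return earlier[-1]


def run_backup_demo() -> dict:
    """Back up one document both ways, overwrite it as the malware would,
    back up again, then see what each strategy can give back."""
    with tempfile.TemporaryDirectory() as d:
        work = Path(d)
        docs = work / "docs"
        docs.mkdir()
        report = docs / "report.txt"
        report.write_text("Q3 figures: all good\n")
        good = sha256_of(report)

        mirror_backup(docs, work / "mirror")
        take_snapshot(docs, work / "snapshots", "20131001T090000Z")

        # Constructed stand-in for the infection: the document is replaced in
        # place by bytes that no longer resemble it. Random bytes play the
        # part of ciphertext; nothing is really encrypted here.
        report.write_bytes(os.urandom(64))

        # Both backup jobs run again on schedule after the infection.
        mirror_backup(docs, work / "mirror")
        take_snapshot(docs, work / "snapshots", "20131004T090000Z")

        restored = work / "restore" / "report.txt"
        label = restore_before(work / "snapshots", "report.txt",
                               "20131004T090000Z", restored)
        return {
            "mirror_still_good": sha256_of(work / "mirror" / "report.txt") == good,
            "snapshot_versions": len(versions_of(work / "snapshots", "report.txt")),
            "restored_from": label,
            "restored_good": restored.is_file() and sha256_of(restored) == good,
        }


if __name__ == "__main__":
    print(run_backup_demo())
```

The mirror ends up holding only the overwritten bytes, while the snapshot store still has the earlier copy to roll back to.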

Should You Pay The Ransom?

What if your computer gets compromised? It goes without saying that brute-forcing a file encrypted with 2048-bit encryption is almost impossible. Noted computer security firm Sophos has looked at a number of files encrypted by this particular malware and has failed to find any obvious means by which they can be decrypted without forking over a ransom.

With that in mind, the only way to get your data back is by paying the ransom. However, this poses a major ethical dilemma. By paying the ransom, you make this type of chicanery profitable and therefore perpetuate it. However, if you don’t pay the ransom, you forever lose access to everything you’ve been working on which is stored on your computer.

What further complicates things is that it is impossible to ascertain who would be the recipient of any money paid. It may be something as simple as a single person working from his bedroom looking to get rich at the expense of others, or it might be something much more sinister.


I’ll leave the floor to you, the reader. Would you pay the ransom? Have you been infected with CryptoLocker? Leave your thoughts in the comments box below.

Image Credits: jm3 acampos



Scott H

Watch this, then you will realize there is no way you can protect yourself once the quantum computer gets into public hands. This is a must watch; it’s a good doc, a must watch.

Matthew H

Interesting! I’ll check that out! The University of Waterloo in Ontario has done some pretty interesting research on quantum computers too. Would be pretty excited to see what they’re working on.


My question is related to the article, not its subject. But what’s going on with your formatting? See the lines copied from the email I received. And this happens often.

CryptoLocker Is The Nastiest Malware Ever & Hereâ??s What You Can Do

the form of a ransom or a â??fineâ?? before access to

Horrible, isnâ??t it? Well, get ready to meet

If you donâ??t pay within three

onto your system before itâ??s too

Itâ??s also worth making sure that you

see if theyâ??re suspect before

consistent with what youâ??d

circumstances, Iâ??d encourage

However, if you donâ??t pay the ransom

everything youâ??ve been working

Iâ??ll leave the floor to you, the reader.


Is it possible for that virus to encrypt my Acronis backup, which I saved on my HDD? (tib file)

Scott M

I’m assuming things like Dropbox and Skydrive would be equally affected? I don’t think they have versioning, do they?

Matthew H

Dropbox does, and you can revert to an earlier version from the browser. I don’t know much about SkyDrive, however.

Lawrence Abrams

Any drive letter on an infected computer will be scanned by CryptoLocker for matching file types and encrypted. UNC network shares are left alone. Therefore, if dropbox or skydrive are mapped to a drive letter then the infection WILL attempt to encrypt it. Dropbox allows you to restore your files to a previous date before they were infected, so you will be in good shape there.

Steve Rathbun

Hey, Brian – I noticed that same thing on today’s article. I’ve never seen that before. Reckon what it is?

Vincent Lee

Dropbox will be affected. We used this as a replication backup solution for our files and the files were corrupted. The best thing is to do a full backup using something like Evault and store it offsite.

Tom W

The most important things on my pc are code files, which are stored on an external server using subversion. I need a better backup for my emails though.

Matthew H

If your server is accessible as a mounted network drive, then odds are good that your code can be compromised with CryptoLocker. Likewise if you’ve got it mounted as removable storage. Otherwise, I think you’re fine!

Tom W

It’s an external server, a Memset Miniserver hosted in their datacentre. The only link my computer has to it is the Repos I have set up.


Nope, because I use Chromebook ;)

Matthew H

Good shout. :)

Matthew H

That’s a good call! Although, if you share a network share with a windows computer infected with CryptoLocker, you still wouldn’t be able to access the files stored on the share. :(


I would suggest that sensitive data should be encrypted and backed up on cloud storage. Use truecrypt in combination with spideroak (they have zero-knowledge policy) for example. Everything else is easy to revert (OS, programs etc) if something like this should happen.

Matthew H

Sage advice! Thanks for your comment!


what’s the benefit of ‘encrypted backup’ in this context ? your encrypted files will be re-encrypted with different key (well, 99.999…% of the case)

Matthew H

That’s assuming that CryptoLocker goes after TrueCrypt volumes! It might not do!

Jenny R

Do you know of anyone who has paid the ransom and gotten their stuff back?

Matthew H

I don’t have any first-hand knowledge of it happening, but reports from other technology websites (Register, Sophos) suggest that paying the ransom works.

However, that in itself raises a few ethical dilemmas.

I should also add one last point. If the server holding the private key goes down (it’s been known to happen), then regardless of whether you pay the ransom or not, you’ll never get your files back.


Some people were getting their stuff back, it’s why people pay up in the first place, but white hats (hackers for good) already took out the C&C (command and control) computers, knocking out any ability to recover your file data. Most people were getting their files back before this, otherwise why pay up?

Lawrence Abrams

Though it is recommended that you do not pay the ransom if at all possible, paying the ransom will initiate the decryption process. As for the C2 servers being taken out, that is not true. Some of them have been blackholed for monitoring reasons, but unfortunately the rest are still live and kicking.

This is a double-edged sword. If you take them out no one else will get infected, but then there will be no way to pay the ransom and recover your files. Not an easy situation.

Vincent Lee

We paid the ransom. It was the only thing to do. The ransomware is real. If it was a single PC, I wouldn’t be so concerned, but it affected our network shared folders and that was problematic because these are files that we need for our day to day business.

Ashley Cardwell

There have been a few reports that paying the ransom actually works. Although it can take more than two weeks for the program to start reversing its actions.

Even though I personally wouldn’t suggest paying, it is somewhat relieving to know that if you have money to dispose of, you can get your files back.

Matthew H

Exactly. I’m curious, where did you get the few weeks figure from? I didn’t come across it whilst researching this article.


Would it also affect a dual boot system Ubuntu/Windows XP?


“CryptoLocker is a piece of malware targeting computers running the Microsoft Windows operating system.”

So, if the drive is readable by Windows (e.g., it’s FAT-formatted, or ext filesystem drivers are installed, or you’re using Wubi), your Ubuntu system will be hosed if Windows is infected. Ubuntu will not be infected.

If Ubuntu is on a separate, ext4 (the default) partition, and Windows can’t read it, your Ubuntu will be safe.

Matthew H

It would affect anything on the Windows XP partition. Not on the Ubuntu one, however.

Lawrence Abrams

CryptoLocker ONLY encrypts drive letters that are returned via the GetLogicalDrives function. If your Ubuntu partition is mapped as a drive letter it will be scanned for file types that CryptoLocker likes to encrypt. If it’s not mapped, then you have nothing to worry about.


I still use external drives to back up. I do not test the cloud

Matthew H

If your computer can mount it and address it, then CryptoLocker can affect it. I’d be interested in researching some CryptoLocker-resistant backup solutions.


Since it doesn’t affect Macs I am currently immune. However, I do run the Time Machine backup software to a wireless external hard drive. I wonder if it could access it if Macs were targeted (not that I’d run a program downloaded from the Internet in the first place.)


There is one rule that has been around since the first virus was spread across the Internet a couple of decades ago. Don’t run executable programs from the Internet unless you get them directly from the source or trusted mirror sites. Sheesh! It’s like giving the Gremlins food after midnight for Pete’s sake. Just follow the rules people.

Daniel E

Update the rule to “Don’t click on a suspicious link.” I should be able to write an entire short blog post on that, which would entail checking the padlock icon for purported https sites, looking more closely at the URL, etc.

Matthew H

Exactly. Although, from what I’ve heard, the social aspect of the attack is quite effective!


Those most at risk are families. The kids are now quite computer literate, but also quite computer naive/immature. They’ll happily click on these suspicious links. So the advice “don’t click on external links” doesn’t really help.

So, the question evolves to: how as the manager of the family’s machines do I protect the family and our resources (other than the obvious of keeping a virus scanner up to date)?

If the isolated backup is reconnected/connected to an infected machine during the backup process, will it not also be compromised?


@Hugh: Set up a file watcher to look at a text file at C:~0A~ (so it is first alphabetically).

Put some text in it, then never change it. Ever.

If the file watcher detects changes to it, have it eject all network drives.

Unfortunately, I only know how to do this in Linux, which is pretty useless since the virus does not affect Linux.
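The canary-file watcher sketched in the comment above, as an added example that is neither the commenter’s script nor part of the article. It runs on any OS; the decoy names and poll interval are assumptions, and the response hook (dropping mapped drive letters with `net use`) is one way the “eject all network drives” step could be done on Windows:

```python
"""Canary-file monitor: decoy files that nothing legitimate ever writes are
polled, and any change or disappearance triggers a response. Added example,
not the commenter's script. Decoy names, interval and hook are assumptions."""
from __future__ import annotations

import hashlib
import os
import subprocess
import sys
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import Callable

CANARY_TEXT = b"canary file: never edit or move this\n"


@dataclass(frozen=True)
class Alert:
    path: Path
    reason: str  # "modified", "renamed" or "missing"


def disconnect_mapped_drives(alerts: list[Alert]) -> None:
    """Response hook for the comment's plan: drop every mapped drive letter so
    the shares stop being reachable. `net use * /delete /y` is the stock
    Windows command; on other platforms this only reports the alerts."""
    for alert in alerts:
        print(f"canary {alert.path} {alert.reason}", file=sys.stderr)
    if sys.platform == "win32":
        subprocess.run(["net", "use", "*", "/delete", "/y"], check=False)


class CanaryMonitor:
    def __init__(self, canaries: list[Path],
                 on_alert: Callable[[list[Alert]], None] = disconnect_mapped_drives):
        self.canaries = list(canaries)
        self.on_alert = on_alert
        self.baseline: dict[Path, str] = {}

    def plant(self) -> None:
        """Create the decoys where absent and record each one's digest. A name
        that sorts first (the comment's C:~0A~ idea) gets hit early by a process
        walking the tree alphabetically."""
        for path in self.canaries:
            if not path.exists():
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(CANARY_TEXT)
            self.baseline[path] = hashlib.sha256(path.read_bytes()).hexdigest()

    def check(self) -> list[Alert]:
        """One poll: fires on_alert once if any decoy changed; returns the alerts."""
        alerts: list[Alert] = []
        for path, expected in self.baseline.items():
            if not path.exists():
                # Some families rename victims by appending a suffix; a sibling
                # whose name starts with the decoy's is reported as "renamed".
                renamed = any(path.parent.glob(path.name + ".*"))
                alerts.append(Alert(path, "renamed" if renamed else "missing"))
            elif hashlib.sha256(path.read_bytes()).hexdigest() != expected:
                alerts.append(Alert(path, "modified"))
        if alerts:
            self.on_alert(alerts)
        return alerts

    def watch(self, interval_s: float = 2.0, max_polls: int | None = None) -> list[Alert]:
        polls = 0
        while max_polls is None or polls < max_polls:
            alerts = self.check()
            if alerts:
                return alerts
            time.sleep(interval_s)
            polls += 1
        return []


def run_canary_demo() -> dict:
    """Plant two decoys, tamper with them as a mass-encrypting process would."""
    seen: list[Alert] = []
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        first = root / "~0A~.txt"              # sorts first, as in the comment
        deep = root / "docs" / "aaa_canary.docx"
        mon = CanaryMonitor([first, deep], on_alert=seen.extend)
        mon.plant()
        clean = mon.check()
        # Constructed tampering: one decoy overwritten in place with random
        # bytes standing in for ciphertext, the other renamed with a new suffix.
        first.write_bytes(os.urandom(len(CANARY_TEXT)))
        deep.rename(deep.with_name(deep.name + ".locked"))
        found = mon.check()
    return {"clean_alerts": len(clean), "reasons": [a.reason for a in found],
            "hook_fired": len(seen) == len(found)}


if __name__ == "__main__":
    print(run_canary_demo())
```

A real deployment would call `CanaryMonitor([...]).watch()` from a service account and plant decoys on every mapped share as well as the local disk.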


It CAN affect Macs. I had a client less than a week ago who had the CryptoLocker virus infect her Windows XP installation. Trouble was she was running it virtualized through Parallels Desktop on her iMac. She also had the access Mac home folder from Windows enabled in Parallels. As a result every single one of her pdf, eps, jpeg and Office documents on the Mac partition were hosed. Naturally it took out the same file types in Windows but there weren’t many of those. Most of her work was on the Mac.


What makes me wonder is how it’s possible, nowadays, to pay someone without leaving any trace of who’s the recipient.

Matthew H

Simple, really. Bitcoin is untraceable by design. Some prepaid cards like Ukash are hard to track too.


Yes, my point is that we shouldn’t complain too much, if we (widely meant) allow that.

In my country it would be really hard to do something like that.
There is no way to buy anything that involves money (from prepaid cards, to mobile SIM), without providing at least some kind of identification document.

And, even though I think I’ve used something like money transfer services only once in my life, a lot of years ago, I might be wrong, but I must provide the ID also to withdraw money from this kind of channels.

And that’s good, from my point of view: this should happen everywhere in the world, but I know I’m simply dreaming :)


Bitcoin is most certainly not untraceable. It’s just hard to track, but governments have pretty much cracked the anonymity of it in multiple cases. They use the public string that everyone has access to. Make no mistake the proprietors of this are almost certainly on someone’s radar.

Marc G

Who are these people who create such destroying software? They really don’t care about others’ belongings. I’ll be extra careful. On my external HDD is practically my whole life; losing this would be fatal for me. But what kind of ransom is that, to demand BitCoins, Monkey Pay or Ukash? I even don’t know what the latter two are! I’m nothing but horrified about this!

Matthew H

MoneyPak and Ukash are a US and UK thing respectively. If you’re in Germany (I assume you are based upon your email address), you’d be forced into using bitcoins.

With that in mind, the motivations behind the people who make this trash are obvious. It’s money. Money, money and more money.

How they can sleep at night is another question.


I had one of those dumb cryptolock deals infect my laptop. Let my girl mess with it for a night and the next day it was fixed. Everything was good to go with no loss of anything… now I’m wondering what all she can do on a computer.

Matthew H

Sounds like your girlfriend is rather kind indeed, as from what I’ve heard the only way to defeat CryptoLocker is to pay the ransom!


My computer at work got infected and it completely took over the shared drive so none of us can access. We ended up having to pay the ransom – takes 2 business days for payment to clear. I need to know if it affects phones – my phone has been acting weird lately and I did hook it up to my computer.

Matthew H

I’m sorry that happened. :( I don’t think it affects phones, but if you can mount your phone as external storage and you’ve got certain files on there, it’s entirely possible for it to affect your device.

How did you pay the ransom?

Justin P

This is freaking nasty. Glad I don’t work in IT anymore…

Matthew H

Me too man. Me too.

Caroline W

Indeed, and it’s scary as heck.

Jessica D

My aunt had this and after I tried so many things to get rid of it, the thing that worked was a system restore. It has not reappeared since.

Matthew H

I’m glad to hear about that!

Larry Clemons

I have a question for the tech types reading this. If someone used a router where the BIOS had been flashed with a Linux derivative, would the network attached storage be safe from infection?

Matthew H

If the NAS was using a file system that can be addressed by a Windows system (FAT or NTFS) and an infected computer can address it, then yes. I doubt the router would have anything to do with it.

Lawrence Abrams

Only if the NAS was mapped as a drive letter on the infected computer will CryptoLocker scan it.


I don’t negotiate with terrorists! I’d rather do a fresh install & lose everything!!!… besides, I backup everything anyways.

Matthew H

I like your attitude! :)

Joe Perone

I am amazed that all these new articles fail to mention the two sites who have been working on this malware from the beginning. Emsisoft analyzed this way before anyone else did:

Bleeping computer has been helping everyone since early Sept here:


Everyone else is simply regurgitating everything they discovered and have been helping people with for almost two months.

Matthew H

Thanks for the links. Much appreciated. The original researchers did some incredible work in the public interest. It’s really commendable.


I suggest making your backups on DVD discs, if you can fit them. Once the session is closed it can’t be messed up.
BTW, was that YouTube link a test to see who would click on it after reading the article?

Matthew H

Sage advice, although for large files I’d encourage you to use versioned, off site backups!


These criminals should be tracked down and charged to the full extent of the law (extortion is a crime)! As for would I pay, NO, and the only things I would lose would be code, but if I lose these, I always write it better when I rewrite so no real loss except the time taken to replace them!

Matthew H

Cheats never prosper, as my mum always says!


I agree with the point above.

I think U.S. Governmental Agencies should co-operate with white-hat hackers in order to physically catch hackers like the CryptoLocker gang and charge them as the extortionist, ransoming, malicious thieves they are.

Honestly, the hackers are making the government of the U.S. look pitifully outsmarted, meaning unless they’re caught, lots more people are going to become hackers in the coming future.


Luckily for me, I do not have anything on my computer that I could not replace, so I would certainly not pay any ransom demand; I would simply go without a computer first.

Matthew H

For sure! If you can go without your files, you’d be well advised to reinstall your entire OS.


A viable cryptolocker-resistant network backup is to use a shared volume which is only write-accessible by a specific account. You run your backup service (and only your backup service) under this account.

Matthew H

Interesting! Thanks for the advice! That’s really helpful.


Hold on a second. In simple terms, encryption is the same as converting digital information into something only you understand, kind of like making up your own language. Then it should be possible to encrypt something twice. Imagine some very simple encryption like just reversing the information: a piece of text that said “hello world!” would turn into “!dlrow olleh”, and if you then encrypt it by turning the letters into specified numbers, you would have to decrypt it twice.

So if CryptoLocker encrypted an encrypted file, that file would have been lost anyway. So encrypting your documents won’t save them from CryptoLocker, or am I completely wrong? I just don’t see how encrypting information protects it from encryption. That is, unless it looks for certain file types of course; if it wildly encrypted everything it had access to, it could corrupt the machine and then the people behind the software would never get the ransom in the first place.

Point is, some people claim encrypting your files protects them from CryptoLocker, but I don’t see how that makes them immune from further encryption.

Matthew H

As far as I understand it, CryptoLocker looks for certain file extensions.

Lawrence Abrams

Actually what would happen is that CryptoLocker would encrypt the encrypted file. The infection does not care about what the contents of the file are. All it cares about is the extension.

If it detects a particular file extension, and the infected user has write perms, it encrypts it. Simple as that.


Merkel’s phone can be hacked but the money trail here cannot be traced?

Matthew H

Bitcoin is pretty hard to track by design. It’s entirely anonymous. It’ll be pretty hard to track the money trail, unfortunately.


Take down the server that used to store the encryption keys. Is that also impossible to do for the people who hacked Merkel’s phone? And track who is maintaining it.


Really good article, Matt.

Being totally paranoid, I use VMWare to run another copy of Windows. I do all my coding on the virtual machine. (Since my virtual machine is just another file, if my virtual machine is toasted, I simply delete the corrupted file and copy a new one.) My source code is kept in a folder, on the virtual machine, encrypted by TrueCrypt. When I’m done for the day, I close the TrueCrypt volume and copy it to two external hard drives. I keep one external drive with my computer and the other elsewhere. I also only read emails and surf from the virtual machine. I do almost nothing on the physical machine.

Matthew H

That’s a really robust strategy! You mentioned you keep an offsite backup. Where do you store it?


I wonder: the USA, which has the technological power to send a virus to the computers of Iran’s nuclear centres or to spy on presidents’ cell phones, cannot locate the recipient of a MonkeyPack or Ukash account? Or else… this type of attack is an NSA practice and we are the guinea pigs…

Matthew H

I’m not sure! Bitcoin is pretty untraceable though. That’s a feature by design.

Jo K.

Been there done that. I elected to wipe my computer completely and not open any emails anymore in addition to banning my minor from it permanently. This one sucks!

Matthew H

It’s pretty evil, I’m not going to lie. I’m sorry you had to deal with CryptoLocker. Did you lose much?


Use Linux. :)
That, and keep a backup on a non-connected external HDD. If you have that, you can thoroughly wipe and reinstall and be none the worse for the experience.

Matthew H

Both good pieces of advice! Cheers!

Jo K.

Matthew I lost 2 years worth of data, countless pictures, files etc. Most I have backed up somewhere I think but it was very frustrating and painful. Sick thing was I stupidly stored all my passwords on a note card right on the desktop. I won’t do that again.

Cortman I don’t think Star Wars The Old Republic is compatible with Linux. And I have to have some form of relaxation after a rough day at the clinic.

Matthew H

That’s really sad. I’m sorry!

With regards to password management, have you considered looking into Lastpass?

Caroline W

‘LastPass’ – A Big Definitely for sure, 100%


You could try running windoze on virtualbox in linux.

Scott M 2

If anyone gets it and wants to get rid of it, start here:

There are some good links to other resources as well.

Matthew H

Brilliant, although this only removes the malware. It doesn’t decrypt the files that CryptoLocker gets its grubby hands on. For that, you’ll either have to revert to an earlier backup, or pay the ransom.

Hoosie Daddy

Can’t you just recover your files via a Freedom of Information Act request to the NSA?


you just gave me my first laugh of the day and it’s only 10 am
i think you’re on to something
maybe the most secure cloud solution in the world will be NSA
you’re brilliant

Matthew H

Okay, that made me laugh pretty hard.

Matthew H

Handy video. Cheers!

Scott M 2

What’s wrong Matthew H.? Can’t take that someone has a solution to the problem by deleting my previous comment? Thanks for perpetuating the myth that the ransom needs to be paid.

Matthew H

Hi Scott,

I didn’t delete your comment. I actually don’t have any control over that aspect of the site’s functionality. Some comments are manually verified, but that has nothing to do with me.

Furthermore, your original comment is available to view at the time of writing. I presume this is the one?

“If anyone gets it and wants to get rid of it, start here:
There are some good links to other resources as well.”



I had the same situation on one of my client workstations. If you have Windows 7 or 8 and the Professional version or higher, you can hopefully exploit the Volume Shadow Service that runs by default on those PCs. Download the free utility Shadow Explorer at and export your lost files from a timestamp that’s before the encryption. This worked for me.

Matthew H

That’s really useful. How did you get the files off your workstation without them being encrypted?


I downloaded the MS Security Essentials offline version and created the bootable CD, which allowed me to remove CryptoLocker. Then I booted back into the OS and proceeded with the above.

Jeff R

Does each file get a different 2048 bit key? If not I think it would be easier to break the encryption if you know the content of one or more encrypted file? I certainly could not do it, but perhaps someone could supply such a program

Lawrence Abrams

Only the malware developers know the private key, which is stored on the C2 server.


The defense seems simple enough. Back up your computer. My NovaStor backup saves its store as a file with an extension .nbd. That is not on the list of things that get encrypted. If worried about it, you could manually change the extension of the backup file to something like .sys, which the crypto program cannot go encrypting willy-nilly and expect the computer to continue to run. Or, you can back up to external drives, and then turn them off.

Matthew H

That’s a good shout! There are a bunch of ways in which you can mitigate against this awful malware, and that’s one of them! Cheers!


Pay the ransom, and then after your files have been decrypted, call your bank and tell them there was unauthorized activity on your account. If you have a good bank, you’ll get your money back.

Then Google “sandboxie” for a way to isolate a virus so it doesn’t infect your entire system when you accidentally download it.

Matthew H

Sadly, you don’t pay the ransom with a bank transfer, but rather with bitcoin and prepaid cash transfers. Both of these methods are nigh on impossible to reverse.

I’ll look into Sandboxie. Cheers.

Michael Dowling

I’ve used Sandboxie for ages, and can’t remember the last time I got infected with anything.

Caroline W

@Ricky. Is Sandboxie a way to download and run exe – or any unknown source file – inside it so it protects your machine detecting anything unruly safely?

Thanks in advance :)


With all the liberals in the world and techie giants, who have money, no one is willing to just Jail or assonate these bastard pseudo geniuses.
End of problem !
Of course unless you’re envious/jealous of their smarts and want to perpetuate the madness, so you can stay employed?
Evil is Evil, no matter how you sugar-coat it!

C Weir

I shouldn’t feed a troll, but how on earth do you manage to bring liberals into this? I know it must be hard with a pea-sized brain to contemplate this, but these criminals operate beyond borders. No single country has jurisdiction to just, off the bat, go to assassinate (see that correct spelling!) these people.

The people, when found, will face justice, and as a liberal, I would support that. But to kill them for it? A tad severe, no? But the trouble is, it’s not so easy to find these people. Blaming liberals for this and the lack of finding them, and insinuating that it’s because we are envious of their intelligence, is absolute nonsense – throw away that tin foil hat of yours!

How about you find them?! I suppose you think it’s so easy, since us liberals are to blame for inaction.

Just accept that although, as you infer, we are on average more intelligent, we still have our limits. And in addition this liberal, as I suspect most are, has just as much contempt for CryptoLocker and its maker(s). No-one’s endorsing it, or saying it’s a work of art and that it’s not evil – again, put that tin foil hat away, you special person you!

Larry C

If you pay there is nothing to stop them from asking for more money and more money. They will have you hooked like a sucker.

I need a backup program that will shrink most of my movies.

Caroline W

I was thinking the same thing Larry. If they have done it once and you paid, then surely they would carry on targeting you for more cash.

I’m no expert on this, but maybe it’s possible to compress your vids into zipped files? Someone else would need to verify this for you :)

Matthew H

You’re quite right. Sadly, it seems like they hold all the cards in this respect. Unless you pay up, you’re not going to get your files back.

Sture E

What if I open mail in, e.g., an iPad? Will I be safe then? CryptoLocker only works in Windows?

Matthew H

That’s correct. CryptoLocker only targets Windows machines, and since your iPad runs iOS, you should be safe.

With that said, it’s good practice to not open suspect attachments, regardless of what device you’re using.

Adrian B

I think my one word answer sorts it out. Linux.

Peter H

I’ve used computers since the days of mainframes and punch cards. I’ve got 30+ years as an avid PC user, before anyone wanted them (afraid to lose their “creativity”). Learned programming enough to make a DOS menu, basic BASIC and so on. But I’ve had no end of trouble with command line Linux. Like wipe-cleaned HDs on an infected machine. Luckily there were backups from Acronis. I have no interest in going “back” to learn another program, especially in view of the rapid command changes in and Disneyfication of Vista, Win 7+ as well as MS Word since 2003. It’s getting hard to be productive again without having to buy the Missing Manual to discover what things are now called and where they are, because MS no longer documents their programs. I’d hate to have to teach my co-workers and friends again and tell them what they no longer know. MS is an ageist company despite their sop to accessibility.


I started out punching cards myself. But I got fully into Linux only a couple of years ago and found out that there’s a lot of Windows-like GUI clickiness about it, in addition to the command line, which is usually faster. Take your pick.

My granddaughters run Bodhi. It’s easier, and a LOT safer, than running Windows. There are 300 other Linux distros besides Ubuntu. I like Mint (of course, they’re both Ubuntu derivatives). Zorin might be better for those who just can’t tear themselves away from the familiarity of Windows.

Matthew H

Well, yes. Although, I’d like to see Microsoft put more effort into hardening their OS to prevent things like this happening ever again!


I’m wondering if cloud systems like Dropbox are a safe backup or if they fall into that “networked backup” category. Does anyone know?


Since Dropbox uses a copy folder on the PC, it would get encrypted, then Dropbox would update the server’s copy. Boom.


Ugh. That was what I suspected. :-(

Matthew H

An addendum to this: Dropbox has versioning, so you *might* be able to revert to an earlier version of the file if it gets compromised.

No promises though.


The only “safe” backup is to your own separate, removable HD.

Recently MUO had an article about security blogs. Please read the article and read the articles that the blogs have about the security of cloud storage. Very eye-opening and educational. Bottom line is that cloud storage is no safer than local storage, no matter what the cloud storage providers advertise.

Cloud storage is no solution because the files still can be held for ransom. Not because of malware but because of corporate policy changes, changes in corporate ownership or storage providers going out of business.

Shmuel M

I did gain from your post, but most of all I did appreciate the word “Disneyfication.” That pretty much sums up MS in a nutshell!

Peter H

My daughter’s computer was “infected” with ransomware from The CyberCrime Division of The Internet Police. This one wouldn’t even let the PC boot, even in safe mode. Through googling, I found a reference to this on a site which offers a free utility called HitMan.Alert2. Checked out SurfRight and it seems okay (I’m always suspicious). HitMan.Alert2 boots from a USB stick/key before Windows and disables the rootkit as well as cleans out the registry keys and .dll files. It worked for us.

Subsequent checking with Malwarebytes (free, but I love it and made a donation) and SpyBot Search and Destroy (used it since WinDOS). I also use a Mozilla add-on called KeyScrambler from QFX.

But I have used ESET Nod32 for maybe 10 years, now on ESET Internet Security, and it has saved me from a number of legitimate websites which tried to install malware. I think it is cheap and it is always at the top of a number of independent tests annually. If you install it, you’ll get a cheap annual upgrade rate. You can put it on 3 machines and it also has a Mac version. It integrates into Firefox and Flock and IE for those who like Bing (I don’t understand this trapware).

Finally, I recommend Revo Uninstaller Pro, which lists all the stuff running at any time on your machine, closes boot-up things you don’t need, has a number of other helpful screens, and its uninstall program not only removes the program files but all references to the program. Adobe is the worst, sometimes with thousands of references and files. I love it and pay for it.

This is just my opinion and experience from 30 years of computing and maintenance of machines (I’m not IT).

Matthew H

Woah. That’s trippy. “The CyberCrime Division of The Internet Police”

That’d be almost farcical, if it wasn’t such an irritant to good people like yourself. Did you clean up your PC in the end?

Terry Straehley

When I click on the CryptoPrevent link in this message I get a “Halt – Do you want to go there?” message from McAfee. Is there a reason why McAfee has blacklisted that site? I’m a little concerned about downloading software from a site in that status.


Maybe your McAfee has been compromised?

Matthew H

That’s strange. By all accounts, CryptoPrevent is a legitimate product. Perhaps it’s something weird on McAfee’s end?

Chuck Aylworth

For perspective on bitcoin, Cryptolocker, MOOGland and Chinese “bit farmers” (not to mention crazy Idaho survivalist families) I highly recommend Neal Stephenson’s book “Reamde”. You won’t be sorry, if you like science fiction.

Matthew H

Funnily enough, you’re the second person in as many days to recommend that book to me. I must check it out. Cheers!

Pope Dominic

I wouldn’t pay ‘em under any circumstances. It’s precisely the same as giving ransoms to terrorists; it encourages them.

Whatever the loss to yourself, the damage to the greater society is worse.

Don’t pay ‘em. Lose the data.


Matthew H

Agreed. The only way people will stop making ransomware is if it suddenly stopped being profitable. Then, there would be no motivation to make it!

Caroline W

Hear-Hear :)

Aaron Barwick

I know a lady who got ransomware and she used Norton Power Eraser to get rid of it.

Matthew H

Whilst it’s fairly easy to remove CryptoLocker, doing so doesn’t decrypt your files. Nasty, isn’t it?


I paid and it decrypted everything for a couple of hours, then they infected most of the computers in my domain. Even when they say they have uninstalled the trojan, once you run a program like Malwarebytes it shows that your computer is infested with all kinds of bots.

Matthew H

That’s crazy. Did the other computers have mounted drives that are accessible from the originally infected machine?


I would like to see the perps tracked down and ransomed themselves. Any ideas on how and who could do this? The solution is to forcefully take it back to the source.


The problem is that it is very hard, if not impossible, to find the source. I would not be surprised if the source turned out to be a zombie PC or a whole series of them.

Ransom is no punishment. If and when apprehended, the perps should be securely staked out over a fire ant hill for a significant period of time.


Got it last Friday, so it had all day Saturday to work over my files (an employee opened an email attachment). Didn’t pay. My Trend Micro removed the virus overnight, but couldn’t restore files. I have read that if the virus is removed, the chance of restoring, even if you pay for the key, is substantially reduced. Backup was encrypted too. My MIS contractor was able to restore 90% of the files from a shadow copy. Still, it was a big hit and I haven’t got the bill from the contractor yet. The government needs to sic the NSA on these folks.


“The government needs to sic the NSA on these folks.”

Actually, someone should sic those guys on the NSA. LOL


Thanks dragonmouth. I expect your suggestion is better. For whatever it’s worth, if you are a small business and do have to hire a professional to restore your documents from a backup as I did, you should contact your insurance company and make a claim. I purchased a “valuable papers” rider with my coverage. It was less than $50 a year extra and it looks like they are going to cover the cost of paying someone to restore the backup from a shadow copy. Also, it did not encrypt anything in Exchange. So if you have copies of documents that you emailed to someone using Outlook and Exchange you can retrieve them by going through your emails and archives. Tedious, but beats the heck out of retyping a 20 page document.

Matthew H

Damn. That’s unfortunate. How much did it end up costing you in the end?


I’m running both WebRoot and Windows Defender on my Windows 8. Hopefully, that’s enough. If ever I did get one of these bugs, I would – and this would suck for my wallet – pay for an entirely new Windows OS, wipe drive clean, then install. “It’s the only way to be sure.” – Line from Aliens II.


Keep an install DVD of Ubuntu handy. That would eliminate a recurrence, besides being free.

Matthew H

Sadly, I think it’s quite possible for Cryptolocker to bypass common antivirus products. That’s part of what makes it so nasty.


I never put anything on a computer I can’t replace. Things like photos and music I copy to a DVD immediately. I got the FBI ransomware once. Just wiped the drive, and reinstalled Windows and no worries. You can try the “safe mode with networking” and try downloading “Combofix”, I’ve heard that works. Malwarebytes is also a good one.

Matthew H

Good to know! Thanks Joe!


I would think that if you were to use common sense security measures and NOT open attachments, zip, or .exe files from unknown sources that your data would remain safe. People fall for scams of all sorts all the time; the key here is to stay frosty. I get phishing e-mails allegedly from my bank always saying something stupid like my account has been compromised and that I need to follow a link provided and reactivate my account with new information. I assure you this does not happen ever, and your bank would either contact you by snail mail or by phone and instruct you to go to your branch to do something like that (this way you’re sure it’s the bank requesting this and they are sure you’re you). Yet thousands of people get scammed every year into giving criminals access to their banking information. Being cautious and being weak are NOT the same thing; you are responsible to protect yourself from these predators.

Jo-anne P

I get them daily from RBC, who I don’t bank with, and PayPal, lol. Ya, I will get right on that, click click, lol, hardly.

Caroline W

Yeah, me too; I get all sorts of dumb emails coming in about a ‘Problem Delivery from a Parcel Service’, an ‘IRS Payment glitch’, and other stupid emails from foreign people I’ve never heard of. And all have either links or attachments contained in them. I just click ‘Delete’ as soon as I see one. The latest one was about some ‘Administrator’ inviting me to join some Forum I have never heard of = ‘Delete’.

Egbule D

That’s a really nasty piece of virus.


Your question requires the presumption that once you pay they will actually give you the key. The other problem is presuming that if they give you a key it doesn’t leave you all nicely set up for it to reactivate for additional bribery.

Regarding the comment below about your formatting. I too have received your email with the same odd additions to several words that are not present in the online version.

Matthew H

Yeah, we’re looking into the formatting issues.

Honestly, I’d just decrypt all the files, copy them onto an external medium and rebuild your machine. Once it has been infected, you can’t vouch for its security.


My law office was infected with this virus today….we paid the ransom because we have to…they caught us between a rock and a hard place needing to access our client files. I think we are lucky that the system is currently being restored and it is actually working but what a mess! It goes without saying the time/expense my boss is paying for us to deal with all of this (employees to be here without access to our files and IT support/assistance). She may be paying for her mistake in opening something she shouldn’t have but it is too bad people create things like this to ruin other people’s work. I hope they find the creator of this…


Sorry to hear about your problem. While paying the ransom may have solved your immediate problem of access to clients’ files, what makes you sure that the problem is solved for the future? How do you know for sure that ALL the files were unencrypted and that the ransomware has been completely removed? Having found an easy target (your firm), the perps will try again and again. When was the last time you heard of a blackmailer being satisfied with only one payment? I hope your IT people are smart enough to rebuild your system from the ground up with as many precautions built in as possible instead of just restoring the files from a backup.



Would it work to set a user to read only permissions for everything but their home directory?

It doesn’t seem to affect system files, because Windows still has to run in order to decrypt it.

Steve Rathbun

I got hit with a ransomware a couple of months ago. It showed up as a very official looking page saying I’d been viewing child porn. I don’t view any porn, much less child. The end result was I’d have to pay a $300 USD fine to unlock my computer.
I did a restore to put it before the advent of this, which worked for a couple of days, then one day while emailing my girlfriend, the screen went totally white. I’d never seen this before. I know what blue screen is, but never heard of one going white. Fortunately my PC was still under warranty, so I sent it in for repair. The ransomware (I suspect) had done something to my hard drive, and it had to be replaced. Fortunately it was still under warranty and didn’t cost me anything.
I have no idea how this rode in. I never open unsolicited or unknown email, and as I said never watch porn, so it must have come in thru something else. The only attachments I open are from known sources, like my brother in San Francisco, or my girlfriend who travels a lot, when they send me photos. It could have somehow latched onto one of them. My bro doesn’t use a PC; he sends pix to my email via his smart phone, but my girl does use a PC, so it could have come in from her.
End result was it destroyed my hard drive. Could have been very expensive if not for the warranty!
Good article, MUO. Another big score for you!

Jo-anne P

I personally would not pay the ransom and not because I am broke. I backup on a regular basis and never click attachments unless I am aware of the sender and am expecting an attachment. My sister clicks everything and it would be possible for her to be infected and send it to me.

Horrible what people will do to make money and entertain themselves.


I don’t understand why no one is talking about taking out the perpetrators. If ransom is paid, then SOMEONE somewhere is reachable… and that person should be encrypted!

Larry C

Seen lots of web pages saying my browser is outdated or media player is outdated or need some new codec, and this one which is not Java website; GmbH

Any of these could be the culprit too.

Matthew H

As I understand it, right now it’s only being distributed by email and by ZeuS. I’m not aware of it being distributed in any other method.


Our company got infected by Cryptolocker. There was no way I was going to pay the ransom. We run always-on backups with Microsoft DPM and it only took 2 hours to restore approx 1TB of data to multiple servers. Crisis averted.

Matthew H

I’m glad to hear that! Did it affect any of your network drives?


This is the easiest way to clean up your computer. Once it becomes inoperable, reinstall the OS!

Matthew H

Agreed. Once infected, you can’t really trust that machine any more.

Dave Leippe

Reinstalling the OS is not a solution, unless you wipe the drive in between. Formatting is not a solution unless you wipe the drive. Quick Formatting only marks a previous file table for deletion. Long Formatting only adds ChkDSK, that’s it.

Wipe it if you want to disinfect it.


I don’t think that anyone should give the “ethical concerns” a second thought. This is not the same dilemma as when terrorists demand a ransom from a nation state. Seriously, are you willing to sacrifice your data on some grand “policy” rationale that by giving money you theoretically increase the likelihood that a random stranger will face the same problem at some later date? The greater concern should be practical: by forking over 300 clams (or whatever that is in cyber funny money) to some creep in Russia, will your files truly be unencrypted and will the malware truly be eradicated from your machine?


You’re making a fairly big leap of faith that the same person who has no scruples about harming you (and anyone else) just for monetary gain will actually remove said malware once you hand over the cash.

That’s the same logic 419-scam victims use as they see their bank accounts emptied, dollar by dollar.


Very informative / CryptoPrevent

Matthew H

Thank you for the kind words!


I would not pay the ransom. These people are dirt bags and there is no guarantee that you will get your files back after you pay. I run weekly backups and I am very careful about what I click on.

Matthew H

Good point. I’ll add that the only thing that is guaranteed to not return your files is doing nothing. Have good backup practices, otherwise your only option is to pay the ransom.

Shmuel M

This proves what I have always suspected; or at least since the mid-eighties. STAY AWAY FROM MICROSOFT!!!

Lawrence Abrams

This has nothing to do with Microsoft. This type of infection could easily be done on ANY operating system.

Liz G

I got encrypted…bad…infiltrated my server, my Google Drive and my Dropbox that was synced. Good news: purging was not necessarily a bad thing…it made me prioritize what I needed to recover. Luckily my husband’s copy of what I had shared with him survived…and a lot of files were originally attachments to emails, so just going back and redownloading emails helped. For me…paying the money would have alleviated a ton of the head game that I’m still sorting thru….and I remember the file that my intuition screamed about.. First do all you can to prevent…but then I’m open to the idea that 300 is less than the headache and tech bills potentially incurred trying to live without your files.. Just a perspective.. All the reviews say they are unlocking files once paid… although Honest Criminal doesn’t ring right with me. RealizeU


What about data recovery tools like “Recover My Files”? Does the virus remove the clusters that used to contain the old, non-encrypted files? Did anyone try that?

Todd H

Seriously, call the NSA. They can get past any encryption. :)


My aunt’s computer got infected with this Crypto ransomware so I did a restore, then did a restore My Documents folder. Everything looks normal and opens up fine. Looks like she got all her files working again.

Zach L

I am forever yelling at friends & family who send “fun” links without bothering to personalize the message it’s sent in. If you got an email that said, “This is my fav cat video!” with a link and nothing else (no name of the sender and not personalized with your name or any other info), would you click on that link to see the kitty? I got that email last week. Turned out it was legit, it really was her sending me her favorite cat link, but once again, I had to yell at the sender to STOP EMAILING ANONYMOUS LINKS! It’s always the same half-dozen sweet-but-annoying people doing this.


I lose stuff on Windows all the time. Sometimes, I’ll just reinstall Windows to clean up the drive.

Everything that I really need has no fewer than 3 backups, and beyond that, I don’t back up any files or programs.

I always figure if I want it bad enough, I will find a way to get it back and/or replicate it.

Zach L

Also: in addition to battling with clueless, spam-sending relatives and friends, I own a WD “My Book” 3T hard drive for super-easy backup. I back up my files and email every week or so. Which reminds me, I should do that this weekend. They’re inexpensive at approximately $100 more or less at this point.

I’m old enough that the idea of my stuff being backed up in “the cloud” does not appeal to me. ;) I like having the hard drive in hand.

Lawrence Abrams

Having a connected external hard drive won’t protect you against CryptoLocker. The files will still be accessible on the drive and this type of infection would just encrypt them.

Backups to external drives do not help unless the drive is not mapped as a drive letter or the files are not directly accessible with standard extension names that CryptoLocker targets.
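Two comments in this thread make the same point from different directions: a backup location the machine can write to (a mapped drive, a synced Dropbox folder, a plugged-in external disk) is just another set of files for the malware to encrypt, and what actually saves you is a versioned copy you can step back to, as with the Dropbox versioning mentioned earlier. The script below is an added example written for this page; it is not code from the article, from MakeUseOf or from any commenter. It keeps each backup run in its own snapshot directory with a SHA-256 manifest, never rewrites an old snapshot, refuses to take a new snapshot when more than a chosen fraction of files changed since the last one (a bulk-encryption pass looks exactly like that), and, at restore time, picks the newest snapshot whose files still match their manifest. The 30% threshold, the directory layout and the manifest format are assumptions made for this example, and the files it generates in its demo are constructed.

```python
"""Snapshot backup with a mass-change guard (added example, not from the page).

Each run copies the source tree into a new snapshot directory and writes a
SHA-256 manifest beside it; existing snapshots are never rewritten. If an
unusually large share of files changed since the last snapshot, the run
refuses and leaves the old snapshots alone. The 30% threshold, directory
layout and manifest format are assumptions for this example.
"""
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional

MANIFEST = "MANIFEST.sha256"  # written once per snapshot, then left alone


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root) to the SHA-256 of its content."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in root.rglob("*") if p.is_file() and p.name != MANIFEST}


def change_ratio(previous: Dict[str, str], current: Dict[str, str]) -> float:
    """Share of previously backed-up files that are now missing or altered."""
    if not previous:
        return 0.0
    changed = sum(1 for rel, digest in previous.items() if current.get(rel) != digest)
    return changed / len(previous)


def list_snapshots(backup_root: Path) -> List[Path]:
    if not backup_root.exists():
        return []
    return sorted(p for p in backup_root.iterdir() if p.is_dir())


def read_manifest(snapshot: Path) -> Dict[str, str]:
    entries = {}
    for line in (snapshot / MANIFEST).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        entries[rel] = digest
    return entries


def take_snapshot(source: Path, backup_root: Path, max_change: float = 0.3,
                  stamp: Optional[str] = None) -> Optional[Path]:
    """Create a new snapshot of source; return None (and touch nothing) when
    more than max_change of the last snapshot's files changed or vanished."""
    current = scan(source)
    snapshots = list_snapshots(backup_root)
    if snapshots:
        ratio = change_ratio(read_manifest(snapshots[-1]), current)
        if ratio > max_change:
            print(f"REFUSED: {ratio:.0%} of files changed since {snapshots[-1].name}")
            return None
    dest = backup_root / (stamp or time.strftime("%Y%m%dT%H%M%S"))
    shutil.copytree(source, dest)  # raises rather than overwrites if dest exists
    lines = [f"{digest}  {rel}\n" for rel, digest in sorted(current.items())]
    (dest / MANIFEST).write_text("".join(lines))
    return dest


def snapshot_is_intact(snapshot: Path) -> bool:
    """True when every file in the snapshot still matches its manifest."""
    return scan(snapshot) == read_manifest(snapshot)


def last_intact_snapshot(backup_root: Path) -> Optional[Path]:
    """Newest snapshot that still verifies: the one to restore from."""
    for snap in reversed(list_snapshots(backup_root)):
        if snapshot_is_intact(snap):
            return snap
    return None


if __name__ == "__main__":
    # Constructed demo data: ten small text files, then a simulated bulk
    # overwrite that mimics what an encryption pass leaves behind.
    work = Path(tempfile.mkdtemp())
    docs, backups = work / "docs", work / "backups"
    docs.mkdir()
    for i in range(10):
        (docs / f"doc{i}.txt").write_text(f"document {i}\n")
    print("first snapshot:", take_snapshot(docs, backups, stamp="001"))
    (docs / "doc0.txt").write_text("edited\n")  # a normal day's work
    print("second snapshot:", take_snapshot(docs, backups, stamp="002"))
    for doc in docs.glob("*.txt"):  # every file suddenly replaced
        doc.write_bytes(os.urandom(64))
    print("third snapshot:", take_snapshot(docs, backups, stamp="003"))
    print("restore from:", last_intact_snapshot(backups))
    shutil.rmtree(work)
```

The guard only helps if the snapshots themselves are out of the malware's reach: run the script from a separate account and keep the backup root on storage the everyday user account cannot write to (not a mapped drive letter, as the comment above notes), otherwise a process running as that user can simply overwrite or delete the old snapshots, and the manifest check will only tell you afterwards that they are gone.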


What about sniffing the network and logging all traffic for the last 7 days. Would it be possible to capture the encryption key as it’s being sent? Why not customize a packet filter to capture and save any packets that look like encryption keys? I’m very familiar with sniffing, but unfortunately have no idea how you’d find the encryption key.

I work in IT and just had a customer call that has this infection. It’s probably too late for him, and I really hope he has a backup, as I would never encourage paying the ransom.

And thanks for the info. I’ll be looking at ways to protect my customers who continue to slack on their backups.


ALL my personal files are password protected.


That seems a good idea to me! Any thoughts about this kind of protection?


Don’t think it would help. The virus doesn’t open the files, which would require the password. It just encrypts them. Think of it like this: Even if you give a file a password, you can still rename the file at a command prompt or in Explorer.


What did you use to type your article, it looks like quite a bit of gibberish between some lines of truth. Is the latest in fashion or were you just in a hurry?

Bob R

I have had experience with this virus on a company employee’s personal laptop. I had no success running the battery of tools that I possess in hopes of undoing this virus. I was able to find all the registry keys and the location in the OS, and remove everything, but you still wind up with all the data encrypted. This does not fix the problem. I had to reformat and re-install the system, finding there was not too much value in the data to be saved. I did not choose the ransom pmt. option that others may be forced to do.


Tom, Nov 3 2013:
Thanks very much for your answer.
What I did was:
I write protected the files with the administrator password.
Only reading / running the file is permitted, but whenever a user tries to rename it, he is prompted to enter the administrator password.
What do you think, are these write protected files vulnerable to the virus?
Any comments would be highly appreciated!

Two other thoughts:
1. Does running as User (instead of Administrator) protect me from infection? I mean, the virus / exe does have to be installed, right? So you need administrator privileges to be able to install it?
2. Doesn’t the Firewall (e.g. Comodo) prevent the virus from connecting to the server of the perps? Thus preventing the sending of an encryption key?

Michelle C

We just got this at our office. An employee clicked on a link or attachment in an email and wham — we lost her computer and our server. Thankfully, it did not backwards contaminate any other machines.


Someone needs to find the guy who made this and beat the crap out of him.


Or pick his brain… I find this whole CryptoLocker thing VERY interesting.

That Guy

Poor PC people. I used to have PC, but then I switched to Mac and have not experienced any major problems yet, if any exist. I used to download countless programs to try and fix Microsoft’s shitty software but failed every time.


Could somebody please help me? This thing is currently on my laptop and I’m worried my photos of my kids etc. will all be deleted. I’m not good with computers and now I have basically 24hrs to back my files up….somebody please advise me what to do. Thank you


What if you already encrypted your files using Truecrypt or something like it?

I don’t think it would create a double encryption, would it?


Why not? There is no reason why a file cannot be double encrypted.


I want a copy of CryptoLocker to play around with…


Been trying to think of a way to be secure in the setup… Could a network drive be made inaccessible to a particular user, and then make it so that unzip (executables, some executables?) only works with that user’s credentials?

Steve B

What if you were to make backups by cloning your drive, to include OS. Then if your primary drive becomes infected, just power down, pop it out and pop in the clone. Power back up and erase/format infected drive…. (Unless crypto is able to spread to the cloned drive after power up).

Once drives are infected, can Crypto “hide” out somewhere, even if the PC is powered off and the drive replaced??? So that if I did replace the infected drive with the clone, is there a possibility of the clone being infected when the PC is powered up?

Otherwise I can foresee that there may be a potential problem…knowing what caused the infection to begin with… if it resides on the backup (clone), you would sure want to identify it and delete it before accidentally running it again.

This might be a plan, maybe-maybe not. I’ve used this method for a couple of years and it seems to make recovery pretty painless. Just sayin’.

john kabbi

Increasingly, surfing the web from a virtual machine makes more and more sense.

Michael B

I back up everything on an external HDD. If I get a virus this bad (one I can not get rid of with the tools I have), I format my PC, reinstall Windows, then connect the external HDD and restore my stuff. If my PC has a virus, I do not back up anything or connect my external to the PC; I have a few back-ups (different drives, 4 of them for safety) I can choose from. This may be a bit much, but some things like pics (for example) can not be replaced. You can never be safe enough.


I don’t do emails; if I never asked for it, I delete it.


Can’t anyone take any legal action against the malware provider? Can’t they track him by following the cash payment path or something?


Any ‘mapped’ UNC paths are susceptible to encryption so beware of that.

Scott T

I got this nasty piece of virus last week and I was freaked out because I had been working on a proposal that was not backed up anywhere. I had Rollback Rx installed and I was really praying and hoping it would save me, because after reading online about it I was really doubting anything would get me out of this mess. So I rolled back my PC to an earlier snapshot and closed my eyes and prayed some more LOL!! It actually worked. I was able to roll back to an earlier snapshot 2 hours earlier and I was virus free and the proposal I was working on was still there! So maybe some of you may want to check out Rollback Rx.


Ok everyone and Matthew, let’s get back to the basics. There is a great deal of information in these comments which, when all added up together, can become very confusing.

So now I understand if you use SkyDrive linked to your hard drive you can be affected, so this is really not an answer. Protecting your files is of the utmost importance in any situation, so we need to know the best way to do that.

Stopping the virus from getting in, in the first place would be best however that would be a perfect world. Forget it.

Also, if new viruses and Trojans are developed in the future, well then, “Here’s Johnny, I’m home”, right?

Many non-technical average users find making all these backup disks a real challenge, and then to keep them updated, WOW, more trouble.

In my personal opinion a removable flash drive outweighs all of it. True or False?

I hear a lot of controversy on clouds, This Cloud, That Cloud, This Cloud, Which dammm Cloud.

What about Norton off site Back up. Is that not safe either? Or is it? Should I Just keep my Norton running as usual and run Norton backup to retrieve my files as I have before.

Is it possible to take all the information in everyone’s comments and put it into an easy to read and to follow format. Like step 1,2,3 The Best of the Best iron clad and user friendly process.

Please, all you gurus out there should be able to come up with the most effective and easy-to-follow plan, considering the age of today’s technology. No pun intended, LMAO



Oh yeah and this easy 123 plan should be free of charge, just to help out the community Right?


So did they manage to find a solution in the end? :/