CryptoLocker is a ransomware program released in September 2013 that currently targets Windows-based computers.

It encrypts certain files on your computer, then demands a ransom payment to decrypt the files. It is particularly damaging because, so far, no company has been able to find a way to retrieve the private key needed to decrypt your files without paying the ransom.

CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices. Most business users know not to open these types of emails, but during the holiday shopping season we are all somewhat vulnerable.

While there is no 100% safe way to protect your network, the US Computer Emergency Readiness Team (US-CERT) recommends the following to help protect computer networks from a CryptoLocker infection:

  • Conduct routine backups of important files, keeping the backups stored offline. (External hard drives can also be encrypted if they are attached to your computer at the time of infection.)
  • Maintain up-to-date anti-virus software.
  • Keep your operating system and software up-to-date with the latest patches.
  • Do not follow unsolicited web links in email. Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
  • Use caution when opening email attachments. For more information on safely handling email attachments, read Recognizing and Avoiding Email Scams (pdf) and refer to the Security Tip Using Caution with Email Attachments.
  • Follow safe practices when browsing the web. For further reading on safe browsing habits, see Good Security Habits and Safeguarding Your Data.

If your computer has been infected with CryptoLocker ransomware, US-CERT suggests the following possible mitigation steps:

  • Immediately disconnect the infected system from wireless and wired networks (even though CryptoLocker will tell you NOT to disconnect). This may prevent the malware from encrypting any more files on the network.
  • Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware.
  • If possible, change all online account passwords and network passwords after removing the system from the network. Change all system passwords once the malware is removed from the system.

Once the computer is infected, there is currently no way to recover data without paying the ransom. Victims have reported, however, that paying the ransom does work, so that may be your only option if your files are not backed up somewhere else.