
Watch out for CryptoLocker ransomware

8 November 2013

Reports of a type of ransomware called CryptoLocker (also known as ‘Crilock’) have been increasing in recent months.

Ransomware is a type of malware used to extort money from victims by preventing access to their computer or files.

CryptoLocker is spread by a variety of means, primarily as an attachment in fake email messages such as tax refund notifications, but also via a number of other less conspicuous methods.

Unfortunately, with CryptoLocker, many victims do not realise they have been infected until irreparable damage has been done to files.

As with any malware, your best defence is prevention, including having a fully up-to-date computer and not opening suspicious emails.

About CryptoLocker

CryptoLocker is a particularly malicious type of ransomware—malicious software which, once installed on your computer, encrypts (locks) all of the important files you might have—documents, photos, videos, music.

It then presents a pop up window featuring a countdown clock, asserting that you have 72 hours to pay a ransom (approx. US$300) to prevent the encryption key from being destroyed, rendering the data unrecoverable.

Unlike some previous ransomware campaigns we have seen recently (such as police ransomware), which only blocked access to your computer, CryptoLocker actually encrypts the files on your computer. Unfortunately, with CryptoLocker, without the encryption key, it is impossible to regain access to your files.

CryptoLocker currently affects Windows systems including Windows 7, XP and Vista.

Some versions of CryptoLocker also claim to offer an additional ‘second chance’ payment option (at a much higher price) for victims who do not pay the ransom in time. This is intended to target those who might have run out of time trying to pay and those whose security software may have removed the CryptoLocker malware after it was installed—leaving all their files behind, still encrypted.

CryptoLocker ransomware also attempts to find and encrypt files on storage accessible to the infected computer, such as USB devices, networked drives, servers and even some cloud storage services. This means that many common backups you could use to recover files affected by CryptoLocker could also be encrypted.

How is CryptoLocker spread?

The primary method by which CryptoLocker is spread is email. A wide variety of phishing emails have been associated with CryptoLocker, including fake tax refund notifications. These carry the malware as an attachment—often a .zip file.

CryptoLocker can, however, also be invisibly downloaded to your system if it has been previously infected by other malware. Computers can remain infected for long periods with this malware, which displays no symptoms to the user but which allows an attacker to remotely control your system. These computers are known as Zombies or Bots.

There are thousands of computers across the world and in Australia known to be infected by this kind of dormant malware. These vast networks of infected computers are known as Botnets. When a profitable new malware such as CryptoLocker becomes available, attackers can load it on to these computers without needing to re-infect them.

In addition to the PCs in a botnet being vulnerable to a new malware like CryptoLocker, botnets can be used as a collective resource by scammers to carry out a variety of other malicious activity such as sending spam, attacking other computers and websites, or downloading more malware.

Avoiding CryptoLocker malware

Prevention (i.e. avoiding infection in the first place) is the best antidote to CryptoLocker—as well as other malware. Using spam filters and being cautious when opening emails, and especially attachments, are critical.
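The kind of attachment check a mail filter can apply to the .zip attachments described above is sketched here as an added example; it is not part of the original advisory. The function names and the list of risky file extensions are assumptions chosen for illustration, and the sample messages are constructed inline with harmless text content.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumed policy list for this example: file types that run code on Windows.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

def risky_zip_members(raw_email: bytes) -> list[str]:
    """Return 'attachment!member' names for risky files inside .zip attachments."""
    findings = []
    msg = message_from_bytes(raw_email)
    for part in msg.walk():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                members = archive.namelist()
        except zipfile.BadZipFile:
            # An archive that cannot be read cannot be inspected, so flag it.
            findings.append(f"{name}!<unreadable archive>")
            continue
        for member in members:
            lowered = member.lower()
            if any(lowered.endswith(ext) for ext in RISKY_EXTENSIONS):
                findings.append(f"{name}!{member}")
    return findings

def build_sample(member_name: str) -> bytes:
    """Construct a sample message with one .zip attachment (harmless text content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, "placeholder text, not a real program")
    msg = EmailMessage()
    msg["Subject"] = "Tax refund notification"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("Please see the attached form.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="refund.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(risky_zip_members(build_sample("refund_form.pdf.exe")))
    print(risky_zip_members(build_sample("refund_form.pdf")))
```

A message flagged this way would be quarantined for review rather than delivered; an ordinary document inside the archive produces no finding.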

The ways you may be infected by these types of malware quickly become complex, but the same common sense applies to avoiding these threats as to any malware. If you continue to do the following things, you should remain safe.

  • Do not open suspicious (or frivolous) emails and attachments or links.
  • Make sure you are using a reputable security product.
  • Make sure it is up to date and switched on.
  • Make sure your operating system and applications are up to date and fully patched.
  • Run a full scan of your computer—regularly.
  • Set and use strong and unique passwords.
  • Set passwords on all your hardware devices (modems and routers).
  • Back up your data.
  • Only visit reputable websites and services online.

There are also products available that can identify and remove this malware, and scanning your computer with up-to-date security software should identify any infections. The major problem with CryptoLocker is that once your computer has become infected, the only way to recover your files is from a clean backup (if it hasn’t also been encrypted) or by receiving the encryption key from the scammers. Responding to extortion is not encouraged.

More information

Security blogger Brian Krebs provides some useful analysis of CryptoLocker, and also suggests some tools which individuals and small businesses might consider to specifically identify and prevent CryptoLocker.

Security vendor Sophos provides some useful detail about CryptoLocker and how you can prevent it, and suggestions to clean it up. It also includes a video demonstration of CryptoLocker.

Stay Smart Online’s tips for avoiding scams and hoaxes.

The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.




This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.

This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.

The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.

Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.

Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.