Cryptolocker Virus


Technicians at Systech recently uncovered a particularly destructive virus that has the potential to corrupt vast amounts of company data.

The virus is named Cryptolocker. When it????????s installed, it scans the local drives and network drives attached to the computer it is installed on and uses RSA-2048 encryption to essentially ???????lock??????? your files from being used. At this point in time, there is absolutely no way to unlock the files once they have been locked, unless the $300 that is requested by the Virus be paid. Reports have shown that once paid, the virus will begin unlocking the files, but there is ultimately no guarantee for that.

Cryptolocker????????s Encryption

Cryptolocker uses Public Key Encryption, which is a method of using two key codes of unlocking the data that is encrypted. If you can imagine, each file that is locked on the computer is stored in its own little vault. These particular vaults, however, require two keys to unlock. What Cryptolocker does is store one of the keys on the computer, and the other on a remote server that can only be accessed by the virus. Once the payment is processed, the virus will use both keys and unlock your data.

How Cryptolocker Infects a Computer

Cryptolocker is  spread by one of two ways: infected email attachments or infected websites. The virus then checks your computers for a vulnerability to begin running the software. The virus can also masquerade itself to appear as a harmless program, such as a video player or other browser extension.


At this point, when the files on the computer become encrypted, there is no other way to unlock them other than paying the fee indicated by the virus. At the time of this writing, the fee is $300 with a payment window of 72 hours. This has gone up from $100 in the last month so it can change without warning.  Once the 72 hour count down has ended, the private key is destroyed and the data is lost. When payment is processed, destruction of the private key is delayed up to 48 hours until payment has been received by Cryptolocker.

It is vital that version-based backups are taken on a regular basis. With backups available, Systech can restore the file affected by the encryption in the event the file cannot be decrypted once the $300 ransom has been paid.

How to Protect Yourself

Once the Cryptolocker screen displays itself, the damage has already been done. Always make sure you have good backups in case files need to be restored. To protect yourself, be aware of suspicious websites or email attachments. If you are unfamiliar with the website, or the sender, it would always be in best interest to walk away.

Technical Data

Below is a list of file extensions that are affected by Cryptolocker. Most notably are Word, Excel, Images, and PDFs;

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c