CryptoLocker ransomware intelligence report

At the beginning of September 2013, the CryptoLocker malware variant appeared in the wild, spread exclusively by the infamous P2P ZeuS (aka Gameover ZeuS) malware. CryptoLocker had a simple purpose: to act as ransomware, encrypting important files such as images and documents and then demanding money from the victim to unlock them.

[Image: CryptoLocker warning screen. Image source: Ars Technica]

In collaboration with FireEye, InTELL analysts at Fox-IT worked on the investigation. By the end of 2013, certain groups that had focused on online banking fraud were moving to less risky attacks, such as ransomware, click fraud and crypto coin mining. All of these attack types pose lower risk to the criminals than online banking attacks. The P2P ZeuS group was one of them.

US law enforcement led a joint operation starting on 30 May 2014, which resulted in a long-term disruption of both P2P ZeuS and CryptoLocker. A detailed description of the operation is available here.

CryptoLocker used AES symmetric encryption to encrypt the files and encrypted the AES key with a 2048-bit RSA public key generated on the server side of CryptoLocker. For each infection a new RSA asymmetric key pair was generated on the CryptoLocker server, which made it impossible for victims to recover their files on their own. To recover files, the malware offered victims the option to purchase the corresponding RSA-2048 private key. The CryptoLocker authors began charging victims 100 USD in September 2013 to recover their files, and by May 2014 were charging 500 USD for recovery.
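The key hierarchy described above, modelled in Go as an added example (not code from the report, Fox-IT or CryptoLocker itself): a per-infection RSA-2048 key pair whose private half stays server-side, a symmetric AES key that encrypts file contents and is wrapped under the public key, and the recovery step that becomes possible only once the private key is available, which is what the free recovery service relies on. AES-GCM, RSA-OAEP and a fresh AES key per file are assumptions; the report states only "AES" and "RSA-2048".

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Key hierarchy from the report: an RSA-2048 pair per infection (private half
// server-side) wrapping a symmetric AES key that encrypts the file contents.
// AES-GCM and RSA-OAEP are assumptions; the report states only "AES" and "RSA-2048".

func newGCM(key []byte) cipher.AEAD { // errors impossible for a 32-byte key
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// wrapFile: fresh AES-256 key per file, ciphertext nonce-prefixed, key wrapped under pub.
func wrapFile(pub *rsa.PublicKey, plaintext []byte) (ct, wrapped []byte, err error) {
	key := make([]byte, 32)
	rand.Read(key)
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	ct = gcm.Seal(nonce, nonce, plaintext, nil)
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return ct, wrapped, err
}

// unwrapFile is the recovery step: only the matching private key unwraps the AES key.
func unwrapFile(priv *rsa.PrivateKey, ct, wrapped []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm := newGCM(key)
	n := gcm.NonceSize()
	return gcm.Open(nil, ct[:n], ct[n:], nil)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // per-infection key pair
	ct, wk, _ := wrapFile(&priv.PublicKey, []byte("constructed sample document"))
	pt, err := unwrapFile(priv, ct, wk)
	fmt.Println(string(pt), err)
}
```

Without the matching private key the wrapped AES key cannot be opened, so the ciphertext is unrecoverable even though the symmetric cipher itself is standard.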

Not every computer infected with P2P ZeuS malware became infected with CryptoLocker. The reason is that CryptoLocker ran on victim machines alongside P2P ZeuS, which was used to commit financial fraud, and for P2P ZeuS to be successful a victim had to remain unaware that their system was compromised. Therefore only a handful of the botnets within the full P2P ZeuS network installed CryptoLocker. From September 2013 through May 2014, over half a million (545,146) infections occurred, far fewer than the number of P2P ZeuS infections over the same period.

Of the botnets distributing CryptoLocker, infections were mostly limited to victims located in the US, Canada, the UK and Australia. These regions were most likely selected because English is their primary language. This is shown in the heat map below, with over 60% of the CryptoLocker infections located in the US.


While CryptoLocker infections started at the beginning of September 2013, the largest number of infections in a single month occurred in October 2013, with over 155,000 systems affected worldwide. That accounts for nearly 29% of all infections between September 2013 and May 2014. After October 2013 the rate dropped but held steady at around 50,000 infections per month.

The CryptoLocker infrastructure was separate from the P2P ZeuS infrastructure. It used a fast-flux network offered by a bulletproof hoster and a hidden service in the Tor network. Both channels terminated on a proxy system that led directly to the backend system, allowing victims to pay the ransom even while the fast-flux network experienced various disruptions by security researchers.

The majority of victim payments to CryptoLocker were processed through MoneyPak, but a considerable amount of money was also paid in Bitcoin. A new Bitcoin address was created for each infection, making payments harder for researchers to track and easier for the CryptoLocker operators to distinguish from one another. In total, over 1,400 Bitcoins (1407.24575477 BTC, around 700,000 USD at current exchange rates) were received. That is more than the 1388 BTC the malware requested; apparently some victims tried to transfer partial amounts. Unfortunately for them, these lower amounts were simply lost and added a small bonus for the criminals. A small number of early payments were received via Paysafecard and Ukash. In total, the amount of money made during the 9-month CryptoLocker operation was around 3 million USD, taking into account the fluctuating Bitcoin exchange rate over time.

In the end, 1.3% of victims paid a CryptoLocker ransom, so a large number of victims likely lost files permanently in this attack. Fox-IT InTELL and FireEye provide a free service to victims to recover the private keys associated with CryptoLocker infections. This was announced on August 6, 2014 in this press release. It gives CryptoLocker victims the ability to recover their files and restore their contents.

A big thank you to Kyrus Tech for their tool CryptoUnlocker. And finally, we wish to thank SurfRight for their assistance in providing encrypted files they generated using CryptoLocker.

Michael Sandee


24 thoughts on “CryptoLocker ransomware intelligence report”

  1. Pingback: ste williams – CryptoLocker victims offered free key to unlock ransomed files

  2. Pingback: CryptoLocker victims offered free key to unlock ransomed files - Register - Computer Repair Guy Orange County CA

  3. Pingback: Zainfekował cię CryptoLocker? Oto jak nie płacąc haraczu odzyskać pliki

  4. Pingback: CryptoLocker – Si vous avez été infecté, voici comment déchiffrer vos fichiers « Mes idées HIGH TECH

  5. Pingback: CryptoLocker – Si vous avez été infecté, voici comment déchiffrer vos fichiers | L'actualité de la High Tech

  6. Pingback: FireEye and Fox-IT tool can help recover Crilock-encrypted files - Malware Protection Center

  7. My computer was infected on August 6, 2014. I tried to upload an encrypted file on but received the following message:

    “The file does not seem to be infected by CryptoLocker. Please submit a CryptoLocker infected file.”

    Any ideas on what is happening here?

  8. Pingback: Cryptolocker personal secrets discovered

  9. Pingback: 'Your Money or Your Files' as Threat of Online Stickups Grows | News Feed

  10. Pingback: CryptoLocker – Si vous avez été infecté, voici comment déchiffrer vos fichiers | vienergie

  11. Pingback: Recovering Your Files from CryptoLocker Free Tool from FireEye | configmgr

  12. Pingback: Update on DecryptCryptoLocker | Fox-IT International blog

  13. Pingback: Update on DecryptCryptoLocker | e-Shielder Security

  14. Thanks for the article and the link. Using Vista in the USA I attempted to upload to the link. Numerous attempts over the last two weeks have been unsuccessful. Is the site down? …overloaded? I have the ransomware Cryptowall. Thanks for your followup.

  15. I'm getting “The file does not seem to be infected by CryptoLocker. Please submit a CryptoLocker infected file.” Please help.

  16. Pingback: Everything you should know about CryptLocker from the security experts and FireEye - Yourisd LLC

  17. Pingback: Free Crypto Coins Blackhat | Secret Internet Marketing Blog

  18. Pingback: Your data has been taken hostage! | Count Upon Security
