
Cryptolocker Infections on the Rise; US-CERT Issues Warning

The Cryptolocker (also known as Crilock) ransomware attacks are showing no signs of slowing down with one anti-malware company counting more than 10,000 infections in the United States alone.

The malware, which encrypts files on infected machines and demands a ransom for decryption, has been spammed to “tens of millions” of computer users in the U.K., prompting the National Crime Agency to warn the public to be on the alert for this virulent threat.

According to Bitdefender, about 12,000 infected hosts tried connecting to domains associated with Cryptolocker during a one-week period at the end of October.

By early November, the malware had infected about 34,000 machines, predominantly in English-speaking countries, according to Microsoft.

“During that period, 12016 infected hosts tried to contact the sinkholed domains; the majority of connection attempts came from US-based IP addresses. In fact, judging by the distribution of infected hosts and the payment methods available, it would seem that only systems in the US are targeted, with the rest being collateral damage,” Bitdefender said in a blog post.

The U.S. Computer Emergency Response Team (US-CERT) notes that Cryptolocker is spreading fast through fake e-mails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices.

“In addition, there have been reports that some victims saw the malware appear following a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground,” US-CERT warned.

Once a machine becomes infected, Cryptolocker finds and encrypts files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives.

If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers’ command and control (C2) server and deposits the asymmetric private encryption key there, out of the victim’s reach. The victim’s files are encrypted using asymmetric encryption, according to an advisory from US-CERT.
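Because the encryption reaches mapped and shared drives, a defender's first question is usually whether a file server has already been hit. The following is an added example, not code from the article, US-CERT or Bitdefender: it walks a share and flags files whose content has become high-entropy, which is the signature of bulk encryption overwriting documents that were previously plain text. The sample share, the entropy threshold of 7.5 bits per byte and the 50% ratio are constructed assumptions for illustration.

```python
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, well below 6 for typical documents."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_share(root: str, threshold: float = 7.5, min_size: int = 256):
    """Return (list of high-entropy file paths, number of files examined).

    Only the first 1 MiB of each file is read; that is enough to measure
    entropy and keeps the scan cheap on large shares. Files smaller than
    min_size are skipped because entropy estimates on tiny inputs are noisy.
    """
    flagged = []
    examined = 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)
            if len(data) < min_size:
                continue
            examined += 1
            if shannon_entropy(data) >= threshold:
                flagged.append(path)
    return flagged, examined


def share_looks_encrypted(root: str, ratio: float = 0.5) -> bool:
    """Heuristic: raise an alarm when at least `ratio` of examined files are high-entropy."""
    flagged, examined = scan_share(root)
    return examined > 0 and len(flagged) / examined >= ratio


def build_sample_share() -> str:
    """Constructed sample: four plain-text reports plus six files overwritten with random bytes,
    standing in for documents that have been encrypted in place."""
    root = tempfile.mkdtemp(prefix="share_")
    for i in range(4):
        with open(os.path.join(root, f"report{i}.txt"), "w") as fh:
            fh.write("Quarterly report: revenue, expenses, notes.\n" * 40)
    for i in range(6):
        with open(os.path.join(root, f"budget{i}.xlsx"), "wb") as fh:
            fh.write(os.urandom(4096))  # simulates ciphertext; no real encryption is performed
    return root


if __name__ == "__main__":
    share = build_sample_share()
    hits, total = scan_share(share)
    print(f"{len(hits)} of {total} files look encrypted; alarm={share_looks_encrypted(share)}")
```

Entropy alone produces false positives on formats that are already compressed (real .xlsx, .zip, .jpg, .pdf with compressed streams), so in production the check should be baselined per file type and combined with the rate of modifications in a short window; a sudden wave of high-entropy rewrites across a share is the actionable signal, and it is also the cue to disconnect the affected host before more of the share is touched.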

The attackers are retrieving payments through third-party payment systems like Bitcoin and MoneyPak but some infected users are claiming they paid the attackers and never received a decryption key.

US-CERT is encouraging computer users and administrators experiencing a ransomware infection to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

The following mitigation guidance is available for users dealing with a Cryptolocker infection:

– Immediately disconnect the infected system from wireless or wired networks. This may prevent the malware from encrypting any more files on the network.

– Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware.

– If possible, change all online account passwords and network passwords after removing the system from the network. Change all system passwords once the malware is removed from the system.

– Back up your data. According to Microsoft, the best defense against your data being encrypted by CryptoLocker/Crilock is to have a backup of your files.


*Updated with additional data and mitigation advice from Microsoft

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
