How to Prevent and Mitigate Cryptolocker Ransomware


A huge threat is spreading across the Internet: a ransomware that can encrypt your hard drive and the personal or business files stored on your computer, such as images, documents, and spreadsheets. Once these files are encrypted you can’t open them. It’s important to know that there are ways to prevent this, and to mitigate the damage if your computer is already infected.


Cryptolocker uses social engineering to attack your computer. The infection is usually spread through an attachment to a phishing message that’s disguised as a business or customer-support related email from businesses like FedEx, UPS, Xerox, prominent banks, or others.

The email contains a zip attachment that infects your computer as soon as you open it. The zip file contains executables that are made to look like PDF files, complete with a PDF icon. Because Windows hides known file extensions by default, it’s simple for the attacker to give the executable a name ending in “.pdf” so that the real extension is not shown. The cybercriminal tries to trick you into opening the attachment by offering tracking information or other false but important-looking messages in the email body or subject line.

Cryptolocker targets the following file extensions:

.odt, .ods, .odp, .odm, .odc, .odb, .doc, .docx, .docm, .wps, .xls, .xlsx, .xlsm, .xlsb, .xlk, .ppt, .pptx, .pptm, .mdb, .accdb, .pst, .dwg, .dxf, .dxg, .wpd, .rtf, .wb2, .mdf, .dbf, .psd, .pdd, .pdf, .eps, .ai, .indd, .cdr, .jpg, .jpe, img_.jpg, .dng, .3fr, .arw, .srf, .sr2, .bay, .crw, .cr2, .dcr, .kdc, .erf, .mef, .mrw, .nef, .nrw, .orf, .raf, .raw, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .der, .cer, .crt, .pem, .pfx, .p12, .p7b, .p7c

Once it finds a file with a matching extension, it encrypts the file using a public key and then displays a message demanding a ransom to decrypt your files, usually between $100 and $300. The ransom must be paid using prepaid cards or Bitcoin.

The Cryptolocker virus screen displays a timer stating that you have 4 days, or 96 hours, to pay the ransom. If the ransom isn’t paid, it deletes your encryption key, leaving your files inaccessible forever. Once the payment has been made, decryption begins.

How to Prevent Cryptolocker From Holding You Hostage

First, it’s important to back up all of your files, including documents, images, and spreadsheets. Find a safe place separate from your PC or network, such as a portable hard drive or a cloud-based service. Running an anti-virus program can help block compromised websites; if you already have anti-virus protection, make sure it’s up to date. Also be sure to set up a reliable firewall for email protection. However, a software restriction policy is the most effective tool to prevent a Cryptolocker infection. There are two kinds you can use: Software Restriction Policies or the enhanced AppLocker policies:

  • Software Restriction Policies

With software restriction policies, you can prevent or control the execution of specific programs through Group Policy. This means you can block executable files from running in the user-space areas that CryptoLocker uses to launch the ransomware.

  • AppLocker

AppLocker works on Windows 7 Ultimate, Windows 8 Pro, or Windows 8 Enterprise editions. If you’re using Windows XP or Windows Vista, AppLocker isn’t compatible with your operating system. With AppLocker you can block programs from running, and prevent Cryptolocker ransomware infections.
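The following is an added example (not part of the original article) of the AppLocker approach described above: it builds a policy that denies execution from the user-writable AppData folders and applies it locally. The blocked paths, rule names and the dummy test file are this example's assumptions; run it in an elevated PowerShell on an edition that supports AppLocker, and note that enforcement also requires the Application Identity service (AppIDSvc) to be running.

```powershell
# Added example: deny execution from user-writable folders with AppLocker.
# The paths below are assumed drop locations, not taken from the article.
$deny = @(   # %OSDRIVE% is an AppLocker path variable for the system drive
    '%OSDRIVE%\Users\*\AppData\Local\*',
    '%OSDRIVE%\Users\*\AppData\Roaming\*'
)

function New-PathRuleXml([string]$Path, [string]$Name, [string]$Action, [string]$Sid) {
    # One FilePathRule element; S-1-1-0 is Everyone, S-1-5-32-544 is Administrators
    $id = [guid]::NewGuid().ToString()
    @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# Once any Exe rule exists, AppLocker denies everything not explicitly allowed,
# so the standard default allow rules must accompany the deny rules.
$rules = @(
    New-PathRuleXml '%PROGRAMFILES%\*' 'Allow Program Files'  'Allow' 'S-1-1-0'
    New-PathRuleXml '%WINDIR%\*'       'Allow Windows'        'Allow' 'S-1-1-0'
    New-PathRuleXml '*'                'Allow Administrators' 'Allow' 'S-1-5-32-544'
)
$rules += $deny | ForEach-Object { New-PathRuleXml $_ "Deny exe in $_" 'Deny' 'S-1-1-0' }

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'applocker-deny-appdata.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Dry run before enforcing: create a dummy "PDF" executable where a phishing
# attachment would drop it and ask AppLocker what it would decide (file must exist).
$sample = Join-Path $env:APPDATA 'invoice.pdf.exe'
New-Item -ItemType File -Path $sample -Force | Out-Null
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $sample |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize   # expect Denied

# Merge into the local policy and show the effective result
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
Get-AppLockerPolicy -Effective -Xml
```

Deny rules take precedence over allow rules in AppLocker, so the dry run reports Denied even for an administrator; review the decision for your own legitimate applications that install under AppData before enforcing domain-wide.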

Mitigation: How to Restore Encrypted Files.

If your computer has already been infected with Cryptolocker, there are a few mitigation techniques to remember. A tool called Shadow Copies, an integral part of the System Restore feature in Windows, is used in both techniques.

  • Restore Previous Versions

In order to restore the previous version of a file, right-click the file and choose “Properties.” As long as “System Restore” or “Shadow Copies” is enabled through Group Policy, you can access the “Previous Versions” tab in the “Properties” window that contains previous versions of files you created. Choose a version that was saved on a date before the infection took place, and simply click “Copy” or “Restore.”

  • ShadowExplorer

This is a free, downloadable tool that lets you browse all of the shadow copies on your system. It is particularly helpful when Cryptolocker has encrypted a large number of files. When you install and run ShadowExplorer, select the drive and the shadow copy date/time from the menu at the top of the window. Right-click the file you want and select “Export.” While the previous versions may not be fully current, that is better than losing the files altogether, or paying a ransom to obtain the recent version.
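As an added example (not from the original article, and independent of ShadowExplorer), the same recovery described under Restore Previous Versions and ShadowExplorer can be scripted with Windows' built-in Win32_ShadowCopy class: pick the newest snapshot taken before the infection, expose it through a directory link, and copy the file out. The function name, the file path, the cutoff time and the destination are constructed for illustration; run it in an elevated PowerShell.

```powershell
# Added example: restore one file from the newest shadow copy older than a cutoff.
function Restore-FromShadowCopy {
    param(
        [Parameter(Mandatory)][string]$RelativePath,  # path below the volume root
        [Parameter(Mandatory)][datetime]$Before,      # snapshot must predate this time
        [Parameter(Mandatory)][string]$Destination,   # where the recovered copy goes
        [string]$Volume = 'C:'
    )
    # Win32_ShadowCopy.VolumeName is a \\?\Volume{GUID}\ path; map the drive letter to it
    $volId = (Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq $Volume).DeviceID
    $candidates = Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volId -and $_.InstallDate -lt $Before } |
        Sort-Object InstallDate -Descending
    if (-not $candidates) { throw "No shadow copy of $Volume older than $Before" }
    $snap = $candidates | Select-Object -First 1

    # The snapshot device is reachable through a directory symlink; the trailing
    # backslash after DeviceObject is required for mklink to accept it.
    $link = Join-Path $env:SystemDrive ('shadow_' + $snap.ID.Trim('{}'))
    cmd /c mklink /d "$link" "$($snap.DeviceObject)\" | Out-Null
    try {
        $source = Join-Path $link $RelativePath
        if (-not (Test-Path -LiteralPath $source)) {
            throw "File not present in snapshot taken $($snap.InstallDate)"
        }
        Copy-Item -LiteralPath $source -Destination $Destination -Force
        return $snap.InstallDate   # report which snapshot the file came from
    } finally {
        cmd /c rmdir "$link" | Out-Null   # removes the link only, not the snapshot
    }
}

# Constructed usage: user's report.docx from before the infection was noticed
Restore-FromShadowCopy -RelativePath 'Users\alice\Documents\report.docx' `
    -Before (Get-Date '2013-10-15 08:00') -Destination 'D:\recovered\report.docx'
```

If the function reports no candidate snapshots, System Restore was either disabled or had not yet taken a snapshot on that volume, which is why the article's first advice is an offline backup.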

Ransomware Threats Are Ever Increasing and Changing.

The prevalence of ransomware is growing rapidly, and Cryptolocker appears to be the most dangerous and harmful version to date. In most cases, ransomware does something like freezing your computer, which is ultimately fixable. Cryptolocker, on the other hand, encrypts all of your important files. It’s important to be aware of the potential harm this type of ransomware can cause and to be prepared to prevent and mitigate it.

It’s essential that you stay informed regarding the prevention and mitigation of ransomware and Cryptolocker. We’ll provide updated information as we receive it, so visit our site frequently to learn how to protect your valuable data!
