A security research team has revealed that Cryptolocker, a new form of ransomware, may have infected between 200,000 and 250,000 devices and could have collected over $980,000 (£600,000, AU$1,000,000) in Bitcoins.
Dell SecureWorks' counter-threat unit has examined the infection rates of the Cryptolocker malware and claims that it was developed in either Russia or Eastern Europe. The earliest infection would have happened around September 5 this year. How the malware is distributed is still not clear.
Ransomware is a successful new breed of malware and virus that finds and locks away essential files on a victim's computer. The encrypted files stay locked until the user meets the payment demand within 72 hours, a deadline displayed ominously in the form of an on-screen timer. It targets mapped drives, Dropbox files, and all locally connected, network attached or cloud-based storage.
"Difficult to circumvent"
Unlike traditional malware and viruses, which can be removed via the use of antivirus programs, Cryptolocker cannot be removed. If a user does attempt to root out the virus, there is still no way to access the files it encrypts. All decryption keys are located on one of Cryptolocker's servers. Only if the user pays the ransom are the files released again.
"By using a sound implementation and following best practices, the authors of Cryptolocker have created a robust program that is difficult to circumvent," SecureWorks notes in a blog post. "Instead of using a custom, cryptographic implementation like many other malware families, Cryptolocker uses strong third-party certified cryptography offered by Microsoft's CryptoAPI."
Strangely, Cryptolocker also has its own dedicated support system for people who pay their ransom but miss the deadline. There have been reports of the author of the program actively answering help questions on online forums, including this thread.
SecureWorks estimates that the ransomware has infected 250,000 systems in the first 100 days of its life.