How to Prevent and Mitigate Cryptolocker Ransomware


October 29, 2013


A huge threat is spreading across the Internet: ransomware that can encrypt your hard drive and the personal or business files, such as images, documents, and spreadsheets, stored on your computer. Once these files are encrypted you can’t open them. It’s important to know that there are ways to prevent this, and to mitigate the damage if your computer is already infected.


Cryptolocker uses social engineering to attack your computer. The infection is usually spread through an attachment to a phishing message that’s disguised as a business or customer-support related email from businesses like FedEx, UPS, Xerox, prominent banks, or others.

The email contains a zip attachment that infects your computer as soon as you open it. The zip file contains executables that appear to be PDF files, complete with a PDF icon. Because Windows hides known file extensions by default, it’s simple for the attacker to add “.pdf” to the end of the file name so that the executable looks like a PDF. The cybercriminal tries to trick you into opening the attachment by offering tracking information or other false, important-looking content in the email body or subject line.
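As an added example (not part of the original post), the following PowerShell inspects a zip attachment for the hidden-extension lure just described, where a name like “Tracking_Details.pdf.exe” displays as “Tracking_Details.pdf”; it assumes PowerShell 5.1 or later on Windows and builds its own constructed sample archive.

```powershell
# Added example: flag zip entries whose real (last) extension is executable,
# and mark those hiding behind a document-looking extension. Not from the post.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions Windows will execute, and the "document" extensions a lure hides behind.
$script:ExecExt = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.vbs')
$script:DocExt  = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.jpg', '.png', '.txt')

function Get-AttachmentVerdict {
    param([string]$Name)
    $lower = $Name.ToLowerInvariant()
    $real  = [System.IO.Path]::GetExtension($lower)        # what Windows actually runs
    if ($script:ExecExt -notcontains $real) { return 'ok' }
    $base  = $lower.Substring(0, $lower.Length - $real.Length)
    $shown = [System.IO.Path]::GetExtension($base)         # what the user sees with extensions hidden
    if ($script:DocExt -contains $shown) { return 'disguised-executable' }
    return 'executable'
}

function Find-SuspiciousEntries {
    param([string]$ZipPath)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($e in $zip.Entries) {
            $verdict = Get-AttachmentVerdict $e.Name
            if ($verdict -ne 'ok') {
                [pscustomobject]@{ Entry = $e.FullName; Verdict = $verdict; Bytes = $e.Length }
            }
        }
    } finally { $zip.Dispose() }
}

# Constructed sample attachment: two empty entries named like a typical lure.
$sample = Join-Path $env:TEMP 'constructed_attachment.zip'
if (Test-Path $sample) { Remove-Item $sample }
$archive = [System.IO.Compression.ZipFile]::Open($sample, 'Create')
$null = $archive.CreateEntry('FedEx_Tracking_Details.pdf.exe')   # displays as ...Details.pdf
$null = $archive.CreateEntry('Tracking_Number.txt')
$archive.Dispose()

Find-SuspiciousEntries -ZipPath $sample | Format-Table -AutoSize
```

Any executable entry is reported, not only the disguised ones, so a mail gateway or helpdesk script can quarantine on either verdict.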

Cryptolocker targets the following file extensions:

.odt, .ods, .odp, .odm, .odc, .odb, .doc, .docx, .docm, .wps, .xls, .xlsx, .xlsm, .xlsb, .xlk, .ppt, .pptx, .pptm, .mdb, .accdb, .pst, .dwg, .dxf, .dxg, .wpd, .rtf, .wb2, .mdf, .dbf, .psd, .pdd, .pdf, .eps, .ai, .indd, .cdr, .jpg, .jpe, img_.jpg, .dng, .3fr, .arw, .srf, .sr2, .bay, .crw, .cr2, .dcr, .kdc, .erf, .mef, .mrw, .nef, .nrw, .orf, .raf, .raw, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .der, .cer, .crt, .pem, .pfx, .p12, .p7b, .p7c

Once it finds a file with a matching extension, Cryptolocker encrypts it using a public key and then displays a message demanding a ransom, usually between $100 and $300, to decrypt the files. The ransom must be paid using prepaid cards or Bitcoin.

The Cryptolocker screen displays a timer stating that you have 4 days, or 96 hours, to pay the ransom. If the ransom isn’t paid, it deletes your encryption key, leaving your files inaccessible forever. Once the payment has been made, decryption begins.

How to Prevent Cryptolocker From Holding You Hostage

First, it’s important to back up all of your files, including documents, images, and spreadsheets. Keep the backup in a safe place separate from your PC and network, such as a portable hard drive or a cloud-based service. Running an anti-virus program can help block compromised websites; if you already have anti-virus protection, make sure it’s up to date. Also be sure to set up a reliable firewall for email protection. However, a software restriction policy is the most effective tool for preventing a Cryptolocker infection. There are two kinds you can use, Software Restriction Policies or the enhanced AppLocker policies:

  • Software Restriction Policies

With Software Restriction Policies, you can prevent or control the execution of specific programs through Group Policy. This means you can block executable files from running in the user-space areas that CryptoLocker uses to launch the ransomware.

  • AppLocker

AppLocker is available on Windows 7 Ultimate, Windows 8 Pro, and Windows 8 Enterprise editions. If you’re using Windows XP or Windows Vista, AppLocker isn’t compatible with your operating system. With AppLocker you can block programs from running and prevent Cryptolocker ransomware infections.
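As an added example of the Software Restriction Policies approach above (not code from the original post), this PowerShell writes Disallowed path rules into the local-policy registry layout that the SRP Group Policy node manages; the key layout and the list of blocked user-profile paths are this example’s assumptions, so verify the result in gpedit.msc after running it elevated and refreshing with gpupdate.

```powershell
# Added example: SRP path rules that disallow executables launched from the
# per-user profile and temporary archive-extraction folders. Not from the post.
#Requires -RunAsAdministrator

$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# Assumed, commonly recommended patterns; environment variables expand per user.
$blockedPaths = @(
    '%AppData%\*.exe',       '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',  '%LocalAppData%\*\*.exe',
    '%Temp%\Rar*\*.exe',     '%Temp%\7z*\*.exe',       # WinRAR / 7-Zip "open" extraction
    '%Temp%\wz*\*.exe',      '%Temp%\*.zip\*.exe'      # WinZip / Explorer zip preview
)

function Enable-SrpDefaults {
    # Default level Unrestricted (0x40000): only the explicit rules block anything.
    New-Item -Path $srp -Force | Out-Null
    Set-ItemProperty -Path $srp -Name DefaultLevel       -Value 0x40000 -Type DWord
    Set-ItemProperty -Path $srp -Name TransparentEnabled -Value 1       -Type DWord  # all software except DLLs
    Set-ItemProperty -Path $srp -Name PolicyScope        -Value 0       -Type DWord  # all users, admins included
}

function Add-SrpDisallowPathRule {
    param([string]$PathPattern, [string]$Description)
    # Level subkey "0" = Disallowed; each rule is a Paths\{GUID} subkey.
    $ruleKey = Join-Path $srp ('0\Paths\{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Value $PathPattern -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $ruleKey -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
    return $ruleKey
}

function Get-SrpDisallowPathRules {
    # Audit existing Disallowed path rules so reruns do not create duplicates.
    Get-ChildItem -Path (Join-Path $srp '0\Paths') -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
}

Enable-SrpDefaults
$existing = @(Get-SrpDisallowPathRules)
foreach ($pattern in $blockedPaths) {
    if ($existing -notcontains $pattern) {
        Add-SrpDisallowPathRule -PathPattern $pattern -Description 'Block CryptoLocker-style droppers' | Out-Null
    }
}
Get-SrpDisallowPathRules   # prints the rules now in force after "gpupdate /force"
```

Legitimate per-user installers and updaters also run from these folders, so pilot the policy on a test machine and add Unrestricted rules (level subkey 262144) for the exceptions you find before rolling it out.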

Mitigation: How to Restore Encrypted Files.

If your computer has already been infected with Cryptolocker, there are two mitigation techniques to remember. Both rely on Shadow Copies, an integral part of the System Restore feature in Windows.

  • Restore Previous Versions

In order to restore the previous version of a file, right-click the file and choose “Properties.” As long as “System Restore” or “Shadow Copies” is enabled through Group Policy, you can access the “Previous Versions” tab in the “Properties” window that contains previous versions of files you created. Choose a version that was saved on a date before the infection took place, and simply click “Copy” or “Restore.”

  • ShadowExplorer

This is a free, downloadable tool that lets you browse all of the shadow copies on your system. It’s particularly helpful when Cryptolocker has encrypted a large number of files. After installing and running ShadowExplorer, select the drive and the shadow copy date/time from the menu at the top of the window, then right-click the file you want and select “Export.” The recovered version may not be the most recent, but that’s better than losing the file altogether or paying a ransom to get the current one back.
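As an added example (not from the original post or from ShadowExplorer), this PowerShell scripts the same recovery: it lists the shadow copies taken before the infection and copies a file out of the newest one through a temporary directory symlink to the snapshot device; the cutoff time and file paths are placeholders, and it assumes an elevated PowerShell 5.1 or later session.

```powershell
# Added example: enumerate Volume Shadow Copies (the snapshots "Previous Versions"
# and ShadowExplorer read) and restore one file from a pre-infection snapshot.
#Requires -RunAsAdministrator

function Get-ShadowCopiesBefore {
    param([datetime]$Cutoff, [string]$Drive = 'C:')
    # Win32_ShadowCopy.VolumeName uses the \\?\Volume{GUID}\ form, so map the drive letter first.
    $vol = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $Drive }
    Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID -and $_.InstallDate -lt $Cutoff } |
        Sort-Object InstallDate -Descending
}

function Restore-FileFromShadow {
    param(
        [Parameter(Mandatory)] $ShadowCopy,                   # a Win32_ShadowCopy instance
        [Parameter(Mandatory)] [string]$RelativePath,         # path below the volume root
        [Parameter(Mandatory)] [string]$Destination
    )
    # Expose the snapshot via a directory symlink; the trailing backslash on the
    # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path is required.
    $mount = Join-Path $env:TEMP ('vss_' + $ShadowCopy.ID.Trim('{}'))
    $null = New-Item -ItemType SymbolicLink -Path $mount -Target ($ShadowCopy.DeviceObject + '\')
    try {
        $src = Join-Path $mount $RelativePath
        if (-not (Test-Path -LiteralPath $src)) { throw "Not present in snapshot: $RelativePath" }
        $null = New-Item -ItemType Directory -Force -Path (Split-Path -Parent $Destination)
        Copy-Item -LiteralPath $src -Destination $Destination -Force
        Get-Item -LiteralPath $Destination
    } finally {
        (Get-Item -LiteralPath $mount).Delete()   # removes the link only, never the snapshot
    }
}

# Usage (placeholder values): newest snapshot taken before the ransom screen appeared.
$infectedAt = Get-Date '2013-10-25 09:00'
$snap = Get-ShadowCopiesBefore -Cutoff $infectedAt | Select-Object -First 1
if ($snap) {
    Restore-FileFromShadow -ShadowCopy $snap -RelativePath 'Users\alice\Documents\report.docx' `
                           -Destination 'D:\recovered\report.docx'
} else {
    Write-Warning 'No shadow copy older than the cutoff exists on this volume.'
}
```

Copy recovered files to a separate, clean drive rather than back over the encrypted originals until the machine has been cleaned, and check the snapshot’s InstallDate against the first encrypted file’s modification time if the infection time is uncertain.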

Ransomware Threats Are Ever Increasing and Changing.

The prevalence of ransomware is growing rapidly, and Cryptolocker appears to be the most dangerous and harmful version to date. In most cases, ransomware does something like freezing your computer, which is ultimately fixable. Cryptolocker, on the other hand, encrypts all of your important files. It’s important to be aware of the potential harm this type of ransomware can cause and to be prepared to prevent and mitigate it.

It’s essential that you stay informed regarding the prevention and mitigation of ransomware and Cryptolocker. We’ll provide updated information as we receive it, so visit our site frequently to learn how to protect your valuable data!

We're Integris. We're always working to empower people through technology.
