The Hacker News

A long-running ransomware known as CryptoLocker is continuing to lock victims out of their files and demand payment to restore access. The malware targets computers running Microsoft Windows and has already affected users across multiple regions.

CryptoLocker encrypts files on an infected system and displays a ransom message. Victims are told their data is locked and are given a deadline to pay. The demanded payment usually ranges from $100 to $700 or the equivalent of two bitcoins. If the deadline passes, victims are warned they may permanently lose access to their files.

Researchers and security forums report that the group behind CryptoLocker has now launched a separate website offering a decryption service. The site allows victims to buy the private decryption key even after the malware itself has been removed from their system.

According to reports, the ransomware installed on infected computers asks for two bitcoins, roughly $450 at current exchange rates. The new website, however, charges a much higher fee. Victims are asked to pay 10 bitcoins, or about $2,100, to recover their files through the service.

The decryption service is hosted on infrastructure linked to Russia and is reachable through both the public web and the Tor network. The operators appear to present the site as a customer support portal for people affected by CryptoLocker.

The reason for launching this service appears to be practical. Most major antivirus vendors have issued updates that can detect and remove CryptoLocker from infected systems. While removal stops further damage, it also prevents victims from paying through the malware itself, cutting off the attackers' ability to collect ransom payments.

By moving the payment and key delivery process to a standalone website, the attackers ensure they can still collect money even after the malware has been deleted. Victims can upload one encrypted file to the site, which generates an order number and shows details such as the infection time and the victim's public encryption key.

The site then prompts the victim to pay 10 bitcoins for the private key. Once payment is confirmed, the service allows the download of a decryption key and a tool that can unlock all files encrypted by CryptoLocker. Victims who already paid the original ransom are reportedly able to obtain the decryption tools at no extra cost.

CryptoLocker infections have been observed worldwide, including in Europe, the Middle East, North America, and the Asia-Pacific region. Reports suggest that roughly 64 percent of known victims are located in the United States.

Security firms continue to describe CryptoLocker as a serious global threat. There is still no universal way to decrypt files without the attackers' private key. Some security vendors, including Bitdefender, have released tools designed to block CryptoLocker before it can encrypt files, but these tools do not recover data once encryption has already occurred.
