CryptoLocker and Variants

Best thing you can do with this one is to have OFF SITE BACKUPS.
If you get CryptoLocker, your files are gone.  Sorry, they’re gone.  Hope you have a backup.

You can restore from a backup if you have one.  If the backup is attached to your network, it will most likely be encrypted too.


  1. You can pay the $300.  Yes, this works, but it will cost you.  Use a prepaid card purchased from WalMart to pay for this.  Do not use your regular credit card or banking info.  Go buy a card and use that.  You will actually get your files back, and you will enable the villains to do more like this.
  2. If you remove the virus before you pay the crooks, you will NOT be able to decrypt any files.
  3. Most variants only give you 72 hours to get a card and pay them.  If this is your choice, don’t wait until the deadline.
  4. Or, you can format your drive, lose all the data, and reinstall Windows from scratch.  Next time, set up a backup.


  1. Format your drive.
  2. Boot to your Windows DVD.  Run the Backup Recovery from the DVD.  You’ll be done in about an hour or so.


CryptoLocker and its variants usually arrive via an email with an attachment.  The virus authors craft the message so that you will feel compelled to open the attachment.

Some compelling messages I have seen:

  1. FedEx could not deliver a package, click here for details.
  2. You are being audited by the IRS and are required to respond:  Click here for details.
  3. Microsoft has found viruses on your PC.  Click here.
  4. Your order has been processed and shipped, and $712.98 has been debited from your account.  For details of the order, Click Here.
  5. Network Solutions found viruses on your website and your Domain Name is being suspended:  Click Here for details.

See anything in common?  “Click Here”  <– Just don’t do it.

New compelling techniques are being crafted all the time.  The list above is meant to show the style of the attack, not the specifics.  The main points are that you must click on something, and they will devise a story so compelling that you simply must click on the link.  Don’t do it.

So, an order has been shipped?  Don’t click on the link.  Close the email and open a web browser.  Go to your bank and see whether you really have paid $712.98 to someone or not.  Bet you have not.  Re-open your mail and delete that message.

The IRS never emails.  They will send registered, signature-receipt mail via the USPS mail carrier.
FedEx never emails.  They will leave a little yellow sticky note on your door.

Slow down.  Think about what you are about to click on.  If it is too good to be true, or too bad to be true, it may well be a well-crafted email designed to make you click on the link.

Close the email. Go to the real website yourself and check out your account(s).
Bet the complaint is not even true.

Eric Anderson, Consultant