The malware – known as CryptoLocker by several security vendors – actually encrypts the user’s files, and presents them with a ticking clock to ram the message home about the time limit.
The good news is that the malware decrypts the user’s files as soon as the ransom is paid, but unconfirmed reports suggest that, once the 100 hours are up, the program code disables itself – without decrypting the files and folders.
The author of the code is unknown, but the malware is spread via the usual array of FedEx and UPS tracking notifications, with CryptoLocker installing itself within the PC's 'Documents and Settings' folder, from where it scans the hard drive and encrypts all files with MS-Word and Adobe suffixes.
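A defender-side detection heuristic for the behaviour just described (a process running out of the profile folder rewriting many Word and Adobe files in a short window), written here as an added example and not code from the article or from any vendor; the log format, process name and file names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Suffixes the article says CryptoLocker targets (MS-Word and Adobe files).
TARGET_SUFFIXES = (".doc", ".docx", ".pdf")
# The article reports the dropper installs itself under this profile folder.
SUSPECT_DIR = "\\documents and settings\\"
THRESHOLD = 5        # distinct target files rewritten ...
WINDOW_SECONDS = 60  # ... within this many seconds by one process

# Constructed file-write events: timestamp|process image|written file|action
SAMPLE_LOG = r"""
2013-10-15T10:00:01|C:\Documents and Settings\bob\Application Data\sample_dropper.exe|C:\Documents and Settings\bob\My Documents\report.doc|WRITE
2013-10-15T10:00:02|C:\Documents and Settings\bob\Application Data\sample_dropper.exe|C:\Documents and Settings\bob\My Documents\budget.docx|WRITE
2013-10-15T10:00:03|C:\Documents and Settings\bob\Application Data\sample_dropper.exe|C:\Documents and Settings\bob\My Documents\contract.pdf|WRITE
2013-10-15T10:00:04|C:\Documents and Settings\bob\Application Data\sample_dropper.exe|C:\Documents and Settings\bob\My Documents\thesis.doc|WRITE
2013-10-15T10:00:05|C:\Documents and Settings\bob\Application Data\sample_dropper.exe|C:\Documents and Settings\bob\My Documents\invoice.pdf|WRITE
2013-10-15T10:00:06|C:\Documents and Settings\bob\Application Data\sample_dropper.exe|C:\Documents and Settings\bob\My Documents\notes.txt|WRITE
2013-10-15T10:00:07|C:\Documents and Settings\bob\Application Data\sample_dropper.exe|C:\Documents and Settings\bob\My Documents\letter.docx|WRITE
2013-10-15T10:00:08|C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Documents and Settings\bob\My Documents\memo.doc|WRITE
"""

def parse_line(line):
    ts, proc, path, action = line.split("|")
    return datetime.fromisoformat(ts), proc, path, action

def is_target(path):
    return path.lower().endswith(TARGET_SUFFIXES)

def find_suspicious(log_text):
    """Return {process: max distinct target files rewritten in one window}
    for processes living under the profile folder that exceed THRESHOLD."""
    writes = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proc, path, action = parse_line(line)
        if action != "WRITE" or not is_target(path):
            continue
        if SUSPECT_DIR not in proc.lower():
            continue  # ordinary applications elsewhere on disk are not scored
        writes[proc].append((ts, path.lower()))
    hits = {}
    for proc, events in writes.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Sliding window: distinct target files touched within WINDOW_SECONDS of this event
            files = {p for t, p in events[i:] if (t - start).total_seconds() <= WINDOW_SECONDS}
            if len(files) >= THRESHOLD:
                hits[proc] = max(hits.get(proc, 0), len(files))
    return hits

if __name__ == "__main__":
    for proc, count in find_suspicious(SAMPLE_LOG).items():
        print(f"ALERT: {proc} rewrote {count} Word/Adobe files within {WINDOW_SECONDS}s")
```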
Because the ransom is payable in Bitcoins, ITSP notes that tracing the author/user of the ransomware is going to be difficult, if not impossible, although some security forum posters suggest that a well-known Ukrainian cybercriminal group may be behind the campaign.
According to Alberto Ortega, AlienVault’s research team engineer, CryptoLocker – tagged as Crilock.A by Microsoft – is notable for accepting MoneyPak, Ukash, cashU and Bitcoin as payment methods.
The malware, he says, uses a command-and-control IP address that is actually a sinkhole, meaning that the actual end IP address could change from day to day.
After investigating the infection and its user trail, Ortega claims that the author of the code is not generating as much money as they would appear to like, since Bitcoins, he notes, are still mainly used by people with a modest technical background, who are usually tech savvy and so less affected by malware infections.
“In one way or another, you should never pay to release your files. Try to clean your computer with an antivirus; they even have tools for these kinds of infections,” he says.
Affected users, he adds, should also be prepared to use their backups, seek help and IT assistance, and contact the local authorities.