Fact Check


Warning about CryptoLocker malware that holds computer files for ransom.

Published Oct 23, 2013

Virus:   CryptoLocker


Example:   [Collected via e-mail, October 2013]

there's a rumor going around that there's a virus called CryptoLocker. It apparently takes all of your files and you have a specific amount of time to pay the person the money they want for you to give it back. You cannot get rid of the virus without wiping your entire computer of all files and nobody's cracked it down yet... The big name virus companies don't even know about the virus quite yet.


Origins:   The so-called "CryptoLocker virus" is an example of ransomware, a class of malware that, once it has infected a particular computer system, restricts access to that system until the user pays a ransom. CryptoLocker is a particular form of ransomware known as cryptoviral extortion, a scheme in which key files on the system's hard drive are encrypted and thus rendered inaccessible to the user unless and until that user pays a ransom to obtain a key for decrypting the files.

The CryptoLocker worm is generally spread via drive-by downloads or as an attachment to phony e-mails disguised as legitimate messages from various business, such as fake FedEx and UPS tracking notifications. When a user opens such a message, CryptoLocker installs itself on the user's system, scans the hard drive, and encrypts certain file types, such as images, documents and spreadsheets. CryptoLocker then launches a window displaying a demand for ransom (to be paid in less-traceable forms such as Bitcoins and Green Dot Moneypaks) and a countdown timer showing the date and time before which the user must submit payment in order to obtain the decryption key before it is destroyed:

According to various accounts, users whose computers have been infected by CryptoLocker have been able to restore their files by paying the demanded ransom (usually $300 to be paid within 72 hours), and computer security companies haven't yet come up with a solid defense against the CryptoLocker malware:

If the ransom is paid before the deadline, a key is given to decrypt the files. If not, the key is destroyed and the files are effectively lost forever. Even advanced software security companies don't really have ways to restore the locked hard drive. Catching the hackers behind CryptoLocker may be the only way to retrieve the files.

The good news is that paying the ransom does actually decrypt the files, and the hackers behind CryptoLocker so far have been honest and not reinfected computers after the ransom is paid.

Security companies are working on a protection, but there isn’t one yet. Users should remain vigilant about their security online, double-checking the legitimacy of links received in emails and social media messages.

As the Guardian noted of CryptoLocker and its victims:

"If you haven't got a backup and you get hit by CryptoLocker, you may as well have dropped your PC over the side of a bridge," says Paul Ducklin, security adviser for anti-virus software company Sophos. Even if you had backed up your files, he says, if your back-up device was connected to your computer when CryptoLocker struck, you may not be able to recover them. Similarly, all the files in shared network drives that were connected at the time of the attack could also become encrypted and inaccessible.

CryptoLocker currently only affects PCs and can easily be removed with anti-virus software, but its effects cannot. "I don't think anyone in the world could break the encryption," says Gavin O'Gorman, spokesman for internet security firm Symantec. "It has held up for more than 30 years."

Ryan Rubin, MD of global risk consultancy Protiviti, agrees: "CryptoLocker has been designed to make money using well-known, publicly available cryptography algorithms that

were developed by governments and other [legitimate] bodies. Unless you have the key, you simply cannot unlock the data that is encrypted."

So should anyone hit by CryptoLocker pay up? "You'd be in the same situation if your laptop got stolen — it just feels worse because you know that there is someone out there who has got this key. If your data is worth $300 to you, it must be very tempting to pay up, just in case it works," Ducklin says.

According to Symantec, around 3% of people hand over money in the hope of getting their data back. "But remember, you're dealing with criminals," Rubin says. "There is no guarantee they'll send you the key, and if they know you're susceptible to blackmail what is to stop them from doing it again?"

Bear in mind that every penny you pay them will fund their endeavors to target other victims. "If even a few victims pay then the cybercriminals will think they have got a viable business model and keep infecting people and asking for ransoms. If nobody pays, they will stop these campaigns," says Dmitri Bestuzhev, spokesperson for Kaspersky anti-virus software

Additional Information:

  CryptoLocker (Sophos)

Last updated:   23 October 2013


    Ducklin, Paul.   "Destructive Malware 'CryptoLocker' on the Loose — Here's What to Do."

    Naked Security.   12 October 2013.

    Ferguson, Donna.   "CryptoLocker Attacks That Hold Your Computer to Ransom."

    The Guardian.   18 October 2013.

    Neal, Ryan W.   "CryptoLocker Virus: New Malware Holds Computers for Ransom."

    International Business Times.   21 October 2013.

David Mikkelson founded the site now known as snopes.com back in 1994.

Read More

a Member

Your membership is the foundation of our sustainability and resilience.


Ad-Free Browsing on Snopes.com
Members-Only Newsletter
Cancel Anytime