Cryptolocker and Other Bitcoin Malware


Malware / Ransomware Alert

While viruses, malware, Trojans, and ransomware have existed for decades, we have become aware of a series of new and highly destructive ransomware attacks that are on the rise. These variants of ransomware can cost you tens of thousands of dollars, subject you to lawsuits and potential fines, ruin your credibility, and potentially put you out of business. We wanted to alert you to this increasing threat and give you an overview of what is happening and what you should do to protect your business.

What is the current threat?

Cryptolocker is a new and highly destructive variant of ransomware that is currently on the rise. Ransomware is malicious software (malware) that infects your computer and holds something of value to you (your data) hostage in exchange for money. Older ransomware simply blocked access to the computer. Newer ransomware, such as Cryptolocker, takes your data hostage: the thieves use unbreakable encryption to make your files unusable and irretrievable without the decryption key, which forces victims to pay the thief a ransom for the key that unlocks the data.

Cryptolocker encrypts database files, Office files, picture files, Adobe files, etc. on any drive you have access to, including network drives and USB drives, as well as the contents of My Documents and the Desktop. Once encrypted, these files cannot be used again unless they are restored from backup or decrypted. In theory you can pay the ransom to retrieve your files, but the payment sites may be shut down, and the thief may simply decide not to send you the key after receiving payment.

It is usually installed when someone opens an attachment in a fake shipping or banking email (UPS, FedEx, ADP, various large banks). The attachment actually contains the malware, which encrypts your files and then demands that you pay to get them back. These attachments may appear to be PDFs, but they are usually compressed archives containing EXE files that install the infection when run. It is of utmost importance that end users be mindful of the emails they open.
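As an added example (not part of the original alert and not the provider's own tooling), here is a Python check that applies the advice in this paragraph to an attachment before anyone opens it: it trusts the content over the file name, so a zip member named like a PDF that carries a Windows executable header gets flagged. The extension lists and the constructed sample archives are assumptions made for illustration.

```python
import io
import zipfile

# Extensions Windows runs when double-clicked. Assumed starting list, not taken from the alert.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document types a lure imitates in a double-extension name like "Invoice.pdf.exe".
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}

def _suffixes(member_name):
    """Return the dotted suffixes of an archive member, e.g. [".pdf", ".exe"]."""
    base = member_name.lower().rsplit("/", 1)[-1]
    return ["." + part for part in base.split(".")[1:]]

def inspect_attachment(data):
    """Return findings for one attachment; an empty list means nothing suspicious was seen."""
    findings = []
    if data[:2] == b"MZ":  # a bare Windows executable, whatever it is called
        return ["attachment itself is a Windows executable"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings  # a genuine PDF starts with %PDF- and is not a zip archive
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            sufs = _suffixes(info.filename)
            if sufs and sufs[-1] in EXECUTABLE_EXTENSIONS:
                findings.append(f"{info.filename}: executable extension {sufs[-1]}")
                if len(sufs) > 1 and sufs[-2] in DOCUMENT_EXTENSIONS:
                    findings.append(f"{info.filename}: double extension posing as a document")
            with archive.open(info) as member:  # inspect the bytes, not just the name
                if member.read(2) == b"MZ":
                    findings.append(f"{info.filename}: content has a Windows MZ header")
    return findings

def build_sample_lure():
    """Constructed fixture: a zip whose member is named like a PDF but carries an MZ header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Shipping_Label.pdf.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()

def build_benign_zip():
    """Constructed fixture: a zip holding a harmless PDF placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Invoice.pdf", b"%PDF-1.4\n% constructed placeholder\n")
    return buf.getvalue()

if __name__ == "__main__":
    print("lure:  ", inspect_attachment(build_sample_lure()))
    print("benign:", inspect_attachment(build_benign_zip()))
```

The fixture with the MZ header is flagged three times (executable extension, document-style double extension, executable content), while the placeholder PDF produces no findings.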

It is also important to use complex passwords and to change them on a regular basis. We are available to assist with password management if required.



What can be done to prevent an infection?

1. Malware is most often introduced into the network by users who unknowingly open files and/or emails from unknown sources, and then “allow” the malware program to run when prompted. NEVER open an attachment from an unknown source or one that does not look legitimate.

2. Malware can also be introduced through the web. Your employees should be using the internet for business purposes only. Visits to non-business-related sites should be prohibited.

3. Google search results can lead a user to believe they are going to a legitimate business site when they are not. For example, a search for free Word templates may lead the user to a site that is designed to introduce malware. Make sure the sites you are visiting are legitimate, and be cautious when downloading and executing anything obtained on the web.

4. Use complex passwords (i.e. at least 10 characters, with a mix of capital and lower-case letters, numbers, and non-alphanumeric characters).

5. NEVER share your password with anyone.

6. Change your password regularly, and at least every 90 days.

7. Ensure that you have, and are implementing, a complete business continuity plan for backing up your files.

8. Ensure that your virus/malware software is running and up to date on ALL computers on your network.

9. Only provide users with the security rights that are needed to perform their job function, e.g. don’t give everyone Administrator access “just in case” they might need to get to certain files.

What to do if you believe you are infected?

1. Power off the affected machine IMMEDIATELY.

2. Contact your Network IT provider IMMEDIATELY.

(Following article taken from

Your computer screen freezes with a pop-up message—supposedly from the FBI or another federal agency—saying that because you violated some sort of federal law your computer will remain locked until you pay a fine. Or you get a pop-up message telling you that your personal files have been encrypted and you have to pay to get the key needed to decrypt them.

These scenarios are examples of ransomware scams, which involve a type of malware that infects computers and restricts users’ access to their files or threatens the permanent destruction of their information unless a ransom—anywhere from hundreds to thousands of dollars—is paid.

Ransomware doesn’t just impact home computers. Businesses, financial institutions, government agencies, academic institutions, and other organizations can and have become infected with it as well, resulting in the loss of sensitive or proprietary information, a disruption to regular operations, financial losses incurred to restore systems and files, and/or potential harm to an organization’s reputation.

Ransomware has been around for several years, but there’s been a definite uptick lately in its use by cyber criminals. And the FBI, along with public and private sector partners, is targeting these offenders and their scams.

When ransomware first hit the scene, computers predominantly became infected with it when users opened e-mail attachments that contained the malware. But more recently, we’re seeing an increasing number of incidents involving so-called “drive-by” ransomware, where users can infect their computers simply by clicking on a compromised website, often lured there by a deceptive e-mail or pop-up window.

Another new trend involves the ransom payment method. While some of the earlier ransomware scams involved having victims pay “ransom” with pre-paid cards, victims are now increasingly asked to pay with Bitcoin, a decentralized virtual currency network that attracts criminals because of the anonymity the system offers.

Also a growing problem is ransomware that locks down mobile phones and demands payments to unlock them.

The FBI and our federal, international, and private sector partners have taken proactive steps to neutralize some of the more significant ransomware scams through law enforcement actions against major botnets that facilitated the distribution and operation of ransomware. For example:

  • Reveton ransomware, delivered by malware known as Citadel, falsely warned victims that their computers had been identified by the FBI or Department of Justice as being associated with child pornography websites or other illegal online activity. In June 2013, Microsoft, the FBI, and our financial partners disrupted a massive criminal botnet built on the Citadel malware, putting the brakes on Reveton’s distribution.
  • Cryptolocker was a highly sophisticated ransomware that used cryptographic key pairs to encrypt the computer files of its victims and demanded ransom for the decryption key. In June 2014, the FBI announced—in conjunction with the Gameover Zeus botnet disruption—that U.S. and foreign law enforcement officials had seized Cryptolocker command and control servers. The investigation into the criminals behind Cryptolocker continues, but the malware is unable to encrypt any additional computers.

If you think you’ve been a victim of Cryptolocker, visit the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (CERT) CryptoLocker webpage for remediation information.

The FBI—along with its federal, international, and private sector partners—will continue to combat ransomware and other cyber threats. If you believe you’ve been the victim of a ransomware scheme or other cyber fraud activity, please report it to the Bureau’s Internet Crime Complaint Center.


A fairly new ransomware variant has been making the rounds lately. Called CryptoWall (and CryptoWall 2.0, its newer version), this virus encrypts files on a computer’s hard drive and any external or shared drives to which the computer has access. It directs the user to a personalized victim ransom page that contains the initial ransom amount (anywhere from $200 to $5,000), detailed instructions about how to purchase Bitcoins, and typically a countdown clock to notify victims how much time they have before the ransom doubles. Victims are infected with CryptoWall by clicking on links in malicious e-mails that appear to be from legitimate businesses and through compromised advertisements on popular websites. According to the U.S. CERT, these infections can be devastating and recovery can be a difficult process that may require the services of a reputable data recovery specialist.


  • Make sure you have updated antivirus software on your computer.
  • Enable automated patches for your operating system and web browser.
  • Have strong passwords, and don’t use the same passwords for everything.
  • Use a pop-up blocker.
  • Only download software—especially free software—from sites you know and trust (malware can also come in downloadable games, file-sharing programs, and customized toolbars).
  • Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if you think it looks safe. Instead, close out the e-mail and go to the organization’s website directly.
  • Use the same precautions on your mobile phone as you would on your computer when using the Internet.
  • To prevent the loss of essential files due to a ransomware infection, it’s recommended that individuals and businesses always conduct regular system back-ups and store the backed-up data offline.

If you have been victimized by ransomware, a good resource to start may be