Backup: the best defense against (Cri)locked files


Crilock – also known as CryptoLocker – is a notorious ransomware family that has been making the rounds since early September 2013. Its primary payload targets and encrypts your files, such as pictures and Office documents. All of the file types it encrypts are listed in our Trojan:Win32/Crilock.A and Trojan:Win32/Crilock.B descriptions.

Crilock affected about 34,000 machines between September and early November 2013.

Once Crilock encrypts your files, they are rendered unusable. The malware displays a message that covers your desktop and demands a ransom before you can access your files again. The ransom can be paid with various online currencies such as Bitcoin, CashU, MoneyPak, Paysafecard, and Ukash. Once you pay, the malware authors supposedly hand over the private key needed to decrypt your files. We don't recommend paying: there is no guarantee that paying will lead to recovering your documents, and you would be handing criminals your hard-earned money.

Crilock message

Figure 1: The message that Crilock might display on your desktop

Crilock document upload

Figure 2: Crilock asks you to upload your encrypted documents and recover them for a fee

The Crilock authors have even set up an online payment scheme on the Tor network where affected people can upload their encrypted files for recovery.

Crilock encrypts each file with an AES-256 key that is unique to that file, and then encrypts the file-specific AES key with a 2048-bit RSA public key. The matching RSA private key stays with the attackers, so neither the per-file keys nor the files can be recovered from the infected machine alone. This is similar to the GpCode ransomware, which first came out in 2006 and used the same technique, but with RC4 for the file contents and 1024-bit RSA for encrypting the per-file key.
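The following PowerShell script is an added illustration of the hybrid scheme described above, written for this page; it is not Crilock's code and not a Microsoft tool. It uses the .NET AES and RSA classes that ship with Windows, and every name in it (the two key pairs, the Protect-FileLikeCrilock and Unprotect-File functions, the sample "document") is invented for the demonstration. It shows why a machine that only ever held the public key cannot unwrap the per-file AES key, while the holder of the private key can.

```powershell
# Added example of the AES-per-file + RSA-wrapped-key scheme. Not Crilock's code.

# Attacker side: the RSA-2048 key pair is generated once; only the public half
# is ever shipped inside the malware.
$attackerRsa  = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$publicKeyXml = $attackerRsa.ToXmlString($false)   # $false = public parameters only

function Protect-FileLikeCrilock {
    # What the malware does to each file: fresh AES-256 key and IV per file,
    # body encrypted with AES, then the AES key encrypted with the RSA public key.
    param([byte[]]$Plaintext, [string]$PublicKeyXml)

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey()
    $aes.GenerateIV()
    $body = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)

    $rsaPub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $rsaPub.FromXmlString($PublicKeyXml)            # public key only: can wrap, cannot unwrap
    $wrappedKey = $rsaPub.Encrypt($aes.Key, $true)  # $true = OAEP padding

    # The plaintext AES key is discarded; only the wrapped copy is kept with the file.
    return [pscustomobject]@{ WrappedKey = $wrappedKey; IV = $aes.IV; Body = $body }
}

function Unprotect-File {
    # Recovery needs the RSA private key to unwrap the per-file AES key.
    param($Blob, [System.Security.Cryptography.RSACryptoServiceProvider]$Rsa)

    $fileKey = $Rsa.Decrypt($Blob.WrappedKey, $true)   # throws unless $Rsa holds the right private key
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fileKey
    $aes.IV  = $Blob.IV
    $out = $aes.CreateDecryptor().TransformFinalBlock($Blob.Body, 0, $Blob.Body.Length)
    return ,$out   # leading comma keeps the byte[] from being unrolled by the pipeline
}

# Constructed sample "document" (not real data).
$plain = [Text.Encoding]::UTF8.GetBytes('Quarterly figures - do not distribute')
$blob  = Protect-FileLikeCrilock -Plaintext $plain -PublicKeyXml $publicKeyXml

# The victim PC holds only the public key. A key pair generated locally cannot
# unwrap the file key: Decrypt throws a CryptographicException.
$victimRsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
try   { Unprotect-File -Blob $blob -Rsa $victimRsa | Out-Null; 'unexpected: decrypted without the attacker key' }
catch { 'Without the attacker private key: decryption failed, as expected' }

# Only the holder of the private key recovers the file; that is what the ransom buys.
$recovered = Unprotect-File -Blob $blob -Rsa $attackerRsa
[Text.Encoding]::UTF8.GetString($recovered)
```

The point of the script is the asymmetry: everything needed to encrypt is on the victim's machine, and nothing needed to decrypt is. That is why the only recovery paths that do not involve the attackers are copies of the files that were made before the infection.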

Crilock can be downloaded onto your computer by exploits or by other malware. For instance, we have seen Upatre download Zbot, which in turn downloads Crilock. Upatre has been heavily spammed in the past few months, and spam runs are an effective way to distribute malware. This is discussed in detail in the blog post Upatre: Emerging Up(d)at(er) in the wild.

As shown in the chart below, Crilock has predominantly affected English-speaking countries, although it also has a comparatively small presence in non-English-speaking locations. Every Crilock variant we have seen so far carries a ransom message written only in English.

Crilock affected countries graph

Crilock affected countries map

Figure 3: Crilock-affected countries from September 2013 to early November 2013

Can you recover your documents without paying?

In some cases you can recover previous versions of encrypted files from the shadow copies that System Restore keeps. However, all of the following conditions must hold:

  • System Restore (System Protection) must have been turned on before you were infected with Crilock.
  • You must already have detected and removed Crilock, and there can be no traces of it on your PC.
  • Your files must be on the same PC you're using to recover them (that is, the files aren't on a network or removable drive).
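The script below is an added example for this page, not a Microsoft tool and not part of the original post. It checks the conditions above for one file (local volume, a shadow copy that predates the infection) and copies the newest pre-infection version out of the shadow copy. It assumes an elevated PowerShell session on the already-cleaned PC; the function names, the example path and the "infected at" timestamp are placeholders for your own values.

```powershell
# Added example: recover one file from a volume shadow copy. Run elevated on the cleaned PC.

function Get-ShadowCopyVersions {
    # Every shadow copy of the volume holding $Path, oldest first.
    param([string]$Path)

    $root = [System.IO.Path]::GetPathRoot($Path)               # e.g. C:\
    if ($root -notmatch '^[A-Za-z]:\\$') {
        throw "$Path is not on a local drive; shadow copies only exist for local volumes"
    }
    $rel    = $Path.Substring($root.Length)                      # e.g. Users\me\Documents\plan.docx
    $volume = Get-WmiObject Win32_Volume -Filter "DriveLetter='$($root.TrimEnd('\'))'"

    Get-WmiObject Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID } |
        ForEach-Object {
            [pscustomobject]@{
                Created = $_.ConvertToDateTime($_.InstallDate)
                Device  = $_.DeviceObject    # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
                Rel     = $rel
            }
        } |
        Sort-Object Created
}

function Restore-FromShadowCopy {
    # Copy the newest version of $Path taken before $Before (the time the files were
    # still intact, e.g. just before the infection) to $Destination.
    param([string]$Path, [datetime]$Before, [string]$Destination)

    $versions = Get-ShadowCopyVersions -Path $Path | Where-Object { $_.Created -lt $Before }
    if (-not $versions) {
        throw "No shadow copy older than $Before : System Restore was off, or the snapshots are gone"
    }
    New-Item -ItemType Directory -Force -Path (Split-Path $Destination) | Out-Null

    foreach ($v in ($versions | Sort-Object Created -Descending)) {
        # A directory symlink is the reliable way to browse \\?\GLOBALROOT\Device\... from
        # PowerShell; the trailing backslash on the target is required by mklink.
        $link = Join-Path $env:TEMP ('shadow_' + [guid]::NewGuid().ToString('N'))
        cmd /c mklink /d "$link" "$($v.Device)\" | Out-Null
        try {
            $src = Join-Path $link $v.Rel
            if (Test-Path -LiteralPath $src) {
                Copy-Item -LiteralPath $src -Destination $Destination
                return "Restored $Destination from the snapshot taken $($v.Created)"
            }
        } finally {
            cmd /c rmdir "$link" | Out-Null    # removes only the link, not the snapshot
        }
    }
    throw "The file is not present in any snapshot taken before $Before"
}

# Placeholder values: replace with your own file, infection time and output path.
Restore-FromShadowCopy -Path 'C:\Users\me\Documents\plan.docx' `
                       -Before (Get-Date '2013-11-01 09:00') `
                       -Destination 'C:\Recovered\plan.docx'
```

The same snapshots are what the Previous Versions tab (right-click the file, Properties) shows in Explorer, and vssadmin list shadows prints the same list from an elevated command prompt; the script only automates picking a version from before the infection. If the list is empty, there is nothing for System Restore to recover from and a backup is the remaining option.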

SkyDrive for Windows 8.1 also has a means of restoring previous versions of Microsoft Office documents. Similar to System Restore, you can look at the version history and recover a file from a previous state.


Figure 4: Right-click on the file to see available version history


Figure 6: Restore file from older known working versions

You can find more information about restoring previous file versions below:

We've also added signatures based on Crilock behaviors to our antimalware products. This detection, Behavior:Win32/Crilock.A, can catch the malware before it encrypts your files.

Crilock is not the first malware to extort money by encrypting files, and it certainly won't be the last. However, you can help prevent Crilock and other malware from infecting your PC by:

  • Keeping your operating system and antivirus product up-to-date.
  • Being careful about which files you download (and where you download from).
  • Being cautious about which attachments and links you open.

Ransomware such as Crilock also emphasizes the importance of backing up your files on a regular basis. You can back up files by enabling System Restore (which keeps previous versions of files in shadow copies), by using manual syncing methods, or simply by copying your files to a separate drive.
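As an added example for this page (not a Microsoft script and not from the original post), here is the kind of backup the paragraph above calls for, done with robocopy. Two choices matter against ransomware and both are deliberate: each run goes into its own dated folder rather than mirroring, so a file that was already encrypted when the backup ran cannot overwrite the last good copy, and the target must be a different drive that you attach only for the backup. The source and target paths are assumptions; substitute your own.

```powershell
# Added example: dated, versioned copy of a folder to a separate drive with robocopy.

function Backup-Documents {
    param(
        [string]$Source     = "$env:USERPROFILE\Documents",
        [string]$BackupRoot = 'E:\Backups'   # a separate drive, attached only while this runs (assumed path)
    )

    if (-not (Test-Path -LiteralPath $BackupRoot)) {
        throw "$BackupRoot is not available; attach the backup drive first"
    }
    # A "backup" on the same volume is encrypted together with the originals.
    if ((Get-Item $Source).PSDrive.Name -eq (Get-Item $BackupRoot).PSDrive.Name) {
        throw 'Backup target is on the same volume as the source'
    }

    # One folder per run; never /MIR here, a mirror would sync encrypted files over the good copies.
    $dest = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd_HHmm')
    $log  = Join-Path $BackupRoot 'backup.log'

    # /E subfolders incl. empty, /XJ skip junctions, /R:1 /W:1 don't hang on locked files,
    # /NP no progress output, /LOG+ append to a log kept next to the snapshots.
    robocopy $Source $dest /E /XJ /R:1 /W:1 /NP "/LOG+:$log" | Out-Null

    # robocopy exit codes: 0-7 are success variants (bit flags: 1 copied, 2 extras, 4 mismatches);
    # 8 and above mean at least one file failed to copy.
    if ($LASTEXITCODE -ge 8) {
        throw "robocopy reported failures (exit code $LASTEXITCODE); see $log"
    }
    return $dest
}

$snapshot = Backup-Documents
"Backup written to $snapshot. Now safely remove the drive; a backup that stays connected is just another target."
```

Old dated folders can be pruned by hand once you are sure the newer ones are clean; until then they are the versions a sync or mirror would have thrown away.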

Marianne Mallen and Karthik Selvaraj
MMPC


Comments (15)

  1. @Joe, what about the variants of Crilock? Will Emsisoft, as you said, protect you? Without system patches and security updates? Antivirus itself is only one matrix.

  2. Regular backup data is the best possible option. In case something goes wrong you can restore. But backups should be isolated from the PC itself, else there is no point in backing up.

  3. @Deepak, attrib is not related to encryption or decryption. It is merely for viewing system hidden files.

  4. Clay Taylor says:

    That map has Peru and Greece listed as part of the United States 🙂

  5. martinmm says:

    Nasty stuff to scrap with. I think I fought with it once some time ago. I thought it was Microsoft making a mistake; not sure though. Might have been both, but I won somehow through uncertainty and determination.

  6. NotsoFun says:

    Backups! Have lost a server to this, but luckily restored from a backup. It can and will spread through your network to any and all machines it can.

  7. karthik says:

    Good catch Clay, corrected.

  8. dvk01 says:

    The best defence against this malware and other malware is to not let it on in the first place.

    Thousands or millions of users are infected because of the stupidity of hiding known file types being a default setting in Windows.

    Such a simple step that makes people look at what they are clicking on rather than relying on an icon that gets faked easily.

    How many people in an office, or even home users, would blindly click on picture or picture.jpg in an email when they routinely get pictures sent to them, but "might" be more cautious with picture.jpg.exe?

    And the same applies to document.pdf.

    Until we educate users (and admins) to forcibly set "show known file types" (and in an enterprise environment use Group Policy to enforce it and stop users turning it back off), we are going to have much more of this sort of malware attacking us.

    All these spam runs and emailed malware rely on social engineering tricks to get users to open the attachments. You can tell a user not to click on .exe files until you are blue in the face, but if they think they are opening a pdf or jpg and not a .exe, they don't see what they are doing wrong.
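The two pieces of PowerShell below are an added example for this page, not from the commenter and not a Microsoft script. The first flips the registry value behind Explorer's "Hide extensions for known file types" checkbox for the current user; the second sweeps a folder for the picture.jpg.exe pattern the comment describes, which is what a user with extensions hidden would have seen as picture.jpg. The folder path and the list of "document-looking" inner extensions are assumptions to adjust for your environment.

```powershell
# Added example: show file extensions, and find double-extension executables.

function Show-KnownFileExtensions {
    # HideFileExt: 1 = hide extensions (the Windows default), 0 = show them. Per-user value;
    # Explorer picks it up for new windows after it is restarted or at next logon.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name HideFileExt -Value 0 -Type DWord
    return (Get-ItemProperty -Path $key -Name HideFileExt).HideFileExt   # 0 once applied
}

function Find-DoubleExtensionFiles {
    # Files whose real (last) extension runs as code but whose previous extension looks like
    # a picture or document. With extensions hidden, "invoice.pdf.exe" is shown as "invoice.pdf".
    param(
        [string]$Folder,
        [string[]]$Executable = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.vbs'),
        [string]$LooksHarmless = '^\.(jpg|jpeg|png|gif|bmp|pdf|doc|docx|xls|xlsx|ppt|pptx|txt|zip)$'
    )
    Get-ChildItem -LiteralPath $Folder -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $inner = [IO.Path]::GetExtension([IO.Path]::GetFileNameWithoutExtension($_.Name))
            ($Executable -contains $_.Extension.ToLower()) -and ($inner -match $LooksHarmless)
        } |
        Select-Object FullName, Length, LastWriteTime
}

Show-KnownFileExtensions
# Sweep the current user's downloads (assumed location) for disguised executables.
Find-DoubleExtensionFiles -Folder "$env:USERPROFILE\Downloads"
```

For the enterprise enforcement the comment asks for, the same HideFileExt value can be pushed with a Group Policy Preferences registry item under User Configuration and set to replace on every refresh, so a user who re-ticks the checkbox loses the change at the next policy update; the sweep function can run as a scheduled task against mail download folders to catch what slipped through.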

  9. Joe says:

    Use Emsisoft, it blocks the virus!

  10. Jason says:

    There's a really good article here on CryptoLocker: http://www.prweb.com/…/prweb11293018.htm it talks about the importance of backup and how bitcoin has helped make cryptolocker possible.

  11. Eduard says:

    Everything described above is wonderful :) But what about those who don't regularly save their files to an external hard drive or don't make backups? Can a corporation like yours really not find a way to deal with these scumbags? In my case, here is their email: <removed>@europe.com. Find a way to deal with these creeps already :)

  12. Deepak says:

    attrib -h %systemdrive%\*.* /s /d

    Please try this in an elevated command prompt.

  13. Cassandra says:

    Back up your files ELSEWHERE. External hard drive, DVD-ROM, or BOTH. (Belt AND suspenders.) It only takes a few seconds to do this and then they are SAFE even if you (in a moment of absent-mindedness) let a virus like this in.

    You just reformat your hard drive to its original condition and reinstall your files laughing all the while at the idiots who thought they could hold YOU to ransom.

    Oh…only attach external storage when you are doing a back up. Do NOT leave it hooked in. It could be compromised.

  14. Michael L says:

    I had data stored on a network attached storage bay, 2x1TB hard drives in RAID1 (mirror configuration).
    Not only are my PC files locked (not many, as I had just moved them over to the NAS), all my files on my NAS are encrypted.
