Frequently Asked Questions


72. What is ransomware and CryptoLocker?

CryptoLocker is a ransomware trojan that targets computers running Microsoft Windows.
- Wikipedia on CryptoLocker

CryptoLocker and TorrentLocker infect computers running Windows via seemingly innocent emails with links or attachments. Other ransomware targeting Mac has also appeared.

Read more about ransomware, TorrentLocker and CryptoLocker on Wikipedia.

To become infected, the recipient has in most cases actively opened and executed the payload. The payload may be disguised as a Word document, a script, or something else that gives the impression of being harmless. Do not open files or attachments you have not requested!

The Microsoft Word example shown above is not safe! Be careful with Office files that ask you to Enable Content. Enabling content may allow malicious macros to execute in Office, giving the attacker control of your computer.

The Windows File Explorer example shown above is an opened .zip file. .zip files are not dangerous in themselves; they are just a way of storing one or more files in a single compressed archive. But an archive may be a way to bypass simple security checks: for example, anti-virus software may warn when an .exe file is downloaded but not when a .zip file is downloaded.

The icon shown above is what a .js file looks like in File Explorer. Such a file runs under the Windows Script Host (wscript/cscript) and may download further, potentially malicious, binaries. Windows Script Host also runs .jse and .wsf files. Note also that with a long file name like faktura.pdf.js, File Explorer may hide the real extension and show only faktura.pdf, which is misleading: the real file name extension is hidden.
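The three tricks described above (an executable script behind a decoy double extension, a .zip archive used to smuggle such a file past a simple check, and a macro-enabled Office document) can all be spotted before the attachment is opened. The following is an added example, not code from the original FAQ or from Uppsala University: a small attachment triage script in Python that flags script-host extensions, decoy double extensions, and zip containers (including Office Open XML files, which are zip archives) whose members are suspicious or contain a vbaProject.bin macro project. The extension lists and the sample attachments are constructed for the example.

```python
"""Attachment triage: flag the tricks a user might not notice in File Explorer."""
import io
import os
import zipfile

# Extensions that Windows Script Host or the Windows shell executes directly.
# Constructed list for this example; extend it to match local policy.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".exe", ".scr",
               ".bat", ".cmd", ".ps1", ".hta"}
# Harmless-looking extensions typically used as the decoy middle part.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def real_extension(name):
    """The extension Windows actually acts on: the last one (faktura.pdf.js -> .js)."""
    return os.path.splitext(name)[1].lower()


def is_double_extension(name):
    """True for a decoy extension followed by an executable one, e.g. faktura.pdf.js."""
    base, ext = os.path.splitext(name)
    _, inner = os.path.splitext(base)
    return ext.lower() in SCRIPT_EXTS and inner.lower() in DECOY_EXTS


def triage_name(name):
    """Findings that depend on the file name alone."""
    findings = []
    ext = real_extension(name)
    if ext in SCRIPT_EXTS:
        findings.append(f"executable/script extension {ext}")
    if is_double_extension(name):
        findings.append("decoy double extension (Explorer may hide the real one)")
    return findings


def triage_zip(data):
    """Inspect a zip container in memory without extracting anything to disk.
    .docm/.xlsm files are zips too; a macro project lives in .../vbaProject.bin."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            findings.extend(f"{member}: {f}" for f in triage_name(member))
            if member.lower().endswith("vbaproject.bin"):
                findings.append(f"{member}: VBA macro project present")
    return findings


def triage_attachment(name, data):
    """Combine name-based and container-based checks for one attachment."""
    findings = [f"{name}: {f}" for f in triage_name(name)]
    if data[:2] == b"PK":  # zip local-file-header signature
        try:
            findings.extend(f"{name} -> {f}" for f in triage_zip(data))
        except zipfile.BadZipFile:
            findings.append(f"{name}: starts with PK but is not a valid zip")
    return findings


def make_zip(members):
    """Build a small zip in memory; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed sample attachments (no real malware; contents are placeholders).
SAMPLES = {
    "faktura.pdf.js": b"// placeholder script body",
    "invoice.zip": make_zip({"faktura.pdf.js": b"// placeholder script body"}),
    "report.docm": make_zip({"[Content_Types].xml": b"<Types/>",
                             "word/document.xml": b"<w:document/>",
                             "word/vbaProject.bin": b"\x00placeholder"}),
    "holiday.jpg": b"\xff\xd8\xff",
}

if __name__ == "__main__":
    for sample_name, sample_data in SAMPLES.items():
        for line in triage_attachment(sample_name, sample_data) or ["nothing suspicious"]:
            print(f"{sample_name}: {line}")
```

The archive check reads the member names only, so nothing inside the zip is ever executed; the same function can be called from a mail gateway hook or run by hand on a downloaded file before deciding whether to open it.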

Even though the ransomware itself can easily be removed, the files stay encrypted until a ransom is paid in order to obtain the decryption key.

How to not get infected

What to do if infected

  1. Turn the computer off.
  2. Contact your local IT (helpdesk@bmc.uu.se) for help.
  3. Forward the malicious mail to no-spam@uu.se so that the Uppsala University Security Division can adjust mail filter and network firewall rules.
  4. Change your passwords at the university. Change all passwords for all sites that you have automatically saved in your browser.
  5. In general, reinstall the computer and restore data from backups or snapshots.

Lessons to be learned from CryptoLocker

Also read more

Read more from Europol's European Cybercrime Centre and its partners at the No More Ransom! website.

The Uppsala University Security Division offers courses in basic information security (in Swedish). Each chapter takes just 2-4 minutes, and there are 16 chapters in total.

This entry (cryptolocker) was last modified 2018-03-23.

This documentation is covered by GNU Free Documentation License.