If you see this CryptoLocker image on your computer screen disconnect your computer from the internet immediately by removing your network cable or turning off the wireless connection. Also disconnect USB storage devices or network shares and turn off any cloud backup services you may use such as Dropbox or Office 365.

If you see an image like this disconnect from the internet immediately by removing your network cable or turning off the wireless connection. You should also disconnect USB storage devices or network shares and turn off any cloud backup services you may use.

CryptoLocker ransomware is a form of malicious software or ‘malware’ which encrypts your files. Criminals will demand payment to unlock your files and it can often prove difficult to clean up or remove from PCs, Macs and Android devices.

If you are infected with CryptoLocker or another common form of ‘crypto-ransomware’ and you do not have a recent backup of your files, your only option is to pay to decrypt your data.

The lockscreen shown above often sets a limit of 72 hours before the private key needed to unlock your files is permanently deleted.

How can I be infected by CryptoLocker ransomware?

Ransomware can be delivered as a file attached to an email, downloaded from a malicious website or received via a botnet command and control server if your computer has previously been infected and not properly cleaned up.

What are the most common ways infection can occur?

The most common route of infection occurs when someone opens a malicious file attached to an email, normally an Adobe PDF, that begins the file encryption process.

There are also some common email subject lines that encourage people to open the email and the attached file. These subject lines cover payroll or online banking alerts, parcel delivery dockets and other subject lines.

What happens if I open CryptoLocker ransomware?

Once opened, if your device is vulnerable, the ransomware will start looking for common types of files and encrype these with a one way method that then means your data can only be unlocked after a fee has been paid for the ‘private key’.

Note: If your computer is connected to a USB drive, local backup device, network storage system or automatically backs up data to the cloud it’s also possible for CryptoLocker ransomware to move onto these systems and encrypt files there too.

If you do not have your files backed up it is often impossible to decrypt your files without paying the ransom.

How can I defend against ransomware?

To reduce the risk of your files being encrypted you need to practice good online security – this includes learning about current dangers and encouraging other people to not open suspect emails or dangerous downloads.

You should also ensure your device is kept up to date and all vulnerabilities in the operating system and software is patched. To do this, we recommend you:

  1. Install, update and use anti-virus software: Most forms of ransomware are detected by anti-virus programmes so it pays to have up to date software. Check you have paid for a subscription and/or have downloaded the latest virus definition files that help block dangerous downloads.
  2. Backup everything: It is essential that you undertake regular routine backups in case your computer cannot be cleaned and you need to undertake a system restore or rebuild. Note that crypto ransomware can also target USB drives or network shares attached to an infected computer so be careful where you store your backups.
  3. Update everything: Check Microsoft Security Bulletins and ensure your systems are fully patched against known vulnerabilities. The Java and Adobe ‘helper apps’ are a common weakness on many computers too.
  4. Health check your computer: Use our free downloadable computer security checklist to stay secure online or PC users can use the Secunia Personal Software Inspector to look for weaknesses on their machines.
  5. Alert others to prevent more attacks: Please tell colleagues, friends and family who could be impacted by a ransomware infection about ways to protect their data.

What can business owners do to protect themselves?

Small business owners should ensure staff are aware of the CryptoLocker ransomware threat. Staff should know how to verify the sender of any emails with files attached and be wary of opening attachments routinely without thinking about them first.

If you operate a network, no matter how small, consider limiting staff access to network drives and sensitive files. Double check your backup process is genuinely working and cannot be infected across the network. If patching is left to individual staff, ensure machines have working anti-virus software and are up to date.

What do I do if my computer is infected?

If the CryptoLocker ransomware screen appears it is important you limit the impact of the file encryption process. You can do this by:

  • Disconnecting your computer from the internet immediately by removing your network cable or turning off the wireless connection.
  • Disconnecting any USB storage devices or network shares and turning off any cloud backup services you may use such as Dropbox or Office 365.
  • Talking to Netsafe for help.

If you are technically confident, consider investigating the registry values for CryptoLocker and terminate the process tree (see details below).

If you have disabled the virus and cleaned up your machine, try to restore files either from your own backup process or device or using Shadow Volume Copies, available on Windows machines from XP onwards.

You could use System Restore if confident the infection has been cleaned up or consider contacting a local computer expert for assistance and advice.

Note: There is no known way to retrieve the CryptoLocker private key without paying the ransom or decrypting the files without this key.

Can I get my back? How do I pay the CryptoLocker fee?

If you do not have backups to restore from or are unable to get your data back after consulting a local expert then paying the ransom may be your only option.

There are a variety of free tools that you or your technician may want to try before considering any payment to the hacker.

Netsafe is aware that some users have paid the ransom using bitcoins and then successfully recovered their files. We’re reluctant to advise anyone to pay a ransom in this situation but we recognise that this is the only option in some situations.

If you’re considering this option, please contact us for advice on 0508 NETSAFE.

More information about CryptoLocker ransomware

File types encrypted by CryptoLocker:

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.

Registry Indicators:

The following advice is adapted from guidance published by bleepingcomputer.com and the US Department of Homeland Security and should only be used by confident computer users who understand the potential risks of modifying their computer registry. You risk damaging your machine and/or loosing more data if you are not familiar with the registry.

Delete the Registry values and files to stop the program from continuing the loading and encryption process. It is important to note that Cryptolocker spawns two processes. If you only terminate one process, the other process will automatically launch. You must use a program such as “Process Explorer” and click on the first process and select “Kill Tree”. This will terminate both processes at the same time. The encrypted data can then be restored via a backup.


HKCU\Software\CryptoLocker\Files (This key reportedly contains a list of encrypted files)

HKCU\Software\Microsoft\Windows\CurrentVersion\Run CryptoLocker = <Reference to file location>

File System Indicators:

Windows Vista and later: C:\Users\<username>\AppData\Roaming\{CLSID}.exe

Windows XP and before: C:\Documents and Settings\<username>\Application Data\{CLSID}.exe