As you might remember, Cryptolocker is aimed at organisations rather than home users: it encrypts the file types most likely to be crucial for organisations (office files, digital certificate files, AutoCAD files, etc.), and the email campaigns delivering it support that theory.
"For each file matching one of these patterns, the malware will generate a new 256 bit AES key. This key will then be used to encrypt the content of the file using the AES algorithm," the researchers explained when the malware was first discovered.
"The AES key is then encrypted using the unique RSA public key obtained earlier. Both the RSA-encrypted AES key and the AES-encrypted file content, together with some additional header information, are then written back to the file. Last but not least, the malware will log the encryption of the file within the HKEY_CURRENT_USER\Software\CryptoLocker\Files registry key. This key is later used by the malware to present the list of encrypted files to the user and to speed up decryption."
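The scheme the researchers describe is textbook hybrid (envelope) encryption: a per-file symmetric key does the bulk work, and an asymmetric key locks that symmetric key. The example below is added here to illustrate it; it is not the malware's code and not the researchers' own material. Everything about the container layout (the `HYBRID01` marker, wrapped key followed by nonce and body), the choice of AES-GCM and RSA-OAEP, and the sample document are this example's assumptions, since the page only says "AES" and "RSA" and does not document the real file format. Working entirely in memory, it shows why a file wrapped this way cannot be recovered on the affected machine: the per-file key exists in the clear only for the moment of encryption, and only the matching RSA private key, which never leaves the attackers' side, can unwrap it again.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Constructed header marker; the whole container layout here is an assumption.
var magic = []byte("HYBRID01")

// Constructed stand-in for an "office file" on the affected host.
var sampleDoc = []byte("Q3 invoice register - constructed sample document")

// newGCM builds the AES-256 AEAD for the file body (this example's choice; the page only says "AES").
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// wrapFile models the described scheme: a fresh 256-bit AES key per file, the body
// encrypted under it, that key encrypted with the RSA public key, all emitted as one blob.
func wrapFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, 32) // 256-bit key, generated fresh for every file
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Only the holder of the matching RSA private key can recover fileKey from this.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	out := append([]byte{}, magic...)
	out = append(out, wrapped...) // OAEP output is exactly pub.Size() bytes
	out = append(out, nonce...)
	// The header is bound as associated data, so tampering with it is detected.
	return gcm.Seal(out, nonce, plaintext, magic), nil
}

// unwrapFile is the recovery side: without priv, the per-file AES key stays locked in the blob.
func unwrapFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	keyLen := priv.Size()
	if len(blob) < len(magic)+keyLen || string(blob[:len(magic)]) != string(magic) {
		return nil, errors.New("not a wrapped file")
	}
	pos := len(magic)
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[pos:pos+keyLen], nil)
	if err != nil {
		return nil, err // a wrong or unrelated private key fails here
	}
	pos += keyLen
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	if len(blob) < pos+gcm.NonceSize() {
		return nil, errors.New("truncated file")
	}
	nonce := blob[pos : pos+gcm.NonceSize()]
	return gcm.Open(nil, nonce, blob[pos+gcm.NonceSize():], magic)
}

// roundTrip generates a key pair (standing in for the per-system pair the article says is
// held on the C&C server), wraps sampleDoc, recovers it with the matching private key,
// and confirms that an unrelated private key is rejected.
func roundTrip() (recovered []byte, wrongKeyRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	blob, err := wrapFile(&priv.PublicKey, sampleDoc)
	if err != nil {
		return nil, false, err
	}
	if recovered, err = unwrapFile(priv, blob); err != nil {
		return nil, false, err
	}
	_, wrongErr := unwrapFile(other, blob)
	return recovered, wrongErr != nil, nil
}
```

The point for defenders is in `roundTrip`: the matching private key recovers the document, an unrelated 2048-bit key does not, and nothing left on the affected host (the public key, the wrapped key, the ciphertext) shortens that search. Recovery therefore depends on either the attackers' key or an independent copy of the data.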
Unfortunately for the users, the RSA public key created for their system is only known to the attackers, as it’s stored on the C&C server the malware uploaded it to, and the users are asked to pay 300 dollars/euros (or 2 Bitcoins) in order to receive it. The offer usually stands for 72 hours, after which, the crooks claim, the key is deleted forever.
But, according to Paul Ducklin, that might have been an empty threat, as the crooks have now set up a CryptoLocker Decryption Service where victims can upload one of their encrypted files and wait for the criminals to notify them whether their key can be found. If it can, the victim will have to pay an even greater price: 10 Bitcoins (currently around $2,220).
Whether this “service” actually works, and whether the crooks will send the key if the victim decides to pay, is unknown. The best mitigation against the adverse effects Cryptolocker, and ransomware in general, can have on your computer is still to regularly back up your critical files.