Two cryptolocker ransomware cases in two days

By Brian Gill

Update: September 18, 2015

Although this post is nearly two years old, crypto viruses are still running rampant on the internet. Normally, computers are infected when a user opens a suspicious email or downloads otherwise questionable material containing the virus. Since there are still victims of the virus out there paying the ransom to regain access to their files, criminals are continuing to create copycat variations of the virus and prey on users around the world. This lucrative criminal industry has spread to mobile devices as well. Our CEO Brian Gill wrote this post, and it’s still applicable today. Read on to learn more about how the viruses work.


Interesting 24 hours here at Gillware. Yesterday we had a cloud-backup customer whose computer was infected with CryptoLocker ransomware.

The virus targets important-looking file extensions (doc(x), xls(x), jpg, etc.) and appears to fully encrypt the contents with some flavor of AES. It doesn’t rename the extensions to .rar, .exe, .aes or .html the way some previous ransomware variants did. Because the files are encrypted in place, every affected file kept its name and extension but had its contents replaced with ciphertext, and our backup solution dutifully uploaded the changed files as new revisions of each and every one. So when the customer downloaded from the cloud they got a little panicked, because what came down was the same encrypted gibberish as the data on their computer. The crisis was easily averted, though: our solution keeps up to five revisions of any file by default (or more if the customer wants), so our tech staff just walked them through pulling down revision N-1 and they were good to go.

Unfortunately, the second time we saw this (today) was while attempting a data recovery on a large Buffalo TeraStation; these folks weren’t protected by our cloud. We went through our normal data recovery process: cloning all the drives, working out the parity, rotation, stripe size and offsets, determining the physical and logical volumes, and finally the file system (XFS for the data volume). All of the PDFs were fine (our software’s file system consistency check passed 100% of them), but 100% of the OLE2 data types, other office types and picture types were fully encrypted. It’s never fun telling a customer that hundreds of thousands of documents are unrecoverable, at least for now.

The customer is attempting to locate which one of the hundreds of desktops with access to this share was the root cause of the problem. With any luck they’ll find it and get it to us; we have to hope there’s shrapnel of the encryption key on that box somewhere that we can use to untwist all these files. From reading some posts on the subject, supposedly you can pay 100 bucks through some shady payment system and it’ll give you a utility to perform the decrypt somehow. We’re making multiple copies of all this data for them so they can at least contemplate trying that if they choose to.

There are a bunch of lessons to be learned here. First, of course, is to have automated, strong backups. Second, make sure that backup keeps a revision history. Third, anti-malware is critical to a small business… but the malware protection suites are always one step behind. Fourth, IT admins should be looking at ways of monitoring for massive numbers of changed files within a short time frame. Perhaps Open Source Tripwire® would have saved the day here, at least partially.
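The two signals this story points at are (a) files that keep their extension but no longer start with the signature their type promises and look like ciphertext (the PDF-versus-OLE2 split above), and (b) a burst of modified files inside a short window. The check below is an added example written for this post, not Gillware’s tooling or Tripwire; the signature table is built from public file formats and the entropy and burst thresholds are placeholders to tune per environment.

```python
import math
import os
from collections import Counter

# Leading bytes (file signatures) for the types the post says were targeted.
# Table constructed for this example: in-place encryption keeps the extension
# but destroys the signature, which is what the check keys on.
MAGIC = {
    ".pdf": b"%PDF",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # OLE2 compound document
    ".xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".docx": b"PK\x03\x04",                         # OOXML is a zip container
    ".xlsx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, plain text and OLE2 well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(name: str, head: bytes, threshold: float = 7.5) -> bool:
    """Flag a file whose extension promises a known signature, the signature is
    gone, and the bytes are near-random. No signature plus low entropy is
    ordinary corruption or a mislabelled file, not encryption, so it passes."""
    sig = MAGIC.get(os.path.splitext(name)[1].lower())
    if sig is None or head.startswith(sig):
        return False
    return shannon_entropy(head) >= threshold

def suspicious_files(files, head_len: int = 4096) -> list:
    """files: iterable of (name, content). Only the first head_len bytes are
    examined, so a whole share can be walked cheaply."""
    return [name for name, data in files if looks_encrypted(name, data[:head_len])]

def mass_change_alert(mtimes, window_s: int = 600, max_changes: int = 200) -> bool:
    """True if more than max_changes files were modified inside any window_s
    span (sliding window over sorted mtimes): the 'massive amounts of changed
    files in a time-frame' signal. Thresholds are placeholders."""
    ts = sorted(mtimes)
    start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window_s:
            start += 1
        if end - start + 1 > max_changes:
            return True
    return False
```

Feed `suspicious_files` the (name, first bytes) pairs from a walk of the share and `mass_change_alert` the modification times from the same walk; either firing is the cue to pull the share offline before the backup rotates the good revisions out.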


Your important files encryption produced on this computer: photos, videos, documents. etc. Here is a complete list of encrypted files, and you can personally verify this.

Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.

The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files…

To obtain the private key for this computer, which will automatically decrypt files, you need to pay 100 USD / 100 EUR / similar amount in another currency.

Click to select the method of payment and the currency.

Any attempt to remove or damage this software will lead to the immediate destruction of the private key by the server.


CEO at Gillware, Inc.
After a successful IT consulting career I founded Gillware Inc. in Madison, WI to provide data recovery services from failed electronic media. Gillware is now one of the world's most successful data recovery labs, currently recommended by Dell and Western Digital.


  Comments: 5

  1. Excellently written description of this malware ransom. We just went through this 2 days ago. I do believe that there is some algorithm that determines the amount of data that is going to be encrypted, and the ransom fee is based on that number; ours was $300.

    We removed the infection, but were left with encrypted files. I actually think we got lucky from the standpoint that a website was provided to re-create the malware so that we could pay the hostage fee and get access to our data. It took about 2 hours for them to collect on the no-tell credit card and approximately 13 hours to decrypt all of the files. I am reasonably certain that a copy of our files is being reviewed by the crooks for additional stealing.

    • Our business just got hit and our production data has been recovered, but there was one share with some clinical data with no backups. From all I read, the crooks just take your money and do not provide you with a key… Can I contact you, or can you email me? Also, there was no evidence that our data was transferred out of our server. There was over 300 Gig that was infected; our backups saved the day, but we must have some of our staff come in and enter data all weekend. Thanks.

  2. One of my business customers was attacked by cryptolocker and we saw, fairly quickly, that paying the $300 ransom was the fastest and cheapest way out of this jam.

    From just about every report I have heard it was a business that was hit.
