CryptoLocker Ransomware

CryptoLocker Ransomware Description

CryptoLocker Ransomware Image 1The CryptoLocker Trojan is a ransomware infection that encrypts the victim's files. CryptoLocker may typically be installed by another threat such as a Trojan downloader or a worm. Once CryptoLocker is installed, CryptoLocker will search for sensitive files on the victim's computer and encrypt them. Essentially, CryptoLocker takes the infected computer hostage by preventing access to any of the computer user's files. CryptoLocker then demands payment of a ransom to decrypt the infected files. CryptoLocker is quite harmful, and ESG security analysts strongly advise computer users to use an efficient, proven and updated anti-malware program to protect their computer from these types of infections.

The Outrageous Fee Asked by CryptoLocker

CryptoLocker displays an alarming message when the infected computer starts up. This message demands payment of 100 USD or Euro in order to decrypt the infected files. CryptoLocker also claims that attempting to remove CryptoLocker may result in the victim's files being locked forever. The CryptoLocker ransom message reads as follows:

'Your personal files are encrypted!
Your important files encryption produced on this computer: photos, videos, document, etc. Here is a complete list of encrypted files, and you can personally verify this…
To obtain the private key for this computer, which will automatically decrypt files, you need to pay 100 USD / 100EUR / similar amount in another currency.'

To scare inexperienced computer users so that they will not take action to remove CryptoLocker, the ransom message continues by stating the following:

'Any attempt to remove or damage this software will lead to immediate destruction of the private key server.'

Why Paying CryptoLocker's Ransom is not Going to Help Your PC

There are several reasons why you should not pay CryptoLocker's ransom. You can see below some of them:
  1. There is no guarantee that paying CryptoLocker's ransom will decrypt your files.
  2. Paying this 'fee' will support malware developers, allowing them to create additional malicious content and target other computer users.
  3. Taking steps to remove CryptoLocker with a legitimate security program will not actually endanger your files or prevent you from decrypting them.

In several situations, it may be needed to use an additional decryption utility to restore your files to normal, usually from an external memory device. However, the best way to restore your files is to have a back-up at hand, a good security practice for all computer users.
Aliases: Win32/Trojan.33a [Qihoo-360], Trojan/Bitman.w [Jiangmin], TR/Injector.502272.6 [Avira], Trojan[Ransom]/Win32.Bitman [Antiy-AVL], Ransom:Win32/Tescrypt.A [Microsoft], Artemis!E78654D43FCF [McAfee], [Baidu-International], a variant of Win32/Injector.BXSI [ESET-NOD32], Trojan.Win32.Qudamah.Gen.2 [Tencent], Trojan.Win32.Injector [Ikarus], W32/Bitman.FO!tr [Fortinet], Inject2.BWZN [AVG], Troj/Ransom-AST [Sophos], Trojan.AVKill.36611 [DrWeb] and TrojWare.Win32.Ransom.Bitman.~NS [Comodo].

Infected with CryptoLocker Ransomware? Scan Your PC for Free

Download SpyHunter’s Spyware Scanner
to Detect CryptoLocker Ransomware

Security Doesn't Let You Download SpyHunter or Access the Internet?

Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow to download SpyHunter and gain access to the Internet:
  • Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, you should open Firefox, Chrome or Safari browser instead.
  • Use a removable media. Download SpyHunter on another clean computer, burn it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter's malware scanner.
  • Start Windows in Safe Mode. If you can not access your Window's desktop, reboot your computer in 'Safe Mode with Networking' and install SpyHunter in Safe Mode.
  • IE Users: Disable proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.

If you still can't install SpyHunter? View other possible causes of installation issues.

Technical Information

Screenshots & Other Imagery

CryptoLocker Ransomware Image 1 CryptoLocker Ransomware Image 2 CryptoLocker Ransomware Image 3 CryptoLocker Ransomware Image 4 CryptoLocker Ransomware Image 5 CryptoLocker Ransomware Image 6 CryptoLocker Ransomware Image 7 CryptoLocker Ransomware Image 8 CryptoLocker Ransomware Image 9 CryptoLocker Ransomware Image 10 CryptoLocker Ransomware Image 11 CryptoLocker Ransomware Image 12

Infection Statistics

Our MalwareTracker shows malware activity across the world. Explore real-time data of CryptoLocker Ransomware outbreaks and other threats from global to local level.

File System Details

CryptoLocker Ransomware creates the following file(s):
# File Name Size MD5 Detection Count
1 %APPDATA%\WinXdd\winxddwp.jpg 81
2 %APPDATA%\WinXdd\winxdd.exe 80
3 %PUBLIC%\WinTmt\wintmt.exe 290,816 691dd5160d6d9101f68b4a5842890a7f 42
4 %WINDIR%\icagubuz.exe 286,720 da1e4e22f1f7d3238e2ccc01388c2b21 14
5 %SystemDrive%\8d57c76f\8d57c76f.exe 171,008 b2cd3654231a0ba47e405bc99edfc736 5
6 %WINDIR%\iqosaqop.exe 465,920 00cb45c4efd4053cef8bb8567dc0638e 2
7 %WINDIR%\ufegapoj.exe 286,720 fe45e7e6c10b4671514182a2809b7d02 2
8 %APPDATA%\uixjlub.exe 502,272 e78654d43fcfeaf6c1c06b3ce4bb3712 2
9 %WINDIR%\ykyrixgd.exe 762,368 1674ea64057d7c196dc16260b45af752 2
11 %UserProfile%\[RANDOM CHARACTERS].exe N/A

Registry Details

CryptoLocker Ransomware creates the following registry entry or registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS]"

Site Disclaimer


  • Stuart Hart:

    I have suffered a CryptoLocker attack. Are you able to assist?

    Booking Form – SHS Accommodation.pdf.encrypted
    Property List.docx.encrypted

  • Bob:

    In Australia my pc has been infected and the price to get the key is now over $1200 AUD

  • Scott:

    My father was conned today by these scum bags the going rate (22.9.15) is $500AUD.He received a cold call phone call informing him he had a virus on his computer.

    I just happened to drop in just as they were going to begin installing the malware and begin encrypting his files. Credit card stopped.

    I cannot believe in this day and age people are still getting done by these scum.

  • Andrew Wilson:

    On July 30 @ 7:30 PST i turned on my screen to find a note that said "oh no.. what happened to all your files & folders?"
    Not knowing what this was, I closed the page and restarted my computer.
    When it restarted I noticed it was not a good thing, EVERY DRIVE in my computer (4) was encrypted, and i must pay $500.00 USD (in Bitcoins) and they would send me a "secret key" to unlock.
    Needless to say, i have THOUSANDS of vacation photos, wedding, grad photos on their. LUCKY for me i have these saved "in the cloud" but all my personal email folders, word documents and my small business data is all done.
    Is it worth sending the money and "hope" i get the secret key back and support these (*)-holes and fund their multi million dollar fund. NO
    After speaking with my local NCIX computer store and reading & (trying) the solves on from You Tube i decided to kill all my drives and have a TALL drink and lick my wounds.
    Just thought i would share my story
    Andrew (Vancouver, BC, CANADA)

  • Danos:

    Make sure that ALL your backup drive(s) and/or Folders/directories are password protected. If not then Cryptolocker will attack your backups as well. If they are password protected they cannot be touched. It is important to do this, otherwise you may be unpleasantly surprised that your backups are non-recoverable.

  • seymour:

    Just attacked our computer systems in the UK pretended from HSBC bank , sadly it was opened and hey presto system damaged. Recommend everyone to take a hard back up copy each month so you have something to go back to.

  • MIchael Keller:

    I was hit with the Cryptolocker virus last fall. I have since removed it but the files are still encrypted. This includes many family pictures etc. it is this format: img 0862.jpg 1478 kb ebgwwxc file
    I have tried to use Pandaware ransomware to decrypt but it isn’t working.

  • Orval:

    I defeated a cryptolockup by rebooting from a cold start in safe mode, starting control panel and selecting Restore to an earlier but recent date. Worked for me.

  • Harry Blazier:

    I have traced this malware to this file. PendingRename. This file will not allow me to remove/delete. Every time this file is regenerated, a new rename file appears. I have also used Hitman, and defender. Nothing has even found this problem. 2 days of tracking has led me to this finding!

  • kishore:

    my machine has been attacked by the Cypto Locker ransomware, i remove but cannot open any files can you please help me how to decrypt these files

  • Ray:

    The ransom is now $300.

Leave a Reply

IMPORTANT! To be able to proceed, you need to solve the following simple math.
Please leave these two fields as-is:
What is 5 + 2 ?