CryptoLocker Ransomware

CryptoLocker Ransomware Description

CryptoLocker Ransomware Image 1The CryptoLocker Trojan is a ransomware infection that encrypts the victim's files. CryptoLocker may typically be installed by another threat such as a Trojan downloader or a worm. Once CryptoLocker is installed, CryptoLocker will search for sensitive files on the victim's computer and encrypt them. Essentially, CryptoLocker takes the infected computer hostage by preventing access to any of the computer user's files. CryptoLocker then demands payment of a ransom to decrypt the infected files. CryptoLocker is quite harmful, and ESG security analysts strongly advise computer users to use an efficient, proven and updated anti-malware program to protect their computer from these types of infections.

The Outrageous Fee Asked by CryptoLocker

CryptoLocker displays an alarming message when the infected computer starts up. This message demands payment of 100 USD or Euro in order to decrypt the infected files. CryptoLocker also claims that attempting to remove CryptoLocker may result in the victim's files being locked forever. The CryptoLocker ransom message reads as follows:

'Your personal files are encrypted!
Your important files encryption produced on this computer: photos, videos, document, etc. Here is a complete list of encrypted files, and you can personally verify this…
To obtain the private key for this computer, which will automatically decrypt files, you need to pay 100 USD / 100EUR / similar amount in another currency.'

To scare inexperienced computer users so that they will not take action to remove CryptoLocker, the ransom message continues by stating the following:

'Any attempt to remove or damage this software will lead to immediate destruction of the private key server.'

Why Paying CryptoLocker's Ransom is not Going to Help Your PC

There are several reasons why you should not pay CryptoLocker's ransom. You can see below some of them:

  1. There is no guarantee that paying CryptoLocker's ransom will decrypt your files.
  2. Paying this 'fee' will support malware developers, allowing them to create additional malicious content and target other computer users.
  3. Taking steps to remove CryptoLocker with a legitimate security program will not actually endanger your files or prevent you from decrypting them.

In several situations, it may be needed to use an additional decryption utility to restore your files to normal, usually from an external memory device. However, the best way to restore your files is to have a back-up at hand, a good security practice for all computer users.[tp>

Aliases: Win32/Trojan.33a, Inject2.BWZN [AVG], W32/Bitman.FO!tr [Fortinet], Trojan.Win32.Injector [Ikarus], Trojan.Win32.Qudamah.Gen.2, a variant of Win32/Injector.BXSI,, Artemis!E78654D43FCF [McAfee], Ransom:Win32/Tescrypt.A [Microsoft], Trojan[Ransom]/Win32.Bitman [Antiy-AVL], TR/Injector.502272.6, Trojan/Bitman.w, Troj/Ransom-AST [Sophos], Trojan.AVKill.36611 [DrWeb] and TrojWare.Win32.Ransom.Bitman.~NS [Comodo].

Technical Information

Screenshots & Other Imagery

CryptoLocker Ransomware Image 1 CryptoLocker Ransomware Image 2 CryptoLocker Ransomware Image 3 CryptoLocker Ransomware Image 4 CryptoLocker Ransomware Image 5 CryptoLocker Ransomware Image 6 CryptoLocker Ransomware Image 7 CryptoLocker Ransomware Image 8 CryptoLocker Ransomware Image 9 CryptoLocker Ransomware Image 10 CryptoLocker Ransomware Image 11 CryptoLocker Ransomware Image 12

File System Details

CryptoLocker Ransomware creates the following file(s):
# File Name Size MD5 Detection Count
1 %APPDATA%\Microsoft\Crypto\sysgop.exe 276,883 3c282af747b4f70340dca3170d55ae29 245
2 %APPDATA%\Microsoft\Crypto\sysjar.exe 404,513 eb2cde846127106689d14afe7911bcec 150
3 %APPDATA%\Microsoft\Crypto\syspoz.exe 237,400 1b21b27589ddc173ba795213e108a096 38
4 %APPDATA%\Microsoft\Crypto\sysras.exe 220,726 881f86bf4bb4b9f0e993b2853a0a27cf 36
5 7F9C454A2E016E533E181D53EBA113BC 846,848 7f9c454a2e016e533e181d53eba113bc 14
6 КЫРГЫЗ РЕСПУБЛИКАСЫ сейчас КЫРГЫЗСКАЯ РЕСПУБЛИКА.docx.exe 545,454 acf9873c86e35b9bee0db158befe8163 7
7 %USERPROFILE%\Desktop\????? ?????\план части.docx.exe 305,099 bac4daf1ba563a5fdd01691441cedc9b 6
8 04fb36199787f2e3e2135611a38321eb 346,112 04fb36199787f2e3e2135611a38321eb 2
9 %USERPROFILE%\Desktop\Тесты по модулю Пищеварительная система для студентов 2-курса факультета лечебное дело.docx.exe 3,998,800 49115ff6fe4016169c24ff3783010321 1
10 E:\?? ?????????\Выписка из Протокола.docx.exe 296,581 06dbb0786866ec652b12ddfcc204a735 1
11 1d078f7168bd934908c48a33d8262b148640b67d0ab541ba117289233ee3a529.exe 204,916 251205f74931cdb80ad777ede58f2db2 1
12 220f5c315444e42553d6fac303ffc5b7e64981531b8071cf8ea611ea0e28543c.exe 237,684 cbdd1888c654c75810f9b00b27ec983c 1
13 3f157f579ada48b242e266c79ae23d4d718f8088979e549b33da3d694428bc77.exe 258,164 01209e975636fce1ee46b478ea8f1be7 1
14 488bbe6561723a37f6d16f217c4d95743ef23a9c8114af7ba8ccfdf22b12098d.exe 237,684 75bcebb2c5f72a80d31ecf66d7123634 1
15 5a3db1b897d89c616bf092553c05017e85fe904054f0fc060abf1bf8d9ba549f.exe 278,644 e7505809c814eb31fac9d8c44ac1d1ed 1
16 9d69a762a2e6f30af6b228ce99997f12be086e75a26a43f1b04436562fe93154.exe 258,164 593a053f756b22ced53daeb280be7a9a 1
17 aaffb5ebce953607389b8cc994091c7501edf33fe9952bf3440428dd4fd6f6d4.exe 237,684 6dbafa1c6c0879e652fa6aa5af489bbb 1
18 bdbf23021a8e97e4f327f40e3ab32e2015531a36d296f16387e860ec470c5702.exe 204,916 f69bdf61597fb32178967a1ccbaeb5ed 1
19 cab632fca64fc77a1f55168ad94561a8e98e47a6b27adcb5419e81fee90c959b.exe 237,684 8a3a3256e0a6916812d559f745775a89 1
20 cc9981e200e16cbcd07ed65cace21d4d3231e5f5692d3f3514dd3a4ae3fcec38.exe 204,916 852ba82c79a2f0866d32385ddbf543d4 1
21 ef364eaaaa0eafb0c2b07ce81155747e8ba94765936ffbddf898aeebea8d974c.exe 237,684 406631a8efc352d7c52766494c91a9d2 1
22 f4c355cb4edbd3ed33d72ffa40f8eff7db75bf0f5bbb05ba879485c18cb8e93e.exe 237,684 d7da5ca5ab0918d4ab5e0d93ef141b95 1
23 ff840253612375a5d1427bfe87ecdf70a8c809566dc74a21f63ee33e43108b3f.exe 212,394 3af29be2ef52803e26a8f0c1b57f0cbc 1
24 829DDE7015C32D7D77D8128665390DAB 257,024 829dde7015c32d7d77d8128665390dab 1
26 %UserProfile%\[RANDOM CHARACTERS].exe N/A
27 eb5eb336636e3f6cacf6c8db6bf4ea00 604,410 eb5eb336636e3f6cacf6c8db6bf4ea00 0
More files

Registry Details

CryptoLocker Ransomware creates the following registry entry or registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS]"

Related Posts

Site Disclaimer is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.


  • Ray:

    The ransom is now $300.

  • kishore:

    my machine has been attacked by the Cypto Locker ransomware, i remove but cannot open any files can you please help me how to decrypt these files

  • Harry Blazier:

    I have traced this malware to this file. PendingRename. This file will not allow me to remove/delete. Every time this file is regenerated, a new rename file appears. I have also used Hitman, and defender. Nothing has even found this problem. 2 days of tracking has led me to this finding!

  • Orval:

    I defeated a cryptolockup by rebooting from a cold start in safe mode, starting control panel and selecting Restore to an earlier but recent date. Worked for me.

  • MIchael Keller:

    I was hit with the Cryptolocker virus last fall. I have since removed it but the files are still encrypted. This includes many family pictures etc. it is this format: img 0862.jpg 1478 kb ebgwwxc file
    I have tried to use Pandaware ransomware to decrypt but it isn't working.

  • seymour:

    Just attacked our computer systems in the UK pretended from HSBC bank , sadly it was opened and hey presto system damaged. Recommend everyone to take a hard back up copy each month so you have something to go back to.

  • Danos:

    Make sure that ALL your backup drive(s) and/or Folders/directories are password protected. If not then Cryptolocker will attack your backups as well. If they are password protected they cannot be touched. It is important to do this, otherwise you may be unpleasantly surprised that your backups are non-recoverable.

  • Scott:

    I have a memory card that has a file of images blocked with CRYPTO BLOCKER. The files were never on the hard drive, only the memory card. Three computers I have put the memory card into register close to 900MB of data. This seems like too much data for the virus to have removed all the files from the card. Is there anyone who has had REAL success in decrypting these CRYPTO BLOCKER files?? Why is there so much data still reading on the card if the files are gone!?! Are there any memory card data recovery programs available? I am willing to pay a certain amount of money to someone who can demonstrate success in opening these files.Serious inquiries only please…

  • Andrew Wilson:

    On July 30 @ 7:30 PST i turned on my screen to find a note that said "oh no.. what happened to all your files & folders?"
    Not knowing what this was, I closed the page and restarted my computer.
    When it restarted I noticed it was not a good thing, EVERY DRIVE in my computer (4) was encrypted, and i must pay $500.00 USD (in Bitcoins) and they would send me a "secret key" to unlock.
    Needless to say, i have THOUSANDS of vacation photos, wedding, grad photos on their. LUCKY for me i have these saved "in the cloud" but all my personal email folders, word documents and my small business data is all done.
    Is it worth sending the money and "hope" i get the secret key back and support these (*)-holes and fund their multi million dollar fund. NO
    After speaking with my local NCIX computer store and reading & (trying) the solves on from You Tube i decided to kill all my drives and have a TALL drink and lick my wounds.
    Just thought i would share my story
    Andrew (Vancouver, BC, CANADA)

  • Scott:

    My father was conned today by these scum bags the going rate (22.9.15) is $500AUD.He received a cold call phone call informing him he had a virus on his computer.

    I just happened to drop in just as they were going to begin installing the malware and begin encrypting his files. Credit card stopped.

    I cannot believe in this day and age people are still getting done by these scum.

  • Bob:

    In Australia my pc has been infected and the price to get the key is now over $1200 AUD

  • Stuart Hart:

    I have suffered a CryptoLocker attack. Are you able to assist?

    Booking Form - SHS Accommodation.pdf.encrypted
    Property List.docx.encrypted

  • tsai:

    My PC be attacked by the Crypto Locker ransomware on Dec.13,2015. Though I had deleted the ransomware and PC can work normally, All the saved file become JPG. v.v.v., doc.v.v.v., - - .I can not open those v.v.v.file. Could you please advise me how to decrypt these files?

  • Bobbie:

    The ransom demanded from me was $700 USD. I am retired and on social security so obviously can not afford to pay these horrible people. I let the Crypto virus in on my computer by foolishly clicking on a pop-up request to update my Adobe Flash player. I understand that Java pop-ups can also be fakes as well. Just wanted to put that out there. I lost years of work I had done on a Genealogy project. I had backed up a lot of info on flash drives, but certainly not all of it. Makes me sick how these people can get away with this. Lost hundreds of photos and several thousand music files.

  • Marjolein:

    Just got the virus and it has encrypted all my photos and the ransom they are asking is 700 US Bitcoin dollars, makes me sick.

  • babarakos:

    mes fichiers sont infectés je ne sais plus les ouvrir ils me demandent une rançon

  • Fred:

    Here everything changed into .mp3
    i am not going to pay these idiotic and corrupt hackers.

    I have a good backup plan, only 3 days of work lost.

  • Dr Dik:

    Got the virus, demanded 3BTC which is over €1,000. Can't risk it not working. Lost half a novel.

  • jess:

    ive got encripted files and had to format my mac cos i got infected with paralels,how caan i restore my videos

  • LB:

    You cannot decrypt encrypted files.
    You must restore them from your backup.
    You do have a backup??
    If not. Pay and hope they will decrypt them or say goodbye to your files.
    And by the way, you should never use the computer normally with an account that has installation privileges. Change to an account with higher privileges ONLY when you need to install something.

  • Negamaluka:

    I was hit with the Aira crop encrypted , and everything was renamed, do you know something or some key for this? It seems a new virus and I don't find any information about, someone can help?

  • Prem:

    Infected overall data from ransomeware virus its encrypted the files .9fd2 and .cyber2 and file name also convert xydx6 like that please give solution for fixing it .

  • kenneth:

    all of my files has been encrypt please help me how to descrypt

  • ash:

    I have been working on a novel which is due for publishing and doing nights on the final touches. Half way through the book-everything on word and pics have been locked. We are in Malaysia- ransomed asked not known how much but should be high.Any help? I guess it would be taking the hardrive and reformatting as we do not know if the key would work if paid. what a bummer!

  • MD Ali Jan:

    cyptolocker attack on my notebook Date 29-04-2017. i lost every thing over 500GB of Data.I search every thing no solution find. anybody please help me i am very disturb.

  • Sathish:

    Infected overall data from ransomware(wannadecryptor.exe)virus its encrypted the files .file format name also convert WCRY like that please give solution for fixing it.

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.