The attackers behind the new version of the Crypt0L0cker ransomware seem to never get sleepy, bored or tired of their underground business. Although the name coincides with the above slang word, the ransom Trojan in question is very vigorous.
The infection uses a mix of RSA-2048 and AES-128 ciphers to lock down one’s important files beyond recovery. Then, it randomises filenames, appends random ышч lower alphabetic characters extension to all the encoded entries, and blackmails the victim for money otherwise the data will stay inaccessible.
The attack process looks really scary. The perpetrating code replaces the original desktop wallpaper with a dark warning image and also expresses its demands via ransom notes called -Instruction.bmp and -Instruction.html. The victim is told to download and install Tor Browser, a web navigation tool that provides traffic anonymity.
The next step is to visit a personal Tor page called Crypt0L0cker Decryptor, which elaborates on the terms for recovery. The ransom must be paid in Bitcoins and usually amounts to 0.5 BTC. Once the transaction is confirmed, the automatic decrypt tool is supposed to become available. No matter how ironical it may sound, a lot of people cannot afford the luxury of redeeming their proprietary files for money.
Users are much better off staying away from the Crypt0L0cker ransomware. How? It’s easy – do not click suspicious stuff on the Internet. All the Crypt0L0cker variants arrive with spam delivered over email or social networks. If you receive an attractive job offer from unknown organisation, an invoice, a suspicious ISP complaint or similar, stay away from the JS, HTA or SVG attachments. Also, make sure you have a plan B in case of a ransomware attack, so keep your most precious data backed up.