CryptoLocker – the Pioneer

CryptoLocker – the Pioneer


  • Name: CryptoLocker
  • Other names: –
  • Apparition: 2013-09
  • Peek in popularity: 2013-11 (based on Google Trends)
  • Status: Extinct
  • Disappearance: 2014-06 (cause: Operation Tovar)
  • Distribution vectors:
    • Malspam: used massively at the beginning, then marginally with PPI
    • Pay-Per-Install: via GOZ botnet (Game-Over Zeus)
  • Affiliation program: Yes (exclusively with GOZ?)
  • Group ties: Zeus or “business club” (Slavik and co)
  • Specificities/Novelties:
    • Use of a botnet to distribute the ransomware
    • Design which inspired a great number of rivals (including Cryptowall)
    • Payment via Bitcoin
    • Infrastructure and payment sites on TOR
  • Cryptography:
    • RSA 2048 for master key
    • AES 256 for file encryption (one key per file)
  • Command and Control:
    • DGA (Domain Generation Algorithm) used
    • HTTP POST (encrypted with RSA)
  • Geo-targeting: English-speaking countries (English only ransom note)



The first recorded occurrence of CryptoLocker release into the wild was at the beginning of September 2013. Emsisoft published a blog post detailing all of this new ransomware characteristics.


During its short life, the malware didn’t evolve so much in its coding. Indicating that its author were contempt with its functionalities. Only the amount displayed increased exponentially as a function of its popularity. At first, the ransom was of 100 USD, then at the end of its life it requested 500 USD.


The malware was not seen in the wild after Operation Tovar was put into motion in May 2014.

Their main delivery method being the GOZ botnet, which was shutdown during the operation,  the CryptoLocker actors likely went underground.

As to whether these actors and the GOZ actors were the same, it’s still unknown as of today.

My opinion:

As the two actors had separate infrastructure, different ways to cash-in and different goals.

It’s possible that we’ve two different actors (with close ties).

One thing is certain though, this ransomware created a great turmoil and set a trend which has not stopped in more than three years.

Ransom notes


CryptoLocker ransom note
First recorded ransom notes


The design of the ransom notes was simple, yet sufficiently scary to entice users to pay, featuring a bright red fading background. Compared to Reveton, it is not targeting a specific audience (English only) or trying other scare techniques (IP displayed, laptop camera display).

It displayed a large logo on the left with their signature shield, as well as a timer indicating the time left to pay the ransom before the private key is destroyed.

The instruction on the right were almost clear , but indicated that the writer wasn’t a native speaker.

This design was so impacting that other malicious software groups began to copy it. Indeed, CryptoWall, one of the still-active crypto-ransomware began its career as a copycat, as well as TeslaCrypt.

Others, like TorrentLocker, simply used the name “CryptoLocker” in their ransom notes, to play on its notoriety.



To pay, victims had two main options:

  • MoneyPak (preferred payment for the Reveton ransomware): 80% of all payments
  • Bitcoin: 15% of all payments


CryptoLocker Bitcoin ransom
Display of the Bitcoin ransom note

CryptoLocker didn’t relied on external site to cash-in their victim. They simply had to enter the transaction code or the moneyPak in the same window. This was sent to a hidden server over TOR, which gave access to the decryption key.


Nowadays, crypto-ransomware only receive Bitcoin and rely on external website. We therefore see a transition from the old way of paying via cash card to a crypto currency more easily laundered and faster to cash-in.