The researchers with security technology company Bitdefender Labs revealed that more than 12,000 victims have been claimed in less than a full week by a nasty piece of malware known as CryptoLocker, which has been locking up computers with ransomware over the past couple of months.
“CryptoLocker servers are changed very often – it is rare that a command-and-control server remains online for more than a week,” according to a Bitdefender Labs post, which explains the reason for this is to avoid getting shut down by authorities. “However, once it has been reverse engineered, security researchers can pre-register the relevant domains and count connection attempts.”
Bitdefender Labs researchers did just that – they used Domain Name System (DNS) sinkholes – and learned that 12,016 CryptoLocker-infected hosts attempted to contact the “sinkholed” domains. The bulk of those connections were traced back to Internet Protocol (IP) addresses in the U.S.
“In fact, judging by the distribution of infected hosts and the payment methods available, it would seem that only systems in the US are targeted, with the rest being collateral damage,” according to the Bitdefender Labs post.
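As an added illustration of the counting step Bitdefender describes (this is not code from the article or from Bitdefender), the script below parses constructed BIND-style sinkhole query-log lines for hypothetical placeholder domains and separates raw connection attempts from the number of distinct infected hosts, which is the figure the post reports:

```python
import re
from collections import defaultdict

# Constructed sample of BIND-style query-log lines as a DNS sinkhole would record them.
# The domains and addresses are placeholders, not real CryptoLocker infrastructure.
SAMPLE_LOG = """\
01-Nov-2013 10:01:02.123 client 203.0.113.10#51234: query: abc123example.net IN A + (192.0.2.1)
01-Nov-2013 10:01:03.456 client 203.0.113.10#51235: query: abc123example.net IN A + (192.0.2.1)
01-Nov-2013 10:02:07.001 client 198.51.100.7#40000: query: abc123example.net IN A + (192.0.2.1)
01-Nov-2013 10:03:11.222 client 203.0.113.55#33333: query: www.example.org IN A + (192.0.2.1)
01-Nov-2013 10:04:15.999 client 198.51.100.7#40001: query: xyz789example.com IN A + (192.0.2.1)
"""

# Hypothetical set of domains the defender pre-registered and pointed at the sinkhole.
SINKHOLED = {"abc123example.net", "xyz789example.com"}

LINE_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_queries(log_text):
    """Yield (source_ip, queried_domain) for every well-formed query line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("qname").rstrip(".").lower()


def count_sinkhole_hits(log_text, sinkholed):
    """Return (attempts, hosts per sinkholed domain, total distinct hosts).

    Repeated lookups from one host are one infected machine, not several,
    so hosts are deduplicated by source address per domain and overall.
    """
    attempts = 0
    hosts_per_domain = defaultdict(set)
    for src, qname in parse_queries(log_text):
        if qname in sinkholed:
            attempts += 1
            hosts_per_domain[qname].add(src)
    all_hosts = set().union(*hosts_per_domain.values()) if hosts_per_domain else set()
    return attempts, {d: len(h) for d, h in hosts_per_domain.items()}, len(all_hosts)


if __name__ == "__main__":
    attempts, per_domain, total = count_sinkhole_hits(SAMPLE_LOG, SINKHOLED)
    print(f"{attempts} attempts from {total} distinct hosts; per domain: {per_domain}")
```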
CryptoLocker came on the radar in September as a trojan spreading through fake emails. The trojan infiltrates a system and then encrypts files on the user's computer and on any mapped network drives. Once it has locked the user out, it demands a MoneyPak or Bitcoin payment within three days.
Victims who pay the ransom of two Bitcoins will receive a key that unlocks their encrypted files. The key was previously destroyed 72 hours after infection, locking the files permanently, but the developers updated CryptoLocker on Nov. 1 to allow recovery beyond the allotted time at a ransom of 10 Bitcoins.
“Almost all the CryptoLocker command-and-control servers also host a public payment service through which victims can purchase decryption keys,” according to the Bitdefender Labs post.