According to new research, the Cryptolocker malware has infected 250,000 PCs in just 100 days, potentially earning the gang behind the ransomware millions.

CryptoLocker Ransomware Trojan Bitcoin Payment Page
The CryptoLocker Ransomware holds your files to ransom unless you pay two Bitcoins before the time limit of 72 hours. After that, it costs 10 Bitcoins.

Research by Dell Secureworks Counter Threat Team (CTU) has shown that the cyber-criminals behind the CryptoLocker ransomware have successfully infected up to 250,000 systems and are mainly targeting victims in the US and UK.

Based on the number of systems contacting a server set up specifically by Dell Secureworks soon after the emergence of CryptoLocker in September, researcher Keith Jarvis puts the number of infected systems globally at between 200,000 and 250,000.

The Cryptolocker ransomware works by encrypting a user's hard drive and the only way to un-encrypt and regain access to the files is to pay a ransom within 72 hours.

If the ransom isn't paid, the files are permanently locked with no way of ever accessing them again - though recently the criminals behind the malware have added a late payment option for a much higher price.


In his report, Jarvis estimates that on a very conservative basis just 0.4% of victims have paid the ransom since CryptoLocker appeared four months ago.

The average ransom paid is around $300 (£183) and combining these figures with the number of systems infected, means that the crooks behind CryptoLocker will have earned somewhere in the region of $300,000 in just 100 days.

However this figure could be many times larger as Jarvis says the 0.4% estimate is a "minimum" and is "very likely many times" more than this, meaning potential earnings could already be in the millions for the gang operating CryptoLocker.

Jarvis adds: "Based on the duration and scale of attacks, [the gang behind CryptoLocker] also appear to have the established and substantial "real world" infrastructure necessary to 'cash out' ransoms and launder the proceeds."

Earliest samples

The earliest known samples of CryptoLocker were released on the internet on 5 September. The early samples were sent through spam emails targeting business professionals with a lure of a "consumer complaint."

In October the method of delivery changed when the researchers monitoring the ransomware noticed it was being distributed by the Gameover Zeus malware, in some cases via the renowned Cutwail bonnet.

This method of distributing malware is typical among cyber-criminals in Russia and easter Europe, and was one of the indications that the creators of CryptoLocker came from this region.

The other was the use of "bullet-proof" hosting services located throughout Russia and eastern Europe which the reports says are "indifferent to criminal activity on their networks or are complicit in its execution."

CryptoLocker is wholly controlled and operated by a single crew

Speaking to The Register, Jarvis said:

"The majority of command and control servers hosting the CryptoLocker malware are located in the Russian Federation or the former Eastern bloc states, showing a knowledge of these infrastructure providers, and it is evident from the messages alerting the victims that English is not the CryptoLocker Group's first language.

Jarvis added that unlike much of the malware in use by criminals today, CryptoLocker is not currently being sold to anyone other criminal gangs:

"We think it is wholly controlled and operated by a single crew, and not bought and sold on the underground."

This means a single group of cyber-criminals has made a lot of money in a very short period of time.

Delivery method

As well as changing the way the ransomware is spread, the creators of CryptoLocker have also changed the way payment is made.

When it was first released, CryptoLocker looked for payment of around $100 from victims to unlock the contents of the hard drive, but this soon escalated and settled around the $300.

The criminals behind the scheme also initially offered a large variety of ways for users to pay, including Paysafecard, CashU and Ukash, they now only accept MoneyPak and bitcoin.

MoneyPak is only available in the US and as it is a lot easier to process, it the main way people there pay the ransom. However outside the US, bitcoin is the main payment method as it is the only option available.

Initially the criminals were demanding 2 bitcoins in payment, but with the huge surge in bitcoin pricing, this was quickly cut to 1 bitcoin, 0.5 bitcoin and at the time of publication, 0.5 bitcoin.