What is CryptoLocker
CryptoLocker is the latest frontier of online extortion: a very dangerous piece of ransomware (literally "ransom virus"). The technique of using viruses and malware to "hijack" a computer and demand a ransom is not new (it is roughly thirty years old, since the first such attack dates back to 1989), but this particular strain appeared in 2013. Its peculiarity is its ability to infect Windows systems and, in a short time, encrypt a large share of the files and data on the infected computer, then demand a ransom to decrypt them.
OPERATION:
E-mail is the criminals' favourite channel. Cyber criminals run increasingly elaborate phishing campaigns to deceive users and "push" them into downloading the ransomware and running it on their computer. As in any other phishing campaign, the malware propagates by e-mail, spreading across the web and exploiting the address books of computers that are already infected. It therefore arrives as a seemingly harmless e-mail attachment that appears to come from a legitimate institution or a known contact: a ZIP file containing an executable disguised with a PDF icon and a double extension such as "invoice.pdf.exe" (Windows hides the final extension by default, so the file looks like a PDF). On the first run, that is, when the icon is clicked, the malware installs itself on the computer under a random name and adds a registry key that starts it automatically at boot. The malicious software then connects to its command and control server, which generates a 2048-bit RSA key pair and sends only the public key to the infected computer; the private key needed for decryption never leaves the attackers' server.
The malware then begins encrypting files on the hard disk, recording the name of each encrypted file in a registry key. It targets files by extension, mainly documents and data (Office and OpenDocument files, images, AutoCAD drawings and other documents). At this point it notifies the user that their files have been encrypted and demands a ransom payment, by anonymous prepaid voucher or in Bitcoin, to decrypt them. The ransom must be paid within 72 or 100 hours, depending on the version; otherwise, the criminals claim, the private key will be permanently deleted and nobody will ever be able to restore the files. Payment is supposed to give the infected user a decryption program containing the unlock key, but there is no guarantee that paying will actually get every file back, since you never know who you paid. Note also that removing CryptoLocker does not undo the damage: files that have already been encrypted stay encrypted.
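The key-handling step described above is what makes the files unrecoverable without the attackers' cooperation. The following Go program is an added example, not CryptoLocker's code or anything from this page: it models the hybrid scheme in which a server-side RSA-2048 key pair wraps a fresh per-file AES key, with only the public key ever reaching the victim. The type and function names, the choice of AES-GCM and RSA-OAEP, and the sample document are assumptions made for the demonstration (the page only states that a 2048-bit RSA key is generated on the command and control server).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is what remains on the victim's disk after the encryption pass.
// The layout is an assumption for this example, not CryptoLocker's on-disk format.
type EncryptedFile struct {
	WrappedKey []byte // 32-byte AES key encrypted with RSA-OAEP; only the private key unwraps it
	Nonce      []byte // AES-GCM nonce, stored in clear
	Ciphertext []byte // file contents under AES-GCM
}

// NewAttackerKeyPair stands in for the command and control server: the private half
// never leaves it, and only the public half is handed to the infected machine.
func NewAttackerKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// EncryptFile plays the malware's role on the victim. It holds only the public key,
// so after this call nothing on the machine can recover the plaintext.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32) // fresh AES-256 key per file
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// DecryptFile plays the role of the decryption tool handed over after payment: it needs
// the attackers' private key to unwrap the per-file AES key; any other key fails.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Scenario runs the whole exchange on one constructed document and reports whether the
// attackers' private key recovers it and whether an unrelated private key is rejected.
func Scenario() (recovered bool, wrongKeyRejected bool, err error) {
	document := []byte("constructed sample: quarterly invoices and AutoCAD drawing index")
	attacker, err := NewAttackerKeyPair(2048)
	if err != nil {
		return false, false, err
	}
	victimSide := &attacker.PublicKey // all the infected host ever receives
	ef, err := EncryptFile(victimSide, document)
	if err != nil {
		return false, false, err
	}
	plain, err := DecryptFile(attacker, ef)
	if err != nil {
		return false, false, err
	}
	recovered = bytes.Equal(plain, document)
	// A second key pair models a victim or researcher who lacks the real private key.
	other, err := NewAttackerKeyPair(2048)
	if err != nil {
		return recovered, false, err
	}
	_, err = DecryptFile(other, ef)
	wrongKeyRejected = err != nil
	return recovered, wrongKeyRejected, nil
}

func main() {
	recovered, rejected, err := Scenario()
	fmt.Println("recovered with attacker key:", recovered, "| unrelated key rejected:", rejected, "| err:", err)
}
```

Run as is, the program reports that the attackers' private key recovers the document and that an unrelated private key is rejected. This is exactly why removing the malware does not help and why a backup, not cryptanalysis, is the realistic recovery path.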
WHAT TO DO:
If you are infected with CryptoLocker, it is important not to delete anything, to disconnect the computer from the network immediately, to stop using it so as not to infect other computers or disks connected to it, and to contact specialist professionals straight away to contain the infection. The tools and decryption resources available to specialists make it possible to stop the malware and at least save the data that has not yet been encrypted.
More and more technical labs are specialising in recovering this kind of compromised data. Breaking a 2048-bit RSA key is out of reach, but for at least some (probably older) versions solutions have been found; it is therefore worth contacting one of these companies and sending them three or four encrypted files, as they may be able to help.
HOW TO DEFEND FROM RANSOMWARE:
The answer is simple: do not download such attachments from e-mail and run them on your computer. In short, pay attention to incoming mail and, when browsing, do not download files from dubious sites. To defend against ransomware it is equally important to keep the operating system constantly up to date and to install an antivirus that can detect the malware before it infects the device. It is essential, finally, to have a backup from which to restore the PC in case you fail to block the infection in time: it gives you a copy of all the files on the disk without having to pay the ransom. Of course, backups must be kept on an external hard disk that is disconnected when not in use, so that it is not physically attached during an attack; CryptoLocker encrypts files on every drive it can reach, including USB disks and mapped network shares.
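The advice above relies on users spotting the disguised attachment; a mail gateway or desktop tool can check for it mechanically. The following Go program is an added example, not the page's or any vendor's code: it opens a ZIP attachment in memory and flags entries whose name ends in an executable extension (including the "invoice.pdf.exe" double-extension disguise described under OPERATION) or whose content starts with the "MZ" marker of a Windows executable, whatever the file is called. The extension lists and the constructed sample archive are assumptions made for the demonstration; the "executables" in the sample are just the MZ marker followed by filler, not real programs.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// Extension lists are an assumption for this example; a real gateway policy would be broader.
var executableExt = map[string]bool{
	".exe": true, ".scr": true, ".com": true, ".pif": true,
	".bat": true, ".cmd": true, ".js": true, ".vbs": true,
}
var documentExt = map[string]bool{
	".pdf": true, ".doc": true, ".docx": true, ".xls": true,
	".xlsx": true, ".jpg": true, ".png": true, ".txt": true,
}

// Finding lists why one archive entry looks like a (disguised) executable.
type Finding struct {
	Name    string
	Reasons []string
}

// InspectAttachment parses a ZIP attachment held in memory and flags entries that are
// executables by name (including a document extension hidden before the real one) or by
// content (a DOS/PE image starts with the bytes "MZ" regardless of its file name).
func InspectAttachment(data []byte) ([]Finding, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, f := range r.File {
		var reasons []string
		name := strings.ToLower(path.Base(f.Name)) // ZIP entry names use forward slashes
		ext := path.Ext(name)
		if executableExt[ext] {
			if inner := path.Ext(strings.TrimSuffix(name, ext)); documentExt[inner] {
				reasons = append(reasons, fmt.Sprintf("executable %s hidden behind document extension %s", ext, inner))
			} else {
				reasons = append(reasons, "executable extension "+ext)
			}
		}
		isPE, err := startsWithMZ(f)
		if err != nil {
			return nil, err
		}
		if isPE {
			reasons = append(reasons, "content begins with MZ (Windows executable)")
		}
		if len(reasons) > 0 {
			findings = append(findings, Finding{Name: f.Name, Reasons: reasons})
		}
	}
	return findings, nil
}

// startsWithMZ reads only the first two bytes of an entry; shorter entries simply do not match.
func startsWithMZ(f *zip.File) (bool, error) {
	rc, err := f.Open()
	if err != nil {
		return false, err
	}
	defer rc.Close()
	var head [2]byte
	n, _ := io.ReadFull(rc, head[:])
	return n == 2 && head[0] == 'M' && head[1] == 'Z', nil
}

// BuildSampleZip constructs an in-memory archive for the demo: a benign PDF, the
// classic double-extension dropper, and an executable renamed to look like an image.
func BuildSampleZip() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	entries := []struct{ name, body string }{
		{"invoice.pdf", "%PDF-1.4 constructed benign document"},
		{"invoice.pdf.exe", "MZ\x90\x00 constructed stand-in for a dropper"},
		{"photo.jpg", "MZ\x90\x00 constructed: executable renamed to an image"},
	}
	for _, e := range entries {
		fw, err := w.Create(e.name)
		if err != nil {
			panic(err)
		}
		if _, err := fw.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	findings, err := InspectAttachment(BuildSampleZip())
	if err != nil {
		panic(err)
	}
	for _, fd := range findings {
		fmt.Printf("%s: %s\n", fd.Name, strings.Join(fd.Reasons, "; "))
	}
}
```

On the sample archive the benign PDF passes, "invoice.pdf.exe" is flagged twice (by name and by content), and "photo.jpg" is flagged by content alone, which is the case an extension-only filter misses.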