Since its discovery in the wild in September 2013, CryptoLocker has held the title ‘the most damaging Windows ransomware Trojan.’ CryptoLocker appears to spread through fake emails, and once it reaches your device, it encrypts the files on your computer. As soon as the encryption is complete, it displays a message demanding a ransom of $100 or $300 in return for decryption. The relatively large sum demanded, combined with a tight deadline (after which the file is lost forever), makes it appear more aggressive than other similar viruses.
But CryptoLocker’s programmers have not reinvented the wheel. This kind of business can be very profitable, so Russian cyber criminals cannot just pass it up. We heard mention of different kinds of locker malware on Russian forums as early as 2005, when no one had even heard of web currencies, which today are a very convenient way to settle a ransom payment.
Silence WinLocker first appeared on Russian trading platforms in early 2012 and sold for $250. This ransomware demanded a payment of $200 for an alleged violation of copyright law. In later versions of the locker, this was changed to accusations of visiting porn websites.
MultiLocker was another ransomware that sold for $899 in November 2012. Many underground forum members complained that it bore too close a resemblance to old versions of SilenceLocker.
Euro WinLocker sold for $1,000 in July 2012, and was marketed as Europe-oriented ransomware. However, sales were soon halted, owing to a financial conflict that eventually got the seller banned from the two most important underground forums. He thus lost any chance of continuing to market his products. ULocker was another ransomware that appeared almost simultaneously with Euro WinLocker, and would demand 50 or 100 Euro to unlock the system.
Looking at more modern malware, we have Winlock + BrowLock (it prevents the opening of new pages), which is still sold today for a percentage of the income.
As a general rule, Russian hackers do not like operating in their own country. Although it may look like a very patriotic act coming from such “tough guys”, the real reason is more likely that they are just afraid of getting caught and punished by the authorities. There are, of course, exceptions: for example, this “cute” contemporary locker malware, whose ransom demand is displayed in Russian.
Given this state of affairs, we can see that CryptoLocker is not the first ransomware and will surely not be the last.