"Some will stoop to a very low level," he continued, "where they'll display child pornography and other nasty images on a person's computer."
Ransomware like Reveton frightened consumers, but measures could be taken to foil it. "A lot of it was easy to get around," said Adam Kujawa, a malware intelligence analyst at Malwarebytes. "You could boot in Safe Mode or from a CD and remove it that way."
Removing malware like CryptoLocker doesn't solve the problem, he added. "Even if you remove the infection, the files are still encrypted," he said. "It's no longer about removing the actual infection. It's about getting those files back."
Ransomware writers experimented with encryption before CryptoLocker. In 2007, a strain of bad app called GPCode, or Sinowal, encrypted files on the machines it infected, but the encryption was weak and easily broken by crypto pros. Encryption was also part of the repertoire of a strain of Reveton that appeared early in 2013, but since the malware's author provided no way to decrypt the files, there was little incentive to pay the ransom after the infection was removed from a machine.
Those kinds of mistakes weren't made by CryptoLocker's crew. Moreover, they have managed to strike just the right balance for success. "They figured out the balance of money to charge, malware protection and spread," said Lysa Myers, a security researcher with Eset.
"If you spread too much, your malware is too easy to find and you can be shut down," she explained.
The CryptoLocker crew also know the value of maintaining good customer relations. "They're honoring people who do pay the ransom," said Jarvis, of SecureWorks.
"In most cases they're sending the decryption keys back to the computer once they receive payment successfully," he explained. "We don't know what the percentage of people who successfully do that is, but we know it's part of their business model not to lie to people and not do it."
Moreover, in November, they began offering support to victims who, for whatever reason, fail to meet the hijackers' ransom deadlines. By submitting a portion of an encrypted file to the bad actors at a black website and paying the ransom, a victim can receive a key to decrypt their files. "You have to reinfect yourself with the malware but once you do that, you can get a successful decryption," Jarvis explained.
CryptoLocker's perpetrators have also benefited from improvements intended to better protect data. Encryption has long been challenging for many organizations, but as cyber attacks increased, the security industry strived to change that. "Over the last few years, file encryption has become easier to do," said Kujawa, of Malwarebytes.