# How Palo Alto Networks Can Stop CryptoLocker

By [Matthew Ancelin](https://www.paloaltonetworks.com/blog/author/matt-ancelin/?ts=markdown "Posts by Matthew Ancelin"), Nov 18, 2013 (4 minute read)

Category: [Threat Prevention](https://www.paloaltonetworks.com/blog/category/threat-prevention-2/?ts=markdown). Tags: [CryptoLocker](https://www.paloaltonetworks.com/blog/tag/cryptolocker/?ts=markdown), [ransomware](https://www.paloaltonetworks.com/blog/tag/ransomware/?ts=markdown), [WildFire](https://www.paloaltonetworks.com/blog/tag/wildfire/?ts=markdown)

The emergence of CryptoLocker in the past month means we're seeing the next iteration of ransomware. Extortion schemes involving encryption are not new, but they seem to come in waves.
The first ransomware, known as 'AIDS', dates back to 1989, with resurgent waves coming in 2005/2006 ([Gpcode](http://en.wikipedia.org/wiki/Gpcode "Gpcode"), TROJ.RANSOM.A, [Archiveus](http://en.wikipedia.org/wiki/Archiveus "Archiveus"), [Krotten](http://en.wikipedia.org/wiki/Krotten "Krotten"), Cryzip, and MayArchive) and then again more recently in 2010, when the Russian Mafia put out WinLock and other variants.

CryptoLocker is different. It uses a 2048-bit key and the RSA algorithm to encrypt specific file types on the victim's local storage and on any mapped network drives. The user or owner is then presented with a demand for $300 to $3000, payable through [BitCoin](http://bitcoin.org/ "BitCoin"). Once CryptoLocker has successfully encrypted the data, it is computationally infeasible for even a dedicated, distributed decryption effort to crack the encryption within a lifetime.

The Palo Alto Networks next-generation security platform is not able to help once the data is encrypted -- so far, we haven't seen a platform that can. But the good news for Palo Alto Networks customers is that our platform is more than capable of stopping the attack from reaching its final phase. Think of the typical network attack lifecycle:

1. Recon / bait the end user
2. Exploit the system
3. Download a backdoor
4. Establish command and control
5. Steal or damage

CryptoLocker needs to reach phase 5 before encryption begins. We can stop this attack at any of the four preceding phases.

**Phase 1 (recon/bait end-user):** CryptoLocker finds its targets like other attacks do: phishing emails leading a user to a malicious download site, and drive-by infections. CryptoLocker has been observed arriving as zipped attachments that appear to be PDF files but are actually disguised .exe files. [WildFire](https://www.paloaltonetworks.com/products/technologies/wildfire.html), as well as our anti-virus and anti-spyware, is able to look inside zip files and analyze unknown executables. Because we are not just looking at the file name and hash value, variants of core versions are easily detected and blocked by policy. As new core versions are released, they are detonated within WildFire, identified as malware, and shared across our WildFire subscribers in less than an hour. Consider adding the WildFire subscription to your Palo Alto Networks next-generation firewall to ensure timely receipt of intelligence on new versions.

**Phases 2 & 3 (exploit and download backdoor):** Once the initial payload reaches your machine, it adds a registry key that runs the encryption engine at boot. Palo Alto Networks threat research teams have already identified several core versions of CryptoLocker, named `Trojan/Win32.crilock.*` in our signature base, and hold hundreds of other signatures for encrypting ransomware as well. As new versions emerge, the first WildFire detection adds the new version to the 'known bad' set and distributes that intelligence across our global install base. Setting the WildFire policy to block will stop the payload as it attempts to traverse the firewall. URL filtering policies in combination with File Blocking policies (block all files from unknown domains) add a further layer of protection, keeping the payload from being delivered at all.

**Phase 4 (establish Command and Control):** Before this attack encrypts anything, it communicates out to a command and control network to obtain the asymmetric key pair that will be used to encrypt the data. This is the only way the attackers can deliver on their promise of releasing your files once the ransom is paid. Command and Control (C2) traffic is detected using the Spyware elements of our Threat Prevention. Setting this to block medium, high and critical severity spyware on outbound traffic will isolate this C2 call by CryptoLocker. Without key delivery, the encryption process never starts.
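The Phase 1 and Phases 2 & 3 paragraphs above make one detection point: judge an attachment by its content, not by its name or hash. The following script is an added illustration of that idea and is not Palo Alto Networks code or a description of how WildFire works; it is the kind of static pre-check a defender might run on mail-gateway attachments before sending unknown executables to a sandbox. It opens a zip archive in memory and flags members that carry an executable extension, a double extension such as `.pdf.exe`, or content that begins with the Windows PE `MZ` header while the file name claims to be a document. The archive and its member names are constructed for the example.

```python
import io
import zipfile

# Leading bytes of a Windows PE executable (DOS "MZ" header) and of a PDF.
PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF-"

# Extensions a lure typically claims versus extensions Windows will execute.
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def classify_member(name: str, head: bytes) -> list:
    """Return the reasons a zip member looks like a disguised executable.

    name -- the member's file name inside the archive
    head -- the first few bytes of the member's content
    An empty list means nothing suspicious was found by these checks.
    """
    reasons = []
    lower = name.lower()
    claims_document = lower.endswith(DOCUMENT_EXTENSIONS)

    if lower.endswith(EXECUTABLE_EXTENSIONS):
        reasons.append("executable extension")
        # "statement.pdf.exe": a document extension hidden before the real one
        stem = lower.rsplit(".", 1)[0]
        if stem.endswith(DOCUMENT_EXTENSIONS):
            reasons.append("double extension hiding a document name")

    # Content check: the name can lie, the MZ header cannot.
    if head.startswith(PE_MAGIC):
        reasons.append("PE (MZ) header in content")
        if claims_document:
            reasons.append("document extension but executable content")
    return reasons


def scan_zip(data: bytes) -> dict:
    """Scan an in-memory zip archive and map member name -> list of reasons.

    Members with no findings are omitted, so an empty dict means the
    archive passed these static checks.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the first bytes are needed for the magic-number check.
            with zf.open(info) as fh:
                head = fh.read(8)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive (not a real CryptoLocker lure):
    one genuine PDF, one PE under a .pdf name, one double-extension PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", PDF_MAGIC + b"1.4\n% placeholder content\n")
        zf.writestr("invoice.pdf", PE_MAGIC + b"\x90\x00" * 20)
        zf.writestr("statement.pdf.exe", PE_MAGIC + b"\x90\x00" * 20)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_archive()).items():
        print(f"{member}: {', '.join(reasons)}")
```

Only `invoice.pdf` and `statement.pdf.exe` are reported; `report.pdf` passes because both its name and its content are consistent. A renamed sample with a new hash still trips the `MZ` check, which is the property the paragraph above is describing; checks like this are a cheap first filter, and anything they flag, or cannot classify, is what a sandbox such as WildFire exists to detonate.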
C2 signatures are part of WildFire's threat intelligence feedback loop, so new C2 patterns are constantly being added. Administrators can gain visibility into this C2 traffic using the Application Command Center (ACC) and sorting the Threat section by 'spyware phone home'.

**The Best Offense...**

CryptoLocker is a new iteration of ransomware, but it should ultimately be treated like any other threat. All of the same best practices we recommend, such as SSL decryption/inspection, classification of all traffic, in-line threat prevention and investigation of unknowns, still very much apply. As a final thought, patching, regular backups and user training/awareness programs are components of any good risk management strategy. These fundamentals can also be very effective in keeping CryptoLocker, or any ransomware, from affecting your organization.