[5] In November 2013, the operators of CryptoLocker launched an online service that claimed to allow users to decrypt their files without the CryptoLocker program, and to purchase the decryption key after the deadline had expired; the process involved uploading an encrypted file to the site as a sample and waiting for the service to find a match; the site claimed that a match would be found within 24 hours.
[12][13] On 2 June 2014, the United States Department of Justice officially announced that over the previous weekend, Operation Tovar—a consortium constituting a group of law enforcement agencies (including the FBI and Interpol), security software vendors, and several universities, had disrupted the Gameover ZeuS botnet which had been used to distribute CryptoLocker and other malware.
The Department of Justice also publicly issued an indictment against the Russian hacker Evgeniy Bogachev for his alleged involvement in the botnet.
[6][14][15][16] As part of the operation, the Dutch security firm Fox-IT was able to procure the database of private keys used by CryptoLocker; in August 2014, Fox-IT and fellow firm FireEye introduced an online service which allows infected users to retrieve their private key by uploading a sample file, and then receive a decryption tool.
[7][13][22][23] Sophos security analyst Paul Ducklin speculated that CryptoLocker's online decryption service involved a dictionary attack against its own encryption using its database of keys, explaining the requirement to wait up to 24 hours to receive a result.
[13] In December 2013, ZDNet traced four bitcoin addresses posted by users who had been infected by CryptoLocker, in an attempt to gauge the operators' takings.
[24] Following the shutdown of the botnet that had been used to distribute CryptoLocker, it was calculated that about 1.3% of those infected had paid the ransom; many had been able to recover files which had been backed up, and others are believed to have lost huge amounts of data.
[29][30][28] In September 2014, further clones such as CryptoWall and TorrentLocker (whose payload identifies itself as "CryptoLocker", but is named for its use of a registry key named "Bit Torrent Application"),[31] began spreading in Australia; the ransomware uses infected e-mails, purportedly sent by government departments (e.g. Australia Post to indicate a failed parcel delivery) as a payload.
To evade detection by automatic e-mail scanners that can follow links, this variant was designed to require users to visit a web page and enter a CAPTCHA code before the payload is actually downloaded.