**Overview:** CryptoLocker was one of the first major ransomware families to achieve widespread notoriety. It emerged in late 2013 and was financially motivated, pairing strong encryption of victim files with ransom demands. The operation pioneered many techniques that later became standard in the ransomware ecosystem, including the use of strong encryption and anonymous payment methods.
**Origin & Affiliation:** CryptoLocker is believed to have originated from Eastern European cybercriminal groups, though specific attribution remains unclear. The operation appeared to function as an independent criminal enterprise rather than a ransomware-as-a-service model, with the core group maintaining direct control over the malware distribution and payment infrastructure.
**Attack Methodology:** CryptoLocker typically gained initial access through email phishing campaigns carrying malicious attachments, often disguised as legitimate business documents or shipping notifications. The malware used RSA-2048 encryption to render victim files unreadable and demanded payment in Bitcoin, an early adoption of cryptocurrency for ransom payments. Unlike modern ransomware groups, CryptoLocker did not typically exfiltrate data before encrypting it; its extortion relied solely on the encryption itself.
**Notable Campaigns:** The group's most significant impact occurred between 2013 and 2014, when it infected an estimated 500,000 computers worldwide and generated millions of dollars in ransom payments. Law enforcement action through Operation Tovar in 2014 successfully disrupted the Gameover Zeus botnet infrastructure that CryptoLocker relied upon for distribution, leading to the recovery of encryption keys for many victims.
**Current Status:** The original CryptoLocker operation was effectively dismantled by law enforcement actions in 2014, though the name and techniques have been adopted by various copycat groups in subsequent years. The group has been linked to 8 public disclosures across our corpus. First observed on a leak site on November 6, 2013; most recent post April 28, 2019. The operation is currently inactive.
Sector and geography
This disclosure adds to ransomware activity in the Critical Manufacturing sector, which has 55 disclosures indexed across all operators we track. Geographically, the victim, Langs Building Supplies (Queensland), is located in Australia, a country with 368 ransomware disclosures in our corpus.
How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data; we retain only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.