How much did CryptoLocker make?

CryptoLocker was one of the most infamous and damaging ransomware attacks in history. At its peak in 2013 and 2014, this aggressive strain of ransomware infected over 500,000 computers across the globe and extorted millions of dollars from victims. But how much money did the creators of CryptoLocker actually make from their criminal enterprise? Let’s take a closer look at the numbers behind one of the most profitable malware operations ever seen.

The Rise of CryptoLocker

CryptoLocker first appeared in September 2013 and spread rapidly through spam email campaigns and exploit kits. The ransomware used advanced RSA public key cryptography to encrypt files on infected Windows computers. Victims would see their documents, photos, videos and other personal files locked with strong encryption.

A ransom payment was demanded in Bitcoin to receive the decryption key. If the ransom wasn’t paid within 72 hours or 3 days, the decryption key would be destroyed and files would be lost forever.

CryptoLocker’s encryption was so strong that security experts considered infected files beyond recovery without the decryption key. This left many victims with no choice but to pay the ransom to get their files back.

At the time, ransomware was a relatively new cyber threat. CryptoLocker was one of the first ransomware strains to combine strongest encryption with a robust business model that relied on Bitcoin payments. This allowed the ransomware creators to rapidly scal

The initial version of CryptoLocker successfully infected over 500,000 computers before it was shut down in May 2014 through international law enforcement operations. However, variants of CryptoLocker continued to spread for years after.

Estimated Profits from CryptoLocker

So how much money did the masterminds behind CryptoLocker make from ransom payments? While the exact figure is unknown, researchers have made estimates based on Bitcoin wallet addresses and transactions linked to CryptoLocker:

  • In November 2013, just 2 months after first appearing, CryptoLocker had already extorted over $27 million in ransom payments, according to reports at the time.
  • By early May 2014, total ransom payments were estimated between $3 million and $27 million.
  • In June 2014, the Cyber Threat Alliance estimated that over 500,000 computers were infected and CryptoLocker had made between $3 million and $30 million in extortion.
  • Dell SecureWorks analyzed Bitcoin wallets linked to CryptoLocker and estimated total ransom payments of $30 million by the time the initial threat was shut down in May 2014.

So most estimates put the profits from the initial CryptoLocker campaign between $3 million and $30 million over 8 months of operation.

Variants and Continued Infections

Though the original CryptoLocker botnet was disrupted in 2014, new variants and copycats continued to spread for years:

  • Researchers discovered CryptoLocker 2.0 in early 2015, with improvements to its encryption and ransom process. This version extorted an estimated $2.1 million before it was shut down.
  • In 2016 and 2017, the CryptoLocker variants CryptoBlocker and Zeta ransomed over $2 million from victims.
  • New CryptoLocker strains and rebranded ransomware like Petya continued to infect thousands of computers each month throughout 2016 and 2017.

While these later variants were not as successful as the original CryptoLocker campaign, they likely extorted several million more dollars from victims.

Cost to Victims

CryptoLocker didn’t just cost individual victims. The ransomware also inflicted significant costs on businesses and government organizations:

  • The Swansea, Massachusetts police department was infected with CryptoLocker in 2013, forcing them to pay a $750 ransom to unlock case files.
  • A police department in Tennessee paid over $1,000 in Bitcoin to decrypt their database after a CryptoLocker infection.
  • Australian couriers TNT Express were hit by CryptoLocker in 2017, with over 4,000 devices infected across 2,000 locations. This major business disruption reportedly cost FedEx (who acquired TNT) $400 million.

These examples illustrate how a single ransomware infection could cripple an organization’s operations for days or weeks. When factoring in downtime, recovery costs, and reputational damage, the true cost of CryptoLocker to businesses likely reaches into the billions.

Breakdown of CryptoLocker’s Earnings

Based on figures from security researchers, here is an estimate of the earnings from CryptoLocker ransom payments:

Time Period Estimated Revenue
Sep 2013 – Nov 2013 $27 million
Nov 2013 – May 2014 $3 million – $30 million
CryptoLocker 2.0 $2.1 million
Later variants through 2017 $2 million – $10 million

That puts total earnings from CryptoLocker variants at around $35 – $70 million over a 4 year period.

This analysis only covers direct ransom payments. The true cost of CryptoLocker to society, including recovery costs, could be in the range of billions when you account for downtime and damage across individual users, businesses, and government systems.

CryptoLocker Infrastructure

To effectively collect millions in ransom payments, the CryptoLocker operators built an extensive criminal infrastructure:

  • Sophisticated botnet to spread infections – CryptoLocker relied on the Gameover ZeuS botnet infrastructure to send spam and conduct attacks.
  • Command and control servers – Encrypted C&C servers gave the hackers remote access to infected computers for delivering encryption keys after payment.
  • Money laundering network – The group funneled Bitcoin ransom payments through mixing services to obscure transactions.
  • Affiliate program – CryptoLocker creators recruited “affiliates” who spread the ransomware for a cut of the profits.

This complex backend allowed the creators to infect hundreds of thousands of computers in a short period, handle ransom payments efficiently, and evade authorities for months.

Gameover ZeuS Botnet

CryptoLocker was distributed through the infamous Gameover ZeuS botnet, which authorities took control of in June 2014.

Gameover ZeuS infected up to 1 million computers and sent spam, conducted denial of service attacks, and spread other malware. The botnet had a sophisticated peer-to-peer infrastructure that was resilient against takedowns.

CryptoLocker operators paid to install their ransomware code on the Gameover ZeuS botnet. This allowed them to quickly infect hundreds of thousands of computers.

Money Laundering

To cash out their Bitcoin ransom payments, the CryptoLocker creators used online money laundering services to obscure transactions:

  • They used “bitcoin tumblers” like CryptoCapital, which mixed ransoms with other funds to hide the money trail.
  • Much of the Bitcoin was converted to cash through online exchanges like BTC-e.
  • Mules were used to collect extorted money that had entered the traditional banking system.

This laundering infrastructure made it very difficult for law enforcement to track ransom payments. It helped CryptoLocker prosper for months.

Shutdown of Original CryptoLocker

CryptoLocker’s reign ended in May 2014 when a major international law enforcement operation dismantled the Gameover ZeuS botnet that spread the ransomware.

Operation Tovar was a joint effort between security companies and law enforcement from several countries:

  • Microsoft led detection efforts that identified the botnet’s infrastructure.
  • Authorities from the FBI, Europol, and other agencies infiltrated the botnet’s servers.
  • In early June 2014, they seized domain names and servers that controlled the Gameover ZeuS botnet.

With the botnet disabled, the original CryptoLocker strain was effectively shut down. While new variants later emerged, they did not match the scale of the initial campaign.

Authorities in several countries conducted follow-up investigations and arrested suspects involved with CryptoLocker over the following years. But the masterminds behind the original operation were never positively identified.

Legacy of CryptoLocker

Though the original CryptoLocker botnet was eventually disrupted, the ransomware had a lasting impact on cybersecurity:

  • Demonstrated profit potential of ransomware – CryptoLocker earned millions and inspired copycats seeking similar profits.
  • Proved efficacy of ransomware-as-a-service – The affiliate program model is still used by ransomware groups today.
  • Made ransomware a top threat – High profile attacks led to ransomware being taken more seriously by businesses and authorities.
  • Increased focus on backups – The inability to recover encrypted files without paying ransom made backups a higher priority.

CryptoLocker was a true threat that reshaped the cybercrime landscape. Its success inspired increased ransomware attacks that continue today. The model of delivering ransomware via an exploit toolkit and botnet was later copied by other syndicates.

CryptoLocker proved the effectiveness of ransomware and affiliate programs for monetizing malware. This spawned many successive ransomware families that have become top cybersecurity threats.

Recent Ransomware Activity

In the years since CryptoLocker’s takedown, ransomware has exploded as one of the most common and damaging cyber attacks. A few notable developments:

  • Ransomware grew exponentially, with estimates of thousands of strains and millions of annual attacks.
  • High profile ransomware incidents crippled businesses and infrastructure, including NotPetya, WannaCry and Ryuk.
  • Ransom amounts demanded from businesses increased into the hundreds of thousands or millions.
  • Sophisticated affiliate programs emerged to deliver ransomware for a cut of profits.
  • Ransomware developers began auctioning off access to compromised networks.

Ransomware is now one of the top threats in cybersecurity. But CryptoLocker demonstrated the profitable potential of ransomware years earlier.

Defense Against Modern Ransomware

While today’s ransomware landscape has evolved, some of CryptoLocker’s traits remain:

  • Continued use of robust encryption algorithms to lock files.
  • Ongoing reliance on hard-to-trace cryptocurrency for ransom payments.
  • Constant development of ransomware delivery methods.

To defend against current ransomware threats, organizations should follow cybersecurity best practices:

  • Maintain updated backups – Having clean backups makes recovery possible without paying ransom.
  • Educate staff – Training staff to identify potential ransomware attacks is crucial.
  • Keep software updated – Patching known exploits can prevent infection vectors.
  • Use anti-malware tools – Endpoint detection & response software can block and isolate ransomware.
  • Segment networks – Limiting access controls can prevent lateral ransomware spread.
  • Have an incident response plan – Having a plan to quickly contain, eradicate and recover from ransomware is essential.

Applying security in layers is key to mitigating the ongoing threat of ransomware.


CryptoLocker was an innovative ransomware operation that generated millions in cryptocurrency profits through extortion. While the original botnet was eventually disrupted, CryptoLocker demonstrated that ransomware could be highly profitable for cyber criminals.

It fueled waves of copycat ransomware that continue to this day. CryptoLocker was a criminal enterprise that permanently changed the threat landscape. Its legacy endures through the ransomware epidemic that organizations still struggle to defend against.