"It systematically hunts down every one of your personal files—documents, databases, spreadsheets, photos, videos and music collections—and encrypts them with military-grade encryption, and only the crooks can open it," said Chester Wisniewski, a senior security advisor at Sophos.
Your computer, even though it's infected, keeps working normally; you just can't access any of your personal files. It's scary, especially if you haven't backed up your data.
"Cybercrime is evolving as the bad guys get smarter and use newer technologies," said Michael Kaiser, executive director of the National Cyber Security Alliance. "They're always looking for new ways to steal your money."
CryptoLocker is different from other types of "ransomware" that have been around for many years and that freeze your computer and demand payment. Those can usually be removed, restoring your access to files and documents.
But CryptoLocker encrypts your files. There's only one decryption key, and the bad guys have that on their server. Unless you pay the ransom within three days, that key will be destroyed. And as the message from the extortionists says, "After that, nobody and never will be able to restore files. …"
The typical extortion payment is $300 or 300 euros paid by Green Dot MoneyPak, or for the more tech-savvy, two bitcoins, currently worth about $400.
To instill a sense of urgency, a digital clock on the screen counts down from 72 hours so you can see how much time is left before that unique decryption key is destroyed.
One victim described his anguish in an online post: "The virus cleverly targeted … all of our family photos, including all photos of my children growing up over the last 8 years. I have a distraught wife who blames me!"
This sophisticated malware is delivered the old-fashioned way: an executable file hidden inside an attachment that looks like an ordinary ZIP file or PDF. One small business reports being compromised after clicking on an email attachment that was designed to look like a shipping invoice from the U.S. Postal Service.
Open that file and bad things start to happen, although it may take several days for the ransom demand to appear on your screen after the machine is infected.
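The delivery trick described above, an executable dressed up as a ZIP or PDF attachment, is something a mail gateway or a cautious administrator can screen for. The following is an added example written for this page, not code from the article or from any vendor it quotes. It flags three things: a filename whose real extension is executable, a "double extension" such as invoice.pdf.exe, and content whose magic bytes do not match what the extension claims (including executables hidden inside a ZIP). The extension list, the magic-byte table and the sample attachments are constructed assumptions for illustration, not a complete catalogue.

```python
import io
import os
import zipfile

# Extensions Windows will run directly. Constructed list for the example; not exhaustive.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".jse", ".wsf"}

# Leading bytes of the document types an attachment commonly claims to be.
MAGIC = {
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
}
PE_MAGIC = b"MZ"  # DOS/PE header of a Windows executable


def name_flags(filename):
    """Reasons the filename alone looks like a disguised executable."""
    reasons = []
    root, ext = os.path.splitext(filename.lower())
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        # invoice.pdf.exe: a document-looking extension placed before the real one
        _, inner_ext = os.path.splitext(root)
        if inner_ext in MAGIC:
            reasons.append(f"double extension {inner_ext}{ext}")
    return reasons


def content_flags(filename, data):
    """Reasons the bytes do not match what the filename claims."""
    reasons = []
    ext = os.path.splitext(filename.lower())[1]
    if data.startswith(PE_MAGIC):
        reasons.append("content is a Windows executable (MZ header)")
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        reasons.append(f"content does not match {ext} header")
    if data.startswith(MAGIC[".zip"]):
        # Look inside the archive: the executable is often one level down.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    for r in name_flags(os.path.basename(member)):
                        reasons.append(f"archive member {member}: {r}")
        except zipfile.BadZipFile:
            reasons.append("ZIP header but archive is unreadable")
    return reasons


def check_attachment(filename, data):
    """Combine filename and content checks into one verdict."""
    reasons = name_flags(filename) + content_flags(filename, data)
    return {"filename": filename, "suspicious": bool(reasons), "reasons": reasons}


def build_sample_zip(member_name, payload):
    """Constructed sample: an in-memory ZIP holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed samples (not real malware): a genuine PDF, an executable renamed
# to .pdf, and a ZIP whose only member carries a double extension.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
SAMPLE_FAKE_PDF = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_ZIP = build_sample_zip("USPS_Shipping_Invoice.pdf.exe", b"MZ" + b"\x00" * 62)

if __name__ == "__main__":
    for name, data in [("invoice.pdf", SAMPLE_PDF),
                       ("invoice.pdf", SAMPLE_FAKE_PDF),
                       ("USPS_Invoice.zip", SAMPLE_ZIP)]:
        print(check_attachment(name, data))
```

The check is deliberately conservative: a genuine PDF or a ZIP of documents produces no reasons, while a mismatch between name and content is enough to quarantine for a human look.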
"The author ... is a genius. Evil genius, but genius none the less," an IT professional commented in an online tech forum. Another wrote, "This thing is nasty and has the potential to do enormous amounts of damage worldwide."
Good anti-virus software can remove CryptoLocker from your computer but cannot undo the damage—the encryption is that good.
"It's the same type of encryption used in the commercial sector that's approved by the federal government," Wisniewski told me. "If the crooks delete that encryption key, your files are gone forever. Even the NSA can't bring them back."
Victims large and small
The cybercrooks are targeting both businesses and individual users—anyone who will pay to regain access to their files.
The CryptoLocker forum on BleepingComputer.com is filled with page after page of horror stories. Here is a small sample:
"When we discovered the infection from a user's workstation on the network, this program had encrypted over 180,000 files through the network shares in a period of 6 days. I pretty much shut down the business for 2 days after we realized what was happening."
"Our company was infected this morning. The virus hit a machine 4 days ago and today we got the pop up about the ransom. All files on the network drive the user had access to are now encrypted."
"We had a workstation get infected yesterday that encrypted everything on our network share drive. We had backups, although they weren't recent enough, so despite all feelings against it, we paid the ransom and everything started to decrypt overnight."
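The accounts above share one pattern a defender can watch for: a single user account rewriting very large numbers of files on a network share in a short time, with the new contents looking like random bytes. The following is an added illustration written for this page, not code from the article or from BleepingComputer. It runs a simple sliding-window detector over constructed file-share write events: an alert fires when one account writes at least a threshold number of distinct high-entropy files within the window. The event format, thresholds and sample activity are assumptions for the example.

```python
import math
from collections import defaultdict, deque


def shannon_entropy(data):
    """Bits of entropy per byte; ~8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events, window_seconds=60, file_threshold=20,
                           entropy_threshold=7.0):
    """events: iterable of (timestamp, user, path, content_sample), time-ordered.

    Keeps a per-user window of recent writes and alerts once when the number of
    distinct high-entropy files written inside the window reaches the threshold.
    Returns a list of alert dicts.
    """
    recent = defaultdict(deque)   # user -> deque of (ts, path, entropy)
    alerts, alerted = [], set()
    for ts, user, path, sample in events:
        q = recent[user]
        q.append((ts, path, shannon_entropy(sample)))
        while q and ts - q[0][0] > window_seconds:
            q.popleft()
        high = {p for _, p, e in q if e >= entropy_threshold}
        if len(high) >= file_threshold and user not in alerted:
            alerts.append({"user": user, "at": ts, "high_entropy_files": len(high)})
            alerted.add(user)
    return alerts


# Constructed sample activity. 'alice' saves a handful of ordinary text files;
# 'bob' (a compromised workstation) rewrites 30 share files in 30 seconds with
# bytes that have maximal entropy, standing in for encrypted content.
TEXT_SAMPLE = b"Quarterly report, draft 3. Revenue by region, see table below."
RANDOM_LIKE = bytes(range(256)) * 4

SAMPLE_EVENTS = (
    [(t, "alice", f"\\\\fileserver\\finance\\report{t}.docx", TEXT_SAMPLE)
     for t in range(0, 50, 10)]
    + [(100 + t, "bob", f"\\\\fileserver\\finance\\photo{t:03d}.jpg", RANDOM_LIKE)
       for t in range(30)]
)
SAMPLE_EVENTS.sort(key=lambda e: e[0])

if __name__ == "__main__":
    for alert in detect_mass_encryption(SAMPLE_EVENTS):
        print(alert)
```

The entropy test alone is not enough (archives and media are also high-entropy), which is why the detector also requires a burst of many distinct files from one account; in practice the alert should trigger isolating that workstation and revoking its share access while the backups are checked.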