CryptoLocker is a new breed of ransomware that, once activated, encrypts your files, such as documents, spreadsheets and images, with a public key, rendering them unreadable. Not only does it do so on the infected computer, it also tries to find and encrypt every file reachable on the network. The infected computer keeps working, alas without the user's files.
To decrypt the files you would need the private key, which only the criminals have, and that is where the ransomware portion comes in. The malware asks you to send $300 within 72 hours to obtain the private key. Of course, paying could open you up to further extortion. Obviously, I cannot advise you on how likely it is that you will get your data back if you do decide to pay.
The criminals retain the only copy of the decryption key on their server – it is not saved on your computer. Suffice it to say, there is no way to unscramble your files without the private key.
What does CryptoLocker Look Like on Your Computer?
The malware can lie dormant on your computer for a while, and AV programs with outdated definitions may not find it. Unfortunately, CryptoLocker only reveals itself after it has encrypted your files and those on the network. You then get a popup with a timer counting down from 72 hours and instructions on how to send the money via MoneyPak or Bitcoin.
How does it spread?
CryptoLocker is not a self-replicating virus that can spread by itself. It uses two types of infection vector. The first is malicious email, sent for example to company email addresses and pretending to be a customer-support issue from FedEx, UPS, etc. These emails carry a zip attachment that infects the computer when opened. The zip files contain executables disguised as PDF files: they carry a PDF icon and are typically named something like FORM-2233.pdf.exe, so that a user whose system hides known file extensions sees only FORM-2233.pdf.
The other vector is a bot already running on the computer. The bot then installs the new CryptoLocker payload.
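The double-extension lure described above is easy to flag before an attachment ever reaches a user. The following is an added example, not code from the original article: a small Python checker that opens a zip attachment in memory and reports entries whose name ends in a document extension followed by an executable one (the FORM-2233.pdf.exe pattern), as well as entries whose name claims a document but whose bytes begin with the Windows executable "MZ" signature. The extension lists and the sample archive built by `build_sample_zip()` are constructed for this example.

```python
import io
import zipfile

# Extensions Windows executes on double-click (constructed list for this example).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Extensions a user would expect to be harmless documents or images.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def is_disguised_executable(name: str) -> bool:
    """True for lure names like FORM-2233.pdf.exe: a document extension
    sitting directly before a final executable extension."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS


def claims_document_but_is_pe(name: str, head: bytes) -> bool:
    """True when the name ends in a document extension but the bytes start
    with the 'MZ' signature of a Windows executable."""
    ext = name.rsplit(".", 1)[-1].lower()
    return ext in DOCUMENT_EXTS and head.startswith(b"MZ")


def scan_zip_attachment(blob: bytes) -> dict[str, list[str]]:
    """Return {entry name: [reasons]} for every suspicious entry in the archive."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reasons = []
            if is_disguised_executable(info.filename):
                reasons.append("double extension hiding an executable")
            if claims_document_but_is_pe(info.filename, head):
                reasons.append("PE header under a document extension")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment: one genuine-looking PDF and two lures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 constructed sample, not a real document")
        zf.writestr("FORM-2233.pdf.exe", b"MZ constructed sample, not a real binary")
        zf.writestr("tracking.pdf", b"MZ constructed sample with a PDF name")
    return buf.getvalue()
```

Calling `scan_zip_attachment(build_sample_zip())` flags FORM-2233.pdf.exe for its double extension and tracking.pdf for carrying an executable header under a document name, while invoice.pdf passes.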
It is important to realize that malware generally runs with the same rights and permissions as the user account that is logged on. This means the malware can encrypt any file that you yourself can reach on the network through Windows Explorer, with far-reaching effects. That includes USB drives, network file shares, and even cloud storage folders that are mapped to appear as drive letters.
One reader commented that from a single infected computer, she was faced with 14,000 encrypted files spread over local and mapped network drives.
How do I clean up CryptoLocker?
CryptoLocker can be cleaned off your system. You could try the Microsoft Malicious Software Removal Tool, or use the free Sophos Virus Removal Tool (VRT). The latter tool works alongside your regular security software. If CryptoLocker is running and has already popped up its payment demand page, you can still remove it and clean up, but the Virus Removal Tool cannot decrypt your scrambled files; their contents are unrecoverable without the key, so you may as well delete them.
How to restore files encrypted by CryptoLocker
As mentioned earlier in the article, files that have been encrypted cannot be decrypted without the private key. To recover previous versions of your files you need to rely on backups and your standard disaster recovery systems. Given the effect CryptoLocker can have on a company's data, it has become important to review your backup plans in light of this added threat.
If Shadow Copy is enabled on your computer, it is possible to restore previous versions of the encrypted files. Although these previous versions will not be encrypted, they may not be the latest version of the file either. Please note that Shadow Volume Copies, and thus Previous Versions, are only available on Windows XP Service Pack 2, Windows Vista, Windows 7 and Windows 8, and certain Microsoft Server environments.
Here are tips for keeping safe against malware in general, and ransomware in particular:
- Keep regular backups of your important files. Beware of simple cloud backups that retain only the most recent version, since they will happily overwrite a good copy with the encrypted one.
- Use an anti-virus program, and keep it up to date. Be aware that no antivirus software can guarantee that you will be 100% safe.
- Keep your operating system and software up to date with patches.
- Review the access control settings on any network shares you have, whether at home or at work.
- Don’t give administrative privileges to your user accounts. Malware that runs as administrator can do much more damage, and be much harder to get rid of, than malware running as a regular user.
A good start on your road to security and safety is by creating a detailed network assessment. More about that at this link.
Johannes Banck, CIO, offered this advice: "The moral of the story is: always have backups, always update your software, and do not open e-mail attachments unless you know who sent them."
Have you been affected by CryptoLocker? Let us know your thoughts on this malware in the comments.