See how CryptoLocker Ransomware works, learn about prevention, cleanup and recovery


CryptoLocker is a new breed of ransomware. Once activated it encrypts your files, such as documents, spreadsheets and images, using public-key cryptography, leaving them unreadable. It does not stop at the local computer: it also hunts for files on every network location it can reach. The infected computer keeps working, alas without the user's files.

To decrypt the files you would need the matching private key, which only the criminals hold – and that is where the ransomware part comes in. The malware demands that you pay $300 within 72 hours to obtain the private key. Of course that could mean you’d open yourself up to further extortion. Obviously, I cannot advise you on how likely it is that you will get your data back if you do decide to pay.

The criminals retain the only copy of the decryption key on their server – it is not saved on your computer. Suffice it to say, there is no way to unscramble your files without the private key.

What does CryptoLocker Look Like on Your Computer?

The malware can lie dormant on your computer for a while, and AV programs with outdated definitions may not find it. Unfortunately, CryptoLocker only reveals itself after it has encrypted your files and those on the network. At that point you get a popup with a timer counting down from 72 hours and instructions on how to send the money via MoneyPak or Bitcoin.

(Image: CryptoLocker splash screen)

How does it spread?

CryptoLocker is not a self-replicating virus that can spread by itself. It arrives by two kinds of vector. The first is malicious email, sent for example to company addresses and posing as customer-support correspondence from FedEx, UPS and the like. These emails carry a zip attachment that infects the computer when its contents are opened. The zip files contain executables disguised as PDF files: they carry a PDF icon and are typically named something like FORM-2233.pdf.exe. Because Windows Explorer hides known file extensions by default, such a file shows up as FORM-2233.pdf.
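The double-extension trick above is easy to catch before the attachment reaches a user. The following is an added example for this article, not code from the original page or from any product it mentions: it opens a zip attachment and flags entries with an executable extension, a document-then-executable double extension such as FORM-2233.pdf.exe, or a Windows PE header (the "MZ" magic) inside a file whose extension claims it is a document. The extension lists and the sample zip are constructed for the example.

```python
"""Inspect a zip email attachment for executables disguised as documents.

Added example for this article; not code from the original page.
Flags three things seen in CryptoLocker lures: a double extension such as
FORM-2233.pdf.exe, any executable/script extension, and a Windows PE header
(the 'MZ' magic) inside a file that claims to be a document.
"""
import io
import os
import zipfile

# Assumed lists for this example; extend them for your own environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar", ".cpl"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def inspect_member(name: str, data: bytes) -> list:
    """Return the reasons this zip entry looks like a disguised executable (empty if none)."""
    reasons = []
    base = os.path.basename(name).lower()
    root, ext = os.path.splitext(base)
    _, inner_ext = os.path.splitext(root)
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    if inner_ext in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        # Explorer hides known extensions by default, so the user sees only the inner one.
        reasons.append(f"double extension {inner_ext}{ext} (Explorer would show only {inner_ext})")
    if data[:2] == b"MZ" and ext not in EXECUTABLE_EXTS:
        reasons.append("PE header inside a file that does not claim to be executable")
    return reasons


def inspect_attachment(zip_bytes: bytes) -> dict:
    """Map each suspicious member name to its reasons; an empty dict means nothing was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the first bytes are needed; a production filter should also cap
            # the uncompressed size of every member to defend against zip bombs.
            with zf.open(info) as fh:
                head = fh.read(64)
            reasons = inspect_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample (not a real malware sample): a lure, a benign PDF and a PE hiding behind .jpg."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FORM-2233.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)  # PE stub bytes only
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%constructed benign content\n")
        zf.writestr("photo.jpg", b"MZ\x90\x00" + b"\x00" * 60)  # PE header, document extension
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in inspect_attachment(build_sample_attachment()).items():
        print(member, "->", "; ".join(reasons))
```

Matching is case-insensitive, so FORM-2233.PDF.EXE is treated the same as the lower-case name. A mail gateway would typically quarantine any attachment with a non-empty result rather than try to decide which of the three reasons matters most.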

The other vector is a bot that is already running on the computer from an earlier infection. The bot simply downloads and installs the CryptoLocker payload as one more module.

It is important to realize that malware generally runs with the same rights and permissions as the user account that is logged on. This means that the malware can encrypt any file you yourself could open and modify in Windows Explorer, with far-reaching effects. That includes USB drives, network file shares, and even cloud storage folders that are presented as a drive letter – and a cloud sync client will then faithfully upload the encrypted versions.

One reader commented that from a single infected computer, she was faced with 14,000 encrypted files spread over local and mapped network drives.

How do I clean up CryptoLocker?

CryptoLocker can be cleaned off your system. You could try the Microsoft Malicious Software Removal Tool, or use the free Sophos Virus Removal Tool (VRT); the latter runs alongside your regular security product. If CryptoLocker is running and has already displayed its payment demand, you can still remove it and clean up, but no removal tool can decrypt your scrambled files – without the key their contents are unrecoverable. Do not rush to delete them, though: keep the encrypted copies until you have confirmed that every file has been restored from backup.

How to restore files encrypted by CryptoLocker

As mentioned earlier in the article, files that have been encrypted cannot be decrypted without the private key. To get previous versions of your files back you need to rely on backups and your standard disaster recovery procedures. Given the damage CryptoLocker can do to a company's data, it is worth reviewing your backup plans in light of this added threat.
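Before restoring, you need an inventory of which files were actually hit, since an infection touches local and mapped drives alike and the ransom note does not list them. The script below is an added example for this article, not a tool from the page: it walks a directory tree and flags files whose leading bytes no longer match the format their extension promises, or whose content is near-random (high Shannon entropy), both of which encrypted files exhibit. The magic-byte table, the 7.5 bits-per-byte threshold and the sample tree are assumptions constructed for the example.

```python
"""Triage which files on a local or mapped drive look encrypted and need restoring.

Added example for this article, not the page's own tooling. It flags files whose
header no longer matches the type their extension promises, or whose bytes are
near-random (high Shannon entropy). The magic table and threshold are assumptions.
"""
import math
import os
import tempfile
from collections import Counter

MAGIC = {  # extension -> accepted leading bytes (assumed table; extend as needed)
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ordinary documents sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0 for a constant run, 8 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: str, sample_size: int = 4096) -> bool:
    """True if the header mismatches the extension's magic, or the sample is near-random."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    ext = os.path.splitext(path)[1].lower()
    if ext in MAGIC and not any(head.startswith(m) for m in MAGIC[ext]):
        return True
    # Entropy alone catches formats without a magic number (plain text, CSV);
    # very small files are skipped because their entropy estimate is meaningless.
    return len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD


def triage(root: str) -> dict:
    """Return {'encrypted': [...], 'intact': [...]} with paths relative to root."""
    result = {"encrypted": [], "intact": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            bucket = "encrypted" if looks_encrypted(path) else "intact"
            result[bucket].append(os.path.relpath(path, root))
    return result


def build_sample_tree() -> str:
    """Constructed sample: two intact documents and two 'encrypted' ones (random bytes)."""
    root = tempfile.mkdtemp(prefix="cl_triage_")
    os.makedirs(os.path.join(root, "shared"))
    with open(os.path.join(root, "budget.xlsx"), "wb") as fh:
        fh.write(b"PK\x03\x04" + b"cells " * 200)          # valid header, low entropy
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"meeting notes, nothing unusual\n" * 40)  # no magic, low entropy
    with open(os.path.join(root, "shared", "contract.pdf"), "wb") as fh:
        fh.write(os.urandom(4096))                          # header gone, random bytes
    with open(os.path.join(root, "shared", "memo.txt"), "wb") as fh:
        fh.write(os.urandom(4096))                          # caught by entropy alone
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    print("restore from backup:", sorted(report["encrypted"]))
    print("intact:", sorted(report["intact"]))
```

Run it against the root of each drive letter the infected user had mapped; the "encrypted" list is the restore work order, and the "intact" list tells you which shares the account could not write to. Compressed or already-encrypted formats (zip archives, encrypted PDFs, JPEGs) have naturally high entropy, which is why the header check comes first.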

If Shadow Copy is enabled on your computer or on the file server, it may be possible to restore previous versions of the encrypted files. Those previous versions will not be encrypted, but they may not be the latest version of the file either. Note that Previous Versions is built into Windows Vista, Windows 7 and Windows 8 and the corresponding Windows Server editions; on Windows XP Service Pack 2 it requires the separate Shadow Copy Client and only covers files on server shares. Do not treat it as a substitute for a backup: some ransomware deletes shadow copies before it starts encrypting.

Malware Prevention

Here are tips for keeping safe against malware in general, and ransomware in particular:

  • Keep regular backups of your important files, and keep older versions, not just the newest. Beware of simple cloud sync or backup services that retain only the most recent version: once the encrypted file syncs up, it replaces your good copy.
  • Use an anti-virus program, and keep it up to date. Bear in mind that no antivirus software can guarantee that you will be 100% safe.
  • Keep your operating system and software up to date with patches.
  • Review the access control settings on any network shares you have, whether at home or at work. A share that every user can write to is a share that any infected user can encrypt.
  • Don’t give administrative privileges to your day-to-day user accounts. Malware that runs as administrator can do much more damage, and be much harder to get rid of, than malware running as a regular user.
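The first tip is the one that decides whether an infection is an outage or a catastrophe, so here is what "keep older versions" looks like in practice. This is an added example for this article, not a tool from the page: a snapshot-style backup in the spirit of rsync --link-dest, where every run creates a new dated snapshot directory and hard-links the files that did not change since the previous snapshot, so retaining many versions costs almost no extra space. The scenario in demo() (back up, let the document get overwritten with random bytes as ransomware would, back up again, restore the older snapshot) and the snapshot labels are constructed for the example; snapshot names are assumed to sort chronologically.

```python
"""Snapshot-style backup that keeps earlier versions, so an encrypted overwrite
cannot destroy the last good copy.

Added example for this article, not a tool from the page. It mimics the
rsync --link-dest scheme: each run creates a new snapshot directory and
hard-links files unchanged since the previous snapshot. A one-version mirror
(the simple cloud sync the article warns about) would instead replace the
good copy with the encrypted one. Snapshot labels are assumed to sort in
chronological order (ISO dates do).
"""
import filecmp
import os
import shutil
import tempfile


def latest_snapshot(backup_root: str):
    """Path of the most recent snapshot directory, or None if there is none yet."""
    names = sorted(os.listdir(backup_root)) if os.path.isdir(backup_root) else []
    return os.path.join(backup_root, names[-1]) if names else None


def snapshot(source: str, backup_root: str, label: str) -> str:
    """Create backup_root/label from source, hard-linking unchanged files from the latest snapshot."""
    previous = latest_snapshot(backup_root)
    dest = os.path.join(backup_root, label)
    for dirpath, _, filenames in os.walk(source):
        rel = os.path.relpath(dirpath, source)
        target_dir = os.path.normpath(os.path.join(dest, rel))
        os.makedirs(target_dir, exist_ok=True)
        for name in filenames:
            src = os.path.join(dirpath, name)
            dst = os.path.join(target_dir, name)
            old = os.path.normpath(os.path.join(previous, rel, name)) if previous else None
            if old and os.path.isfile(old) and filecmp.cmp(src, old, shallow=False):
                os.link(old, dst)       # unchanged: share the inode with the earlier snapshot
            else:
                shutil.copy2(src, dst)  # new or changed content gets its own copy
    return dest


def restore(backup_root: str, label: str, relpath: str) -> bytes:
    """Read one file out of a given snapshot."""
    with open(os.path.join(backup_root, label, relpath), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed scenario: back up, 'encrypt' a document, back up again, restore the old version."""
    work = tempfile.mkdtemp(prefix="cl_backup_")
    source, backups = os.path.join(work, "docs"), os.path.join(work, "backups")
    os.makedirs(source)
    original = b"PK\x03\x04 quarterly report"
    with open(os.path.join(source, "report.docx"), "wb") as fh:
        fh.write(original)
    with open(os.path.join(source, "notes.txt"), "wb") as fh:
        fh.write(b"unchanged between the two runs\n")
    first = snapshot(source, backups, "2013-10-01")
    with open(os.path.join(source, "report.docx"), "wb") as fh:
        fh.write(os.urandom(64))        # ransomware overwrites the document in place
    second = snapshot(source, backups, "2013-10-02")
    return {
        "original": original,
        "clean_copy": restore(backups, "2013-10-01", "report.docx"),
        "latest_copy": restore(backups, "2013-10-02", "report.docx"),
        # the unchanged file occupies one inode shared by both snapshots
        "notes_shared": os.path.samefile(os.path.join(first, "notes.txt"),
                                         os.path.join(second, "notes.txt")),
    }


if __name__ == "__main__":
    r = demo()
    print("older snapshot still clean:", r["clean_copy"] == r["original"])
    print("newest snapshot holds the encrypted version:", r["latest_copy"] != r["original"])
    print("unchanged file shared between snapshots:", r["notes_shared"])
```

Two properties matter for ransomware specifically: the backup target must not be writable by the user account that does the day-to-day work (otherwise the malware encrypts the snapshots too, which is the same lesson as the share-permissions tip), and retention must be long enough to reach back before the infection, since CryptoLocker may lie dormant before it reveals itself.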

A good start on your road to security and safety is a detailed assessment of your network: which shares exist, who can write to them, and what is backed up where.

Johannes Banck, CIO, offered this advice: “The moral of the story is: always have backups, always update your software, and do not open e-mail attachments unless you know who sent them.”

Have you been affected by CryptoLocker? Let us know your thoughts on this malware in the comments.


5 thoughts on “See how CryptoLocker Ransomware works, learn about prevention, cleanup and recovery”

  1. Pingback: Mike D

  2. Great blog site. A great deal of tips in this article. CryptoLocker is definitely scary. I am just giving this to a couple of close friends.

  3. Really cool post about malware and specifically cryptolocker ransomware, highly informative and professionally written. Good Job

  4. Pingback: How to prevent a CryptoLocker Ransomeware Virus attack

  5. Pingback: DattoBackup is Cryptolocker's Worst Enemy - IT Tech Support Blog CT
