What is CryptoLocker? CryptoLocker is malicious software that holds your files for ransom. It typically arrives as an infected email attachment, or as a secondary infection on a computer that is already compromised by other malware. Once the attachment is opened, the malware starts encrypting your files using a combination of RSA and AES: each file is encrypted with AES, and the AES key is in turn protected with an RSA public key whose private half is held only by the attackers. When it has finished, it displays a CryptoLocker payment program demanding a ransom of either $100 or $300 to decrypt the files, together with a countdown timer stating that you have 72 hours (3 days) to pay before the private key is deleted, after which there is no way to decrypt your files. The ransom must be paid using MoneyPak vouchers or Bitcoin. Once you send the payment and it is verified, the program decrypts the files it encrypted.
Who should be concerned? Since September 2013 the program has targeted all versions of Windows, including Windows XP, Windows Vista, Windows 7 and Windows 8, and a variant aimed at Android phone users has since been reported. In many campaigns the user is asked to open an email attachment, or the email carries a link to a file hosted on Dropbox or Google Docs. Mac computers are not affected. Here are some of the more common subject lines used:
- USPS – Your package is available for pickup ( Parcel 173145820507 )
- USPS – Missed package delivery (“USPS Express Services” <email@example.com>)
- USPS – Missed package delivery
- FW: Invoice <random number>
- ADP payroll: Account Charge Alert
- ACH Notification (“ADP Payroll” <*@adp.com>)
- ADP Reference #09903824430
- Payroll Received by Intuit
- Important – attached form
- FW: Last Month Remit
- McAfee Always On Protection Reactivation
- Scanned Image from a Xerox WorkCentre
- Scan from a Xerox WorkCentre
- scanned from Xerox
- Annual Form – Authorization to Use Privately Owned Vehicle on State Business
- Fwd: IMG01041_6706015_m.zip
- My resume
- New Voicemail Message
- Voice Message from Unknown (675-685-3476)
- Voice Message from Unknown Caller (344-846-4458)
- Important – New Outlook Settings
- Scan Data
- FW: Payment Advice – Advice Ref:[GB293037313703] / ACH credits / Customer Ref:[pay run 14/11/13]
- Payment Advice – Advice Ref:[GB2198767]
- New contract agreement.
- Important Notice – Incoming Money Transfer
- Notice of underreported income
- Notice of unreported income – Last months reports
- Payment Overdue – Please respond
- FW: Check copy
- Corporate eFax message from “random phone #” – 8 pages (random phone # & number of pages)
- past due invoices
- FW: Case FH74D23GST58NQS
- Symantec Endpoint Protection: Important System Update – requires immediate action
What should you do when you discover your computer is infected with CryptoLocker? The first thing to do is disconnect the machine from the wireless or wired network. This limits further damage: the malware can no longer reach files on mapped network drives and shares, and it can no longer talk to its command and control server. Some people have reported that the CryptoLocker screen only appears once the network connection is cut. Do not remove the infection from the %AppData% folder until you have decided whether you want to pay the ransom, because the payment program is what performs the decryption. If you are not going to pay, delete the Registry values and the files and the program will no longer load; you can then restore your data by other means. Note that CryptoLocker runs as two processes that watch each other: if you terminate only one of them, the survivor immediately relaunches it, so both must be terminated at the same time.
Is it possible to decrypt files encrypted by CryptoLocker? At the time of writing there is no way to obtain the private key needed to decrypt your files without paying the ransom. Brute forcing the key is not realistic: the RSA key is far too long to break in any useful amount of time. Decryption tools released by various companies for other ransomware will not work with this infection. The only ways to restore your files are from a backup or from Volume Shadow Copies, if System Restore is enabled. Newer variants of CryptoLocker attempt to delete the Shadow Copies, but they are not always successful, so it is worth checking whether any survived before giving up on them.
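The response steps above (take the machine off the network, decide about the ransom before removing anything, kill both processes at once, then look for surviving Shadow Copies) can be scripted. The following is an added example written for this page, not code from the original article or from the BleepingComputer writeup it cites. It assumes things the page does not state: that the autostart entry is a value under the HKCU or HKLM Run key whose target executable lives inside %AppData%, and that both watchdog processes run from that same executable. The script name Triage-CryptoLocker.ps1 and the -Remove switch are hypothetical.

```powershell
# Added example (not from the original article): triage a suspected
# CryptoLocker host from an elevated PowerShell prompt, after the machine
# has been taken off the network. Assumptions not stated on the page: the
# autostart entry is a value under the HKCU or HKLM Run key whose target
# executable lives under %AppData%, and the two watchdog processes run from
# that same executable path.
param(
    [switch]$Remove   # delete the autostart values only once you have decided not to pay
)

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$appData   = [Environment]::GetFolderPath('ApplicationData')   # expands to %AppData%
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Find autostart values that launch an executable from inside %AppData%
$suspects = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }   # provider metadata, not a Run value
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        # Take the executable path, quoted or not, ignoring any arguments
        if ($cmd -match '^\s*"?(?<exe>[^"]+?\.exe)' -and $Matches.exe -like "$appData\*") {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Path = $Matches.exe }
        }
    }
}
$suspects | Format-Table -AutoSize

# 2. Terminate BOTH copies in a single call: the malware's second process
#    restarts the first if they are killed one at a time.
$paths = @($suspects | Select-Object -ExpandProperty Path | Sort-Object -Unique)
$procs = Get-Process | Where-Object { $_.Path -and ($paths -contains $_.Path) }
if ($procs) {
    Stop-Process -Id @($procs.Id) -Force
    "Terminated PIDs: $($procs.Id -join ', ')"
}

# 3. Remove the autostart values only when explicitly asked (-Remove); until
#    you have decided about the ransom, leave the infection in place.
if ($Remove) {
    foreach ($s in $suspects) { Remove-ItemProperty -Path $s.Key -Name $s.Name }
}

# 4. Check whether any Volume Shadow Copies survived. Newer variants try to
#    delete them, and a surviving copy may let you recover files without paying.
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, InstallDate, VolumeName |
    Format-Table -AutoSize
```

Save it as Triage-CryptoLocker.ps1 and run it from an elevated prompt; run it again with -Remove only after you have decided not to pay. The single Stop-Process call with both process IDs is the important detail: killing the two processes one after the other gives the survivor time to restart its partner.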
If you don’t pay the ransom, will all data be lost? Only if you have no backup. Regular backups are your greatest defense against this and every other threat to your system: they let you clean the machine and then restore your files. If you were not keeping backups, learn from the mistake.
Can anti-virus software remove CryptoLocker and save my data? Good anti-virus software should be able to detect and remove CryptoLocker. However, anti-virus software cannot unscramble your data: removing CryptoLocker is not the same thing as decrypting your files. Protect your computer from infection by keeping anti-virus signatures and security patches up to date, and be cautious about opening unsolicited email attachments or clicking unknown links. In addition:
- Consider setting a Software Restriction Policy on your Windows PC that prevents executables from running from the locations the malware uses, such as the %AppData% folder where CryptoLocker installs itself.
- Make backups of your important data and keep them separate from your computer, so that if an infection does happen you can restore your valuable data.
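A Software Restriction Policy like the one suggested above can be set through the Local Security Policy editor, or written directly to the registry. The following is an added example for this page, not the article's own instructions. It writes the same registry layout that the SRP editor uses (CodeIdentifiers, with subkey 0 holding the Disallowed path rules); the particular list of path patterns, and the choice to block only .exe files under %AppData% and %LocalAppData%, are this example's assumptions rather than anything the page specifies.

```powershell
# Added example, not from the original article. Creates Software Restriction
# Policy path rules that block .exe files launched from %AppData% and
# %LocalAppData%, the profile folders CryptoLocker installs itself into.
# Run from an elevated PowerShell prompt; log off and on again, or reboot,
# for the rules to take effect. The registry layout is the one the Local
# Security Policy SRP editor writes; the rule list below is an assumption.
$base       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $base '0\Paths'      # subkey "0" = the Disallowed security level

New-Item -Path $disallowed -Force | Out-Null

# Default level stays Unrestricted (0x40000); only the explicit path rules
# below are Disallowed. Apply to all users (PolicyScope 0) and to all
# software files, not just libraries (TransparentEnabled 1).
Set-ItemProperty -Path $base -Name DefaultLevel       -Value 0x40000 -Type DWord
Set-ItemProperty -Path $base -Name TransparentEnabled -Value 1       -Type DWord
Set-ItemProperty -Path $base -Name PolicyScope        -Value 0       -Type DWord

# Assumed rule list: executables directly in, or one level below, the
# roaming and local application data folders of the current user.
$rules = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe'
)

foreach ($pattern in $rules) {
    # Each rule lives in its own GUID-named subkey, as the SRP editor creates them
    $ruleKey = Join-Path $disallowed ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -Value $pattern -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0        -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -Value 'Block executables in user profile data folders' -PropertyType String | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -Value ([datetime]::UtcNow.ToFileTime()) -PropertyType QWord | Out-Null
}

# Show the rules that are now in place
Get-ChildItem -Path $disallowed | ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
```

Before rolling this out, check which legitimate applications on your machines run from these folders (some updaters and chat clients install there) and add Unrestricted rules for them, or users will be locked out of software they need. The rules block execution, not the arrival of the attachment, so they complement rather than replace anti-virus and backups.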
Will paying the ransom actually decrypt your files? It has been reported that paying the ransom does result in a decryption key being sent, but not quickly: the criminals first verify that the payment has cleared before the key is released. Once decryption starts it still takes several hours, and the lost productivity during that time is costly. Be warned that there have been reports of the decryption process giving an error stating that it cannot decrypt a particular file; at this point we have no information on how to resolve this. Remember that cybercriminals are not exactly the most trustworthy group of people.
Contact us today for IT consulting, service and support on CryptoLocker.
Original articles include:
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#ransom
http://www.theguardian.com/technology/2014/jun/03/cryptolocker-what-you-need-to-know
If you fall into the CryptoLocker trap, or just want to learn more about how to protect yourself and your business, feel free to contact Altitude Unlimited Advanced Technology Solutions. At Altitude Unlimited, we have network security consultants ready to help you navigate issues around anti-virus protection, distributed denial of service (DDoS), data leak prevention (DLP) and other network security issues.
Our team can perform penetration testing and other security analysis services, and help you fully protect your business assets such as customer lists, credit card information and personnel information.