Hostage Situation! CryptoLocker Ransomware Virus

Ransom Screen

What is CryptoLocker?

We have seen two cases of this new ‘ransomware virus’ in the valley in the last 30 days – please make note!

CryptoLocker is a ransomware program that was released around the beginning of September 2013 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. This ransomware will encrypt certain files using a mixture of RSA & AES encryption. When it has finished encrypting your files, it will display a CryptoLocker payment program that prompts you to send a ransom of either $100 or $300 in order to decrypt the files. This screen will also display a timer stating that you have 72 hours, or 4 days, to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files. This ransom must be paid using MoneyPak vouchers or Bitcoins. Once you send the payment and it is verified, the program will decrypt the files that it encrypted.

What should you do when you discover your computer is infected with CryptoLocker?

When you discover that a computer is infected with CryptoLocker, the first thing you should do is disconnect it from your wireless or wired network and shut it down. This will prevent it from further encrypting any files. Some people have reported that once the network connection is stopped, it will display the CryptoLocker screen (shown above). Then you should get it into the shop ASAP to grab any files that have not already been affected, before they become encrypted and you lose them!

Is it possible to save files encrypted by CryptoLocker?

Unfortunately, at this time there is no way to decrypt your files without paying the ransom. Brute-forcing the decryption key is not realistic because of the time it would take, and the decryption tools that are available do not work with this infection. The only way to restore your files is from a backup, or from Shadow Volume Copies if you have System Restore enabled. Newer variants of CryptoLocker attempt to delete the Shadow Copies, but they are not always successful.

How do you become infected with CryptoLocker?

This infection is typically spread through emails sent to company email addresses that pretend to be customer-support notices from FedEx, UPS, DHS, etc. These emails contain a zip attachment that infects the computer when it is opened. The zip files contain executables disguised as PDF files: they carry a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Windows hides known file extensions by default, they look like normal PDF files and people open them. There have also been reports of contracting this infection from a webpage.

Known CryptoLocker email subjects include:

USPS – Your package is available for pickup ( Parcel 173145820507 )
USPS – Missed package delivery (“USPS Express Services” <service-notification@usps.com>)
USPS – Missed package delivery
FW: Invoice <random number>
ADP payroll: Account Charge Alert
ACH Notification (“ADP Payroll” <*@adp.com>)
ADP Reference #09903824430
Payroll Received by Intuit
Important – attached form
FW: Last Month Remit
McAfee Always On Protection Reactivation
Scanned Image from a Xerox WorkCentre
Scan from a Xerox WorkCentre
scanned from Xerox
Annual Form – Authorization to Use Privately Owned Vehicle on State Business
Fwd: IMG01041_6706015_m.zip
My resume
New Voicemail Message
Voice Message from Unknown (675-685-3476)
Voice Message from Unknown Caller (344-846-4458)
Important – New Outlook Settings
Scan Data
FW: Payment Advice – Advice Ref:[GB293037313703] / ACH credits / Customer Ref:[pay run 14/11/13]
Payment Advice – Advice Ref:[GB2198767]
New contract agreement.
Important Notice – Incoming Money Transfer
Notice of underreported income
Notice of unreported income – Last months reports
Payment Overdue – Please respond
FW: Check copy
Payroll Invoice
USBANK
Corporate eFax message from “random phone #” – 8 pages (random phone # & number of pages)
past due invoices
FW: Case FH74D23GST58NQS
Symantec Endpoint Protection: Important System Update – requires immediate action
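To show the attachment disguise described above in working code, here is an added example (not from the original post) that inspects a zip attachment the way a mail gateway or help desk could: it flags entries whose real last extension is executable behind a document extension, shows the name Windows would display with extensions hidden, and checks the content for the PE `MZ` header. The sample archive, its entry names other than FORM_101513.pdf.exe, and the file contents are constructed.

```python
import io
import zipfile

# Extensions Windows runs directly; a "document" ending in one of these is the
# disguise the article describes (FORM_101513.pdf.exe).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}

def windows_display_name(name):
    """Name as Explorer shows it with extensions hidden: only the last one is
    dropped, so FORM_101513.pdf.exe is displayed as FORM_101513.pdf."""
    base, sep, _ = name.rpartition(".")
    return base if sep else name

def classify_entry(name, head):
    """Reasons an entry looks like a disguised executable (`head` = first
    bytes of its content); an empty list means nothing suspicious."""
    reasons = []
    exts = name.lower().split(".")[1:]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + exts[-1])
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            reasons.append("double extension, shown as " + windows_display_name(name))
    elif head[:2] == b"MZ":  # Windows PE files start with the DOS header magic 'MZ'
        reasons.append("PE header behind a non-executable name")
    return reasons

def scan_zip_attachment(data):
    """Scan zip bytes; return {entry_name: [reasons]} for suspicious entries."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as f:
                head = f.read(4)
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip():
    """Constructed sample: a benign PDF, a double-extension executable and a
    PE renamed to .pdf ('MZ' stands in for a real binary)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 constructed sample")
        zf.writestr("FORM_101513.pdf.exe", b"MZ\x90\x00 constructed stub")
        zf.writestr("scan.pdf", b"MZ\x90\x00 constructed stub")
    return buf.getvalue()
```

Running `scan_zip_attachment(build_sample_zip())` reports the two disguised entries and leaves invoice.pdf alone; the same two checks apply to a file already saved to disk.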

How to prevent your computer from becoming infected by CryptoLocker.

As always, don’t open e-mail attachments from anyone you don’t know, or from those you do know who don’t typically send you such things. Don’t visit websites you’re not sure about. Don’t click on pop-ups or ads on websites you know nothing about. Keep your anti-virus up-to-date. Install your Windows Updates, Acrobat Reader Updates, Java Updates, Flash Player Updates, etc. These actually need to be updated because there are security holes in those programs that the updates will block, helping keep you from getting infected.

Most Antivirus Programs cannot stop CryptoLocker – and once you have it the only way to get your files is to pay the ransom.

Prevention is key!

The easiest, most user-friendly way we have found to prevent an encryption attack is CryptoGuard. This software monitors the file system for suspicious file operations (CryptoGuard is a driver installed by HitmanPro.Alert). When suspicious behavior is detected, the malicious code is blocked (its write, delete and rename operations are revoked) and an alert is presented to the user. So even while ransomware is active, it can’t harm your files.
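The behaviour-based idea behind CryptoGuard (watch what a process does to files, rather than relying on a signature) can be illustrated with a small added example that is not CryptoGuard’s or HitmanPro’s code: it scores a constructed log of file-system events and flags any process that renames, deletes, or writes high-entropy (encrypted-looking) data to many distinct files within a short window. The thresholds, the event format and the sample paths are assumptions made for this example.

```python
import math
from collections import defaultdict

# Thresholds are assumptions for this example, not CryptoGuard's actual rules.
MAX_FILES_PER_WINDOW = 5   # more distinct files than this in one window is abnormal
WINDOW_SECONDS = 10
ENTROPY_THRESHOLD = 7.0    # bits per byte; encrypted output approaches 8.0

def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def suspicious_processes(events):
    """events: (ts_seconds, pid, op, path, written_bytes) tuples, any order.
    Returns the pids that renamed, deleted, or wrote high-entropy data to more
    than MAX_FILES_PER_WINDOW distinct files within WINDOW_SECONDS."""
    per_pid = defaultdict(list)
    for ts, pid, op, path, data in events:
        if op in ("rename", "delete") or (op == "write" and shannon_entropy(data) >= ENTROPY_THRESHOLD):
            per_pid[pid].append((ts, path))
    flagged = set()
    for pid, evs in per_pid.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            touched = {p for t, p in evs[i:] if t - start <= WINDOW_SECONDS}
            if len(touched) > MAX_FILES_PER_WINDOW:
                flagged.add(pid)
                break
    return flagged

def sample_events():
    """Constructed log: an editor (pid 100) saving one document six times, and
    a process (pid 200) overwriting eight documents with uniformly distributed
    bytes and renaming each, all within four seconds."""
    text = b"Quarterly report draft. " * 16
    uniform = bytes(range(256))  # every byte value once: entropy exactly 8.0
    events = [(t, 100, "write", "C:/Users/a/report.docx", text) for t in range(0, 18, 3)]
    for i in range(8):
        path = f"C:/Users/a/doc{i}.docx"
        events.append((20 + i * 0.5, 200, "write", path, uniform))
        events.append((20.1 + i * 0.5, 200, "rename", path, b""))
    return events
```

`suspicious_processes(sample_events())` returns only pid 200; a real driver would act on such a verdict by revoking that process’s further writes, which this example does not attempt.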

This prevention tool is still in Beta, but can be downloaded from its developer in the Netherlands here. Click the orange ‘Download Beta’ button, save the file, double-click it, and follow the on-screen instructions.