What is CryptoLocker?
CryptoLocker is a virus that encrypts your data files (word, powerpoint, pictures, music, videos, etc.). The nefarious individuals then hold your data for ransom and try to extort money from you.
What computers are at risk?
All computers using Windows XP 2, Vista, 7, 8 and 8.1. ( This includes any Apple or Linux based computers running Windows in a virtual environment like Bootcamp, Parallels or VMWare)
How does Cryptolocker get in?
It gets in through infected email attachments, in an email masquerading as an official communication – for example this one from Companies House, purporting to say that a complaint had been lodged with Companies House against the recipient of the email – using techniques of Social Engineering to fool the recipient into opening the infected attachment.
What happens then?
Once the attachment is opened the virus is activated. (It can also gain access through drive-by downloads from infected web sites.).
The virus then silently gets to work scanning and encrypting all photos, videos, word/excel documents, Zip files, PDF etc that it can find. For this it needs the computer to be left on. One user reports that the email contained these instructions:
“You MUST renew your email address in our system by opening the attached file, unzip the folder to your desktop then double click – this will automatically send a signal to us and may take several hours to process, so please leave your computer on during that time”
Once the encryption process is complete, the following dialog box is displayed:
At this point you are in deep trouble:
- The virus can be cleaned quite easily – but
- Your files are indeed encrypted and their contents are inaccessible
- Any directories you share on a network, on a server or with another PC are likely to be infected also
- If you have a backup drive or device attached to your computer in real-time, your backups may be compromised also
Ways of recovering:
- A full guide to Cryptolocker can be found at http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
- The encryption cannot be broken
- Your files cannot be unencrypted with any available virus recovery tools
- Your files can only be unencrypted by paying the ransom to obtain the decryption software.
- Currently the going rate for this is anything from $300 to $2,500
- Unfortunately people are paying (and getting their files back) which is just going to encourage more of this kind of criminality.
- The process of paying is not straightforward
- You can restore from “Cold Storage” backups – where the backup device has been disconnected from your PC
- You can restore from some online backup services – provided your backups have not been over-written by the encrypted files – Dropbox has a facility for restoring previous versions
- You may be able to use Shadow Explorer to recover previous versions of your files
- How I dealt with a case of Cryptolocker calmit.org/cryptolocker-case-history
How to avoid Cryptolocker
- Don’t open unrecognised emails with attachments, and show file extensions for known file types
- Use an email service such as Gmail – which pre-screens email attachments for viruses
- Inoculate your PC – Download and run the Cryptoprevent tool
- Make sure your files are properly backed up:
- Back up regularly to an External Hard Drive
- Keep a second External Hard drive in a different location (like your car) and swap the drives regularly (this can save your bacon if your computer and external drive are stolen, or destroyed by fire/flood etc)
- Also use an online backup service like Dropbox
- Don’t go to online porn sites, which are often the source of malware downloads.
- Take care when clicking on adverts; never open Twitter links and attachments from people you don’t know or trust.
- Do not download files from Torrenting services. These files are often bundled with malware infections.
Other Important Precautions
- Make sure your operating system is up-to-date with the latest security patches.
- Install the latest versions of your internet browsers and update add-ons such as Java and Adobe Flash.
- Install good virus protection such as – all the major antivirus programs will detect Cryptolocker but no virus protection is 100% foolproof.
Is this the Shape of Things to Come?
- Probably – yes. The fact that the virus-creators are making a lot of money from this will only encourage them
- This is going to hit people hard who don’t keep any backups or up-to-date backups
- This is going to force us all to take more care – just as we understand the risks of drinking and driving – we are going to have to get better at protecting ourselves.