Cryptolocker – whatever you do, don’t pay!

Fiendish CryptoLocker ransomware: Whatever you do, don’t PAY – The Reg

A fiendishly nasty strain of Windows malware that uses advanced encryption to lock up user files before demanding a ransom is doing the rounds.

CryptoLocker, which first surfaced early last month, leaves users in danger of losing important files forever unless they pay up. Typically the crooks relieve them of around $300 (£185).

More recently CryptoLocker has been spreading as a secondary infection through the infamous ZeuS botnet. If successful, CryptoLocker will encrypt users’ files using asymmetric encryption, featuring a public and private key pair. The public key is used to encrypt and verify data, while the private key is used for decryption.

Sadly, you don’t want to give them your credit or debit card information or any means of payment really. These are the bad guys for Pete’s sake.

The article, on the 2nd page, says:

“In some cases, it may be possible to recover previous versions of the encrypted files using System Restore or other recovery software used to obtain ‘shadow copies’ of files,” according to an advisory by anti-virus firm Malwarebytes.

As the article notes, Sophos who has received a lot of encrypted files, hoping that the files can be decrypted:

“But as far as we can see, there’s no backdoor or shortcut: what the public key has scrambled, only the private key can unscramble.”

If you have encrypted your own data and know the keys, that’s good news. But if a bad guy encrypts your data, and they hold the keys, that’s a really bad.

Bottom line from the article:

Security experts agree that regular data backups are the best safeguard against potential calamity in the face of the threat.

The best you can do safely is to prevent this malicious ransomware from getting to your data.

From what I understand, this ransomware will encrypt data on any drive letter available to it on the computer and it can be detected over the local network.

Backup frequently. Remove your backup drive after backups.  Create a hard drive image and system repair disk in Windows. Make sure you have an image of your hard drive on the Mac as well and have backups but not connected between backups, so you don’t have to worry about this ransomeware.

Below is the best guide/faq for CryptoLocker Ransomware by Grinler (must be logged in to see his profile but his articles are available to the public):

CryptoLocker Ransomware Information Guide and FAQ by Lawrence Abrams at BleepingComputer

There is even a way to protect yourself in the guide/faq in #15 (in bold below).

Table of Contents

  1. The purpose of this guide
  2. What is CryptoLocker
  3. What should you do when you discover your computer is infected with CryptoLocker
  4. Is it possible to decrypt files encrypted by CryptoLocker?
  5. Will paying the ransom actually decrypt your files?
  6. Known Bitcoin Payment addresses for CryptoLocker
  7. CryptoLocker and Network Shares
  8. What to do if your anti-virus software deleted the infection files and you want to pay the ransom!
  9. How to increase the time you have to pay the ransom
  10. Is there a way to contact the virus author?
  11. How to restore files encrypted by CryptoLocker using Shadow Volume Copies
  12. How do you become infected with CryptoLocker
  13. How to generate a list of files that have been encrypted
  14. How to determine which computer is infected with CryptoLocker on a network
  15. How to prevent your computer from becoming infected by CryptoLocker
  16. How to allow specific applications to run when using Software Restriction Policies
  17. How to be notified by email when a Software Restriction Policy is triggered

For the most part, from my reading, or maybe completely, this appears to be a Windows only problem at the moment.

But it is always good to be prepared in case it makes a move on Macs too.

Advertisements