Cryptolocker – whatever you do, don’t pay!

Fiendish CryptoLocker ransomware: Whatever you do, don’t PAY – The Reg

A fiendishly nasty strain of Windows malware that uses advanced encryption to lock up user files before demanding a ransom is doing the rounds.

CryptoLocker, which first surfaced early last month, leaves users in danger of losing important files forever unless they pay up. Typically the crooks relieve them of around $300 (£185).

More recently CryptoLocker has been spreading as a secondary infection through the infamous ZeuS botnet. If successful, CryptoLocker will encrypt users’ files using asymmetric encryption, featuring a public and private key pair. The public key is used to encrypt and verify data, while the private key is used for decryption.

Sadly, you don’t want to give them your credit or debit card information or any means of payment really. These are the bad guys for Pete’s sake.

The article, on the 2nd page, says:

“In some cases, it may be possible to recover previous versions of the encrypted files using System Restore or other recovery software used to obtain ‘shadow copies’ of files,” according to an advisory by anti-virus firm Malwarebytes.

As the article notes, Sophos, which has received a lot of encrypted files from users hoping that the files can be decrypted, says:

“But as far as we can see, there’s no backdoor or shortcut: what the public key has scrambled, only the private key can unscramble.”

If you have encrypted your own data and hold the keys, that’s good news. But if a bad guy encrypts your data and they hold the keys, that’s really bad.
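To make the Sophos point concrete, here is an added example (not code from The Register, Sophos or this post) using only Go’s standard crypto/rsa package. It generates two unrelated key pairs, seals a constructed sample message under the first public key with RSA-OAEP, and then tries both private keys on the ciphertext. The matching private key gives the message back; the unrelated key fails outright rather than producing garbage. The function and type names are the example’s own.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// sealForKeyHolder encrypts a short message so that only the holder of the
// private key matching pub can read it (RSA-OAEP with SHA-256).
// A public key can only encrypt: Go's API does not even offer a way to
// decrypt with a *rsa.PublicKey, which mirrors the mathematics.
func sealForKeyHolder(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// openWithKey attempts to recover the message with a private key.
// With any key other than the matching one, the OAEP padding check fails
// and an error is returned instead of a garbled plaintext.
func openWithKey(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Outcome records what can and cannot be done with the ciphertext.
type Outcome struct {
	RightKeyRecovers bool   // the matching private key gives the message back
	OtherKeyFails    bool   // a different private key of the same size fails
	Recovered        []byte // plaintext recovered with the matching key
}

// Demonstrate generates two unrelated key pairs, seals a constructed sample
// message under the first public key, and tries both private keys on it.
func Demonstrate() (Outcome, error) {
	var out Outcome

	// The pair whose private half never leaves its owner; in the article's
	// scenario this is the pair the criminals control.
	holder, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	// An unrelated pair, standing in for any key a victim or researcher
	// might try without the real private key.
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}

	// Constructed sample data. RSA-OAEP only fits a short message; it is the
	// key property, not the payload size, that matters here.
	msg := []byte("constructed sample: quarterly report draft")

	ct, err := sealForKeyHolder(&holder.PublicKey, msg)
	if err != nil {
		return out, err
	}

	pt, err := openWithKey(holder, ct)
	if err != nil {
		return out, err
	}
	out.Recovered = pt
	out.RightKeyRecovers = bytes.Equal(pt, msg)

	_, err = openWithKey(other, ct)
	out.OtherKeyFails = err != nil

	return out, nil
}

func main() {
	out, err := Demonstrate()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("matching private key recovers data: %v\n", out.RightKeyRecovers)
	fmt.Printf("unrelated private key fails:        %v\n", out.OtherKeyFails)
}
```

Run it with `go run .` and both lines print `true`. There is no third outcome to try: without the private key the only copy of the data you can rely on is a backup that the malware never had access to, which is exactly the advice below.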

Bottom line from the article:

Security experts agree that regular data backups are the best safeguard against potential calamity in the face of the threat.

The best you can do safely is to prevent this malicious ransomware from getting to your data.

From what I understand, this ransomware will encrypt data on any drive letter available to it on the computer, and it can be detected over the local network.

Back up frequently. Remove your backup drive after each backup. Create a hard drive image and a system repair disk in Windows. Make sure you have an image of your hard drive on the Mac as well, and keep backups that stay disconnected between backup runs, so you don’t have to worry about this ransomware.

Below is the best guide/faq for CryptoLocker Ransomware by Grinler (must be logged in to see his profile but his articles are available to the public):

CryptoLocker Ransomware Information Guide and FAQ by Lawrence Abrams at BleepingComputer

There is even a way to protect yourself in the guide/FAQ, in item 15 of the table of contents below.

Table of Contents

  1. The purpose of this guide
  2. What is CryptoLocker
  3. What should you do when you discover your computer is infected with CryptoLocker
  4. Is it possible to decrypt files encrypted by CryptoLocker?
  5. Will paying the ransom actually decrypt your files?
  6. Known Bitcoin Payment addresses for CryptoLocker
  7. CryptoLocker and Network Shares
  8. What to do if your anti-virus software deleted the infection files and you want to pay the ransom!
  9. How to increase the time you have to pay the ransom
  10. Is there a way to contact the virus author?
  11. How to restore files encrypted by CryptoLocker using Shadow Volume Copies
  12. How do you become infected with CryptoLocker
  13. How to generate a list of files that have been encrypted
  14. How to determine which computer is infected with CryptoLocker on a network
  15. How to prevent your computer from becoming infected by CryptoLocker
  16. How to allow specific applications to run when using Software Restriction Policies
  17. How to be notified by email when a Software Restriction Policy is triggered

For the most part, from my reading, or maybe completely, this appears to be a Windows-only problem at the moment.

But it is always good to be prepared in case it makes a move on Macs too.


The ‘ole Conficker worm still infecting PCs years later

‘Obstinate’ Conficker worm infests millions of PCs years later
By Gregg Keizer, Computerworld

Suppressed botnet has 7M Windows machines in its grip three years after it first appeared

And Mac users thought they had it bad with their Flashback, which is not good, so don’t get me wrong here. But Apple should be watching situations like the Conficker worm/botnet closely. What’s that old saying? “There but for the grace of God go I,” or something like that.

Of course this is one of the most widespread botnets to hit Windows PCs, but still, it’s only one of many that are out there for PCs. And although Microsoft initially made mistakes similar to Apple’s in regard to malware/viruses/botnets, they made up for it in time. They even put out their own antivirus/antimalware program, Microsoft Security Essentials, free to home users to help protect them. But even with their many years of experience with these things and learning from their mistakes, there is this…

Concern about Conficker reached a crescendo when the mainstream media, including major television networks, reported that the worm would update itself on April 1, 2009. Because of the size of the Conficker botnet — estimates ran as high as 12 million at that point — and other mysteries, hype ran at fever pitch.

It also urged all Windows users to ensure they have applied the pertinent patch — MS08-067 — and for Windows XP and Vista machines, the March update that disables AutoRun.

Much more in the two-page article.