CryptoLocker and Variants
7 Oct, 2014
(October 2014) - To assist you with business continuity, PERRY proTech is sending important information on malware that has attacked many businesses in our area and elsewhere. This type of malware/ransomware has been an issue for over a year, and, while there have been successes in finding “how” this has been occurring, there has been no stopping it yet.
What is It?
Cryptolocker and variants are a class of malware known as ransomware. They infect Windows computers usually through email attachments. The emails appear to be from legitimate companies. The user is tricked into opening the attachment which infects the computer.
Once a machine has been infected, the malware generates an encryption key and sends that key to the hacker’s webserver. The program then starts encrypting specific file types on local and network mapped drives. The files targeted include MS Word, Excel, PowerPoint, and PDF, to name a few.
After the program has encrypted the files, it will display a message prompting the user to pay for the decryption key. It will also place a “how to decrypt.txt” or similarly named file in each directory where files were encrypted. The cost of the decryption key varies depending on the specific variant of the malware. In most cases, even if the ransom is paid, the decryption key is never sent.
The program does NOT replicate like a virus. Once the attachment has infected a machine, it typically will not infect additional machines, even if the original file attachment is re-executed. Each instance of the malware attachment is unique, which is the primary reason it is so difficult to catch with traditional anti-virus and anti-malware applications.
How to Protect Yourself
There are different ways an individual or an organization can handle the CryptoLocker threat. Since this threat starts as email carrying the malware as an attachment, its success depends on the lures used in the message to get the user to open the attachment.
Use safe computing practices when opening emails and file attachments, in general:
• Always check who the email sender is. If the email is supposedly coming from a bank, verify with your bank if the received message is legitimate. If from a personal contact, confirm if they sent the message. Do not rely solely on trust by virtue of relationship, as your friend or family member may be a victim of spammers as well.
• Double-check the content of the message. There are obvious factual errors or discrepancies that you can spot: a claim from a bank or a friend that they have received something from you? Try to go to your recently sent items to double-check their claim. Such spammed messages can also use other social engineering lures to persuade users to open the message.
• Refrain from clicking links in email. In general, clicking on links in email should be avoided. It is safer to visit any site mentioned in email directly.
• Always ensure your software is up-to-date. Currently there is no known CryptoLocker variant that exploits vulnerabilities to spread, but it can’t be ruled out in the future. Regularly updating installed software provides another layer of security against many attacks, however.
• Backup important data. Unfortunately, in most cases, there is no way to decrypt the files encrypted by CryptoLocker. One good safe computing practice is to ensure you have accurate back-ups of your files.
What to do if you are infected
• Isolate the computer. Disconnect the computer from all mapped network drives or completely disconnect the computer from the network. This will effectively stop the malware from encrypting files external to the computer itself.
• Remove the malware. Typically these types of malware are easily removed from a machine. The specific procedures vary depending on the specific variant. Contact PERRY proTech for assistance.
• Restore files from backup. In most cases, the encrypted files are unrecoverable. Files should be restored from backup or from Volume Shadow copies if they exist.
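As an added example (not part of the original advisory and not a PERRY proTech tool), the check below walks a directory tree the way a help desk might triage a mapped drive after isolating the machine: it flags dropped ransom notes (a filename containing “decrypt”, like the “how to decrypt.txt” described above; the exact name is an assumption, variants differ) and Office/PDF files whose leading bytes no longer match their format, which is what an encrypted document looks like on disk. The sample tree it builds is constructed for illustration.

```python
import os
import re
import tempfile

# Expected leading bytes for the file types the advisory says are targeted.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0", ".ppt": b"\xd0\xcf\x11\xe0",
    ".pdf": b"%PDF",
}
# Assumed ransom-note naming pattern ("how to decrypt.txt" and similar).
NOTE_RE = re.compile(r"decrypt", re.IGNORECASE)

def check_file(path):
    """Return a reason string if the file looks suspicious, else None."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    if ext == ".txt" and NOTE_RE.search(name):
        return "ransom note"
    sig = MAGIC.get(ext)
    if sig is None:
        return None  # not a file type we know how to judge
    with open(path, "rb") as fh:
        head = fh.read(len(sig))
    if not head:
        return None  # empty file: no content to compare
    return None if head == sig else "content does not match %s signature" % ext

def scan_tree(root):
    """Walk root and return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                reason = check_file(path)
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            if reason:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)

def demo():
    """Build a constructed sample tree (two intact files, one encrypted-looking
    PDF, one dropped note) in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "shared")
        os.makedirs(sub)
        open(os.path.join(root, "report.docx"), "wb").write(b"PK\x03\x04" + b"\0" * 32)
        open(os.path.join(sub, "invoice.pdf"), "wb").write(b"%PDF-1.4\n%stub")
        open(os.path.join(sub, "contract.pdf"), "wb").write(bytes(range(200, 256)))
        open(os.path.join(sub, "HOW TO DECRYPT.txt"), "w").write("constructed note")
        return scan_tree(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(rel, "->", reason)
```

A mismatch on a single file is not proof of infection (a renamed or corrupted file triggers it too), but many mismatches across a share together with a note in each directory matches the behaviour described above.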
If you need additional assistance, please call our help desk at 800.589.7360 or visit http://www.perryprotech.com