There is a new Virus threat spreading quickly across the Internet currently that is particularly wicked. It’s called CryptoLocker. I am writing this because I think there is some chance you could be at risk, either with your home PC or work computers. We had five people call us infected on the first day the virus was out. Please take a minute and read through this to the end where I suggest what you can do to help prevent getting infected.
The virus’s design has made it so that even current antivirus products running in your firewall and antivirus software on your PCs aren’t detecting it until it’s too late, if at all. The antivirus companies are trying to respond, but the virus ‘morphs’ each time it replicates, so it’s slippery for them to detect and block or quarantine.
What does it do?
In short, the virus is a form of Ransomware. Once it gets into your PC, it ‘encrypts’ all your personal files and data, and then holds your data hostage for ransom. In this case they want $300 to provide you with the unlock code to decrypt your files and remove their application.
Here is what the message will look like once it’s too late:
To motivate the affected user to quick action, they only give you 72 hours to act, then the data is lost forever.
Its design is such that if your IT person then tries to remove it, this will leave your files encrypted forever.
It gets worse. If your PC has external media like USB hard drives and USB keys attached, it encrypts those too. Imagine if your Backup drive was attached, it would be encrypted and unusable to restore your data from before the attack. Even worse, if your infected PC is connected to a network and you have connections to a Server, it reaches out and encrypts the data on the Server too. If you use a Cloud based storage like Dropbox or Google Drive, it will encrypt the data within those folders as well. If you use Internet Backup, the backup will pick up copies of the encrypted files. A giant mess.
What can you do if it happens to you?
If you get hit by this virus – make a note of the time you have left (in the 72 hours) and then SHUT OFF THE PC entirely! The longer it remains on, the more time it has to search and encrypt more files. It might be prudent to disconnect the network cable too if you are connected to an office network. Contact your IT person immediately for their assistance in recovery.
Our experiences so far indicate there is no way to simply clean it and recover like other spyware or viruses. If you have a backup that is safe somewhere (not connected to the infected PC), this is your best option for recovery, but don’t try to recover data to a machine infected with CryptoLocker; it will just destroy that precious backup. Backups come in many forms, so I can’t tell you exactly how to best use it, but your IT person can. It’s highly likely that you will need to reinstall Windows on your PC, and then restore your data to this clean PC (huge hassle). If your Server’s data got infected, you’ll need to restore that data as well.
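Because the virus also encrypts attached drives, server shares and synced cloud folders, a backup can end up holding encrypted copies next to intact ones. The following is an added example (not code from this post) of a small triage script that labels files in a restored backup as plain, compressed or likely encrypted by measuring byte entropy; the 7.5 bits-per-byte threshold, the short list of compressed-format magic bytes, the `.locked` file name and the sample files it builds are all constructed assumptions for the demonstration.

```python
import gzip
import math
import os
import tempfile
from collections import Counter

# Bits per byte (max 8.0) above which a file looks like ciphertext; assumed threshold.
ENCRYPTED_THRESHOLD = 7.5
# Formats that are legitimately near-random; matched by magic bytes so they
# are not mistaken for encrypted files. Constructed short list.
COMPRESSED_MAGIC = {b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip", b"\xff\xd8\xff": "jpeg"}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4 for English text, near 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_file(path: str) -> str:
    """Label one file so tainted backup copies can be told apart from intact ones."""
    with open(path, "rb") as f:
        data = f.read()
    for magic, name in COMPRESSED_MAGIC.items():
        if data.startswith(magic):
            return "compressed-" + name  # high entropy is expected here, not a sign of attack
    if len(data) < 256:
        return "too-small"  # entropy estimate is unreliable on tiny files
    return "likely-encrypted" if shannon_entropy(data) >= ENCRYPTED_THRESHOLD else "plain"

def triage(directory: str) -> dict:
    """Map each file name under directory to its label."""
    labels = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            labels[name] = classify_file(os.path.join(root, name))
    return labels

def build_sample_dir() -> str:
    """Constructed sample data: an intact document, a gzip archive, a stand-in ciphertext."""
    d = tempfile.mkdtemp()
    text = b"Quarterly invoice for shipping services, please review.\n" * 80
    with open(os.path.join(d, "invoice.txt"), "wb") as f:
        f.write(text)
    with open(os.path.join(d, "archive.gz"), "wb") as f:
        f.write(gzip.compress(text))
    with open(os.path.join(d, "invoice.txt.locked"), "wb") as f:  # hypothetical name
        f.write(os.urandom(4096))  # random bytes stand in for an encrypted file
    return d
```

Run `triage(build_sample_dir())` to see the three labels; on a real restore point, anything flagged likely-encrypted should be restored from an older, untouched version.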
Your very, very last option is to pay the ransom. In most Ransomware attacks, paying the ransom does not unlock your data (why would they). We have seen reports that paying the ransom in this particular case has been unlocking the data as indicated. You are paying criminals, who will just use that money to do more evil things. Think hard about this before you consider it. Might it be better to lose the data you ‘sort of need but could reconstruct’ than to propagate this issue and reward a criminal?
How it’s getting in
I can’t tell you for certain how it’s been getting in (which is troubling). Because it slips through the antivirus filters, there is no defense (yet) other than you using your smarts. Reports to date seem to indicate it gets in using one of two methods:
- As an attachment to an email message. Typically something claiming to be a shipping notice or receipt for your review. A common lure to get you to try and open the attachment to see what it is, and if you open that attachment the virus sets in.
- If your computer is already infected with some mild spyware (pop ups, other nuisances) they have found a way to exploit the Spyware’s communication methods to slip in and get started that way. This doesn’t need a user’s interaction, and is crazy scary.
To Defend Yourself:
- Don’t open attachments that come with emails unless you are 100% certain of the validity of the attached file. Meaning you should know who is sending it to you, why they are sending it, and you should have been expecting it. Even an emailed attachment from someone you know could be a cleverly disguised virus, so be SURE before you open it. You can always pick up the phone and contact that person to be sure they sent you something. YOU CAN’T rely on your antivirus software to defend you at the moment. You have to use your own smarts and avoid things that will trigger it.
- If you suspect that your PC has Spyware in any other way (acting weird, slow, pop-ups) contact your IT person to address this immediately. When in doubt, turn off the PC until your IT person evaluates it.
- Keep your Antivirus program up to date on a daily (or more frequent) basis. (If you are an MME client running Symantec Endpoint Protection, this happens automatically several times per day without your interaction needed.)
Basically, responsible surfing is the best defense.
I wish I had better news, but I thought I would at least give you a heads up for now.
Please spread the word to others in your office.
Update! Apparently there is some good news finally. The criminals have been tracked down, and two companies have developed a way for you to unlock your files (if you still have them). Check out the news at Engadget.com
One reply on “CryptoLocker Alert”
Steve, this may be a silly thought, but is there any way to view an infected file to identify a common thread, or line of code, that we can identify? My thought was to then include that identifier in our antivirus programs that probe email before allowing them in. Obviously, the writer of this virus is not as illiterate as they try to appear in their warning. I guess it originated here in the US, or in China.