CryptoLocker ransomware virus encrypts your data and holds it hostage – here’s how to avoid it

by Gramfan on November 9, 2013

in Gramfan (team member), malware, tech tips

CryptoLocker ransomware screen shot

Once the CryptoLocker virus infects your computer, it encrypts all your files and demands that you pay the perpetrators for the key to decrypt them. It encrypts not only the files on your computer, but also files on every machine it can reach over your local network, including all attached devices such as flash drives and external hard drives.

If you don’t pay the perpetrators before the deadline, they will destroy the key for your files, rendering them permanently inaccessible. Removing the virus from your computer and local network does not decrypt your files!

Files in cloud storage will also be encrypted if you have mapped the cloud storage to a drive letter on your computer.

Herald Sun (AU) has the story:

ONLINE hackers have a new reason to break into your computer – your cold, hard-earned cash.

A nasty new virus called CryptoLocker is infecting computers around the world – encrypting important files and demanding a ransom from their helpless owners to unlock them.

The ransom note pops up flashing on the computer screen, and the victim is given 72 hours to cough up the cash, or the files will be permanently deleted. A countdown clock indicates how much time you have left to pay the fee.

The amount demanded is usually $300, or two Bitcoins (approximately $US260 each).

“It systematically hunts down every one of your personal files – documents, databases, spreadsheets, photos, videos and music collections – and encrypts them with military-grade encryption and only the crooks can open it,” a senior security adviser at worldwide digital security company Sophos, Chester Wisniewski, told NBC’s Today program.

Once infected, your computer keeps working normally, but you can’t access any of your personal files. It’s terrifying if you haven’t backed up your data.

“Cybercrime is evolving, as the bad guys get smarter and use newer technologies,” said Michael Kaiser, executive director of the National Cyber Security Alliance. “They’re always looking for new ways to steal your money.”

“The author of this [malware] is a genius. Evil genius, but genius nonetheless,” an IT professional commented in an online tech forum. Another wrote, “This thing is nasty and has the potential to do enormous amounts of damage worldwide.”

Online forums are filled with horror stories of people and businesses losing important data and precious memories.

“The virus cleverly targeted…all of our family photos, including all photos of my children growing up over the last eight years,” wrote one victim. “I have a distraught wife who blames me!”

A business had 180,000 files encrypted after the virus infected one worker’s computer. The company had to shut down for two days, and eventually ended up paying the ransom fee.

So how do you protect yourself and your computer? Aside from caving and paying the ransom, defence and prevention is the only safe method.

“Back up, back up, back up,” said former White House Cyber Security Advisor Howard Schmidt. “That’s the only way to reduce the risk of losing your files forever.”

Krebs on Security: How To Avoid CryptoLocker Ransomware

Over the past several weeks, a handful of frantic Microsoft Windows users have written in to ask what they might do to recover from PC infections from “CryptoLocker,” the generic name for an increasingly prevalent and nasty strain of malicious software that encrypts your files until you pay a ransom. Unfortunately, the answer for these folks is usually either to pay up or suck it up. This post offers a few pointers to help readers avoid becoming the next victim.

According to reports from security firms, CryptoLocker is most often spread through booby-trapped email attachments, but the malware also can be deployed by hacked and malicious Web sites by exploiting outdated browser plugins.

The trouble with CryptoLocker is not so much in removing the malware — that process appears to be surprisingly trivial in most cases. The real bummer is that all of your important files — pictures, documents, movies, MP3s — will remain scrambled with virtually unbreakable encryption unless and until you pay the ransom demand, which can range from $100 to $300 (and payable only in Bitcoins).

File-encrypting malware is hardly new. This sort of diabolical threat has been around in various incarnations for years, but it seems to have intensified in recent months. For years, security experts have emphasized the importance of backing up one’s files as a hedge against disaster in the wake of a malware infestation. Unfortunately, if your backup drives are connected physically or via the local network to the PC that gets infected with CryptoLocker, your backups may also be encrypted as well.

Computers infected with CryptoLocker may initially show no outward signs of infection; this is because it often takes many hours for the malware to encrypt all of the files on the victim’s PC and attached or networked drives. When that process is complete, however, the malware will display a pop-up message similar to the one pictured above, complete with a countdown timer that gives victims a short window of time in which to decide whether to pay the ransom or lose access to the files forever.

Fortunately, there are a couple of simple and free tools that system administrators and regular home users can use to minimize the threat from CryptoLocker malware. A team of coders and administrators from an enterprise consulting firm have released the CryptoLocker Prevention Kit – a comprehensive set of group policies that can be used to block CryptoLocker infections across a domain. The set of instructions that accompanies this free toolkit is comprehensive and well documented, and the group policies appear to be quite effective.

Individual Windows users should check out CryptoPrevent, a tiny utility from John Nicholas Shaw, CEO and developer of Foolish IT, a computer consultancy based in Outer Banks, N.C. Shaw said he created the tool to mimic the actions of the CryptoLocker Prevention Kit, but for home users. So far, he said, the CryptoPrevent installer and its portable version have seen tens of thousands of downloads.

CryptoPrevent user interface

He notes that some antivirus tools have occasionally detected his kit as malicious or suspicious, and that McAfee SiteAdvisor currently lists his domain as potentially dangerous without explaining why (I know how he feels: was at one time flagged as potentially dangerous by this service). In addition, some folks have been thrown by the apparent expletive in his company’s domain name —

“When I started Foolish IT [back in 2008], I went for the domain but it wasn’t available and this was one of the suggestions that GoDaddy gave me,” Shaw said. “I thought it was funny and decided to go with it.”

CryptoLocker might be the best advertisement yet for cloud data storage systems. Johnny Kessel, a computer repair consultant with San Diego-based KitRx, has been urging clients to move more of their data to cloud services offered by Google and others. Kessel said one of his clients got hit with CryptoLocker a few weeks ago — losing access to not only the files on the local machine but also the network file server.

“This thing hit like pretty much all the file extensions that are usable, from Mp3s to [Microsoft] Word docs,” Kessel said. “About the only thing it didn’t touch were system files and .exe’s, encrypting most everything else with 2048-bit RSA keys that would take like a quadrillion years to decrypt. Once the infection happens, it can even [spread] from someone on a home PC [using a VPN] to access their work network, and for me that’s the most scary part.”
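The Krebs excerpt makes two points a defender can act on: backups reachable from the infected PC get encrypted along with everything else, and the infection shows no outward sign until the encryption pass is finished. The script below is an added illustration, not code from this post, from Krebs, or from any tool mentioned above: it records a SHA-256 manifest of a backup set while it is known good, then later reports files that have vanished or been overwritten, flagging overwritten files whose contents now look like ciphertext. All file names and contents in the demo are constructed; the 7.5 bits-per-byte threshold is an assumed heuristic.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext sits near 8.0. Caveat: so do JPEGs and zips,
    so the hash mismatch, not entropy alone, is the primary signal."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(v) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 of every file under root. Take it while the
    backup is known good and store it away from the backup media itself."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_manifest(root: Path, baseline: dict, threshold: float = 7.5) -> list:
    """Archival data should not change: report files that vanished or whose
    content changed, and mark changed files that now look like ciphertext."""
    findings, current = [], build_manifest(root)
    for rel, old_hash in baseline.items():
        if rel not in current:
            findings.append((rel, "missing"))
        elif current[rel] != old_hash:
            head = (root / rel).read_bytes()[:65536]
            kind = "changed,high-entropy" if shannon_entropy(head) > threshold else "changed"
            findings.append((rel, kind))
    return findings

def demo() -> list:
    """Constructed scenario: baseline taken, then one file is overwritten with
    random bytes (standing in for ciphertext) and another is deleted."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "photos").mkdir()
        (root / "photos" / "kids_2005.txt").write_bytes(b"family photo notes\n" * 50)
        (root / "budget.csv").write_bytes(b"month,amount\n" * 40)
        baseline = build_manifest(root)
        (root / "photos" / "kids_2005.txt").write_bytes(os.urandom(4096))
        (root / "budget.csv").unlink()
        return sorted(check_manifest(root, baseline))
```

Run `check_manifest` from a machine that is not the one being backed up, against a manifest kept offline; a manifest stored on the same mapped drive would be encrypted alongside the files it describes.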

For further reading on CryptoLocker, please see:

BleepingComputer discussion thread.

Malwarebytes: Cryptolocker Ransomware: What you need to know.

Naked Security (Sophos): Destructive malware Cryptolocker on the loose.

Reddit thread: Proper care and feeding of your Cryptolocker

Reddit thread: Cryptolocker is the nastiest malware ever and here’s what you can do

Ars Technica: You’re infected — if you want to see your data again, pay us $300 in Bitcoins


Luxembourg Defense Blog, December 11, 2016 at 1:23 pm

Thank you for this very good article, it is complicated to prevent this kind of piracy as human behavior is the weakness.
Luxembourg Defense Blog
