Tuesday, November 19, 2013

Cryptolocker Virus



Cryptolocker:  What to do to protect yourself and what to do if you get it.

What is Cryptolocker? Cryptolocker is a Trojan horse that surfaced in September 2013, a form of ransomware that targets computers running Microsoft Windows. It arrives disguised as a legitimate email attachment. When run, it encrypts a wide range of document, image and other data files, on local drives and on any mapped network shares it can reach, using a combination of AES and RSA: each file is encrypted with AES, and the AES key is in turn encrypted with an RSA public key whose matching private key never leaves the attackers' server. When finished it prompts the user to pay a fee for that private key, without which the files it is holding ransom cannot be unlocked.

A screen displays a timer counting down; its purpose is to create a sense of urgency to "pay" the fee and get the files back. In November 2013 the operators of the malware put up a website for victims whose timer had already run out, offering them the option of buying the key even after the deadline, at a considerably higher price.


The ransom must be paid with MoneyPak vouchers or Bitcoin. Once the payment is sent and verified, the program fetches the private key and decrypts the files. Bear in mind that this depends entirely on the criminals honouring the deal and on their servers still being reachable; paying is no guarantee of getting the files back.



What should you do if you are infected with Cryptolocker? The first thing to do is disconnect the infected machine from the network, wired and wireless. Cryptolocker does not spread to other computers on its own, but it encrypts files on any mapped network drives and shares it can reach, so every minute it stays connected puts more shared data at risk. Ideally, you should have your files backed up to a drive or device that is not connected to the network and not left permanently attached to the PC, since an attached backup drive is just another drive for the malware to encrypt.

Is it possible to decrypt the files encrypted by Cryptolocker? Unfortunately, at the time of this writing there is no known way to recover the private key or to break the encryption; the RSA private key exists only on the attackers' server. The only method of restoring the files is from a backup copy or disk image taken before the infection.
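Since Cryptolocker leaves file names and extensions untouched, the hard part of the restore step above is working out which files were actually hit. The following triage script is an added example, not code from the original post: it walks a directory, checks each file's leading bytes against the header its extension should have, and measures the entropy of the first 4 KiB (ciphertext looks random, a document does not). The magic-byte table, the 7.5 bits-per-byte threshold and the sample tree it builds are constructed for illustration.

```python
"""Triage which files an infection has encrypted so you know what to restore.

Added example, not from the original post. Thresholds, the magic-byte table
and the sample directory tree are constructed for illustration.
"""
import math
import os
import tempfile
from collections import Counter
from typing import Dict, List

# Leading bytes a genuine file of each type starts with (assumed table, common formats only).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits close to the maximum of 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str) -> bool:
    """True when the header is missing for a known type and the content looks random."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(4096)
    magic = MAGIC.get(ext)
    if magic is not None and head.startswith(magic):
        return False  # expected header present: not encrypted
    # Unknown or missing header: fall back to entropy. Compressed formats not in
    # MAGIC can trip this, so treat hits as candidates to confirm, not proof.
    return shannon_entropy(head) > ENTROPY_THRESHOLD


def triage(root: str) -> Dict[str, List[str]]:
    """Sort every file under root into 'encrypted' (restore from backup) or 'intact'."""
    result: Dict[str, List[str]] = {"encrypted": [], "intact": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            result["encrypted" if looks_encrypted(path) else "intact"].append(rel)
    for bucket in result.values():
        bucket.sort()
    return result


def build_sample_tree(root: str) -> None:
    """Constructed sample: two intact files and two files overwritten with random bytes."""
    docs = os.path.join(root, "docs")
    os.makedirs(docs, exist_ok=True)
    with open(os.path.join(docs, "intact.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n" + b"Lorem ipsum dolor sit amet. " * 100)
    with open(os.path.join(docs, "notes.txt"), "wb") as f:
        f.write(b"Plain text notes, low entropy.\n" * 50)
    for name in ("encrypted.pdf", "photo.jpg"):
        with open(os.path.join(docs, name), "wb") as f:
            f.write(os.urandom(4096))  # stands in for AES ciphertext


def run_demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for bucket, files in run_demo().items():
        print(bucket, files)
```

Run it against the root of a restored share or user profile and the "encrypted" list is the set of files to pull from backup; anything in "intact" can stay. Confirm a sample by hand before deleting anything, since the entropy check alone cannot tell ciphertext from a compressed archive whose type is not in the table.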

How do I find out if I have been infected with Cryptolocker? An active infection is hard to miss: the ransom screen appears once encryption has finished, and documents that used to open fine now open as garbage. To confirm and clean the machine, make sure you have an anti-virus suite or program installed with up-to-date definitions, and run a full scan. Various free scanning tools are available on the web if you do not have anti-virus installed; a quick Google search will point you in the right direction. There are also methods of removing the malware manually from the registry and the file system, which is not recommended for the non-computer-savvy user. Keep in mind that removing the malware does not decrypt anything; it only stops further damage.

How do I become infected with the Cryptolocker virus? The infection typically arrives by email, often at company addresses, disguised as a customer-support or shipping notification from a well-known company such as FedEx, USPS, UPS or DHL. The attachment, usually inside a .zip, might be named 1056_FORM.exe or 1056_FORM.pdf.exe. Since Windows hides extensions for known file types by default, 1056_FORM.pdf.exe shows up in Explorer as 1056_FORM.pdf and looks like a normal PDF file. Turning on the display of file extensions in Explorer's Folder Options makes the disguise obvious.
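The double-extension trick above is easy to catch automatically before the attachment ever reaches a user. The script below is an added example and not part of the original post; it checks each attachment name for an executable extension hiding behind a document extension, looks inside .zip attachments for the same thing, and also flags files whose content starts with the Windows executable "MZ" header regardless of what the name claims. The attachment names and contents it scans are constructed for illustration (the `fake_pe` bytes are a stand-in, not a real executable), and the extension lists are assumptions to tune for your environment.

```python
"""Flag email attachments that disguise an executable as a document.

Added example, not from the original post. Sample attachments are
constructed in memory; names, contents and extension lists are hypothetical.
"""
import io
import os
import zipfile
from typing import Dict, List, Optional, Tuple

# Extensions Windows will run as code when double-clicked (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a user expects to open as a harmless document (assumed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify_name(filename: str) -> Optional[str]:
    """Return a reason if the name looks like a disguised executable, else None."""
    name = os.path.basename(filename)
    root, ext = os.path.splitext(name)
    if ext.lower() not in EXECUTABLE_EXTS:
        return None
    # 1056_FORM.pdf.exe: with extensions hidden, Explorer shows it as 1056_FORM.pdf.
    inner_ext = os.path.splitext(root)[1].lower()
    if inner_ext in DOCUMENT_EXTS:
        return f"double extension: displayed as '{root}', really {ext.lower()}"
    return f"executable attachment ({ext.lower()})"


def scan_attachment(filename: str, data: bytes) -> List[str]:
    """Return findings for one attachment, descending into ZIP archives."""
    findings: List[str] = []
    reason = classify_name(filename)
    if reason:
        findings.append(f"{filename}: {reason}")
    ext = os.path.splitext(filename)[1].lower()
    # A PE file starts with "MZ"; catch executables renamed to a document extension.
    if data[:2] == b"MZ" and ext not in EXECUTABLE_EXTS:
        findings.append(f"{filename}: content is a Windows executable (MZ header) despite its extension")
    if ext == ".zip" and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                inner = classify_name(member)
                if inner:
                    findings.append(f"{filename} -> {member}: {inner}")
    return findings


def scan_all(attachments: List[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Scan a list of (filename, content) pairs; empty list means nothing suspicious."""
    return {name: scan_attachment(name, data) for name, data in attachments}


def build_samples() -> List[Tuple[str, bytes]]:
    """Constructed attachments standing in for a Cryptolocker-style lure (hypothetical)."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # stand-in for a PE header, not a real program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("1056_FORM.pdf.exe", fake_pe)
    return [
        ("1056_FORM.pdf.exe", fake_pe),                  # the double-extension lure itself
        ("invoice.pdf", b"%PDF-1.4\n%constructed sample\n"),  # a genuine-looking PDF
        ("1056_FORM.zip", buf.getvalue()),               # the lure wrapped in a zip
        ("report.pdf", fake_pe),                         # executable renamed to look like a PDF
    ]


if __name__ == "__main__":
    for name, findings in scan_all(build_samples()).items():
        print(name, "->", findings or "clean")
```

Hooked into a mail gateway this is a coarse but effective filter: anything with a non-empty findings list gets quarantined for a human to look at. Name checks alone miss a renamed executable, which is why the "MZ" content check is there as well.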

I have provided links below to pages that discuss the Cryptolocker virus, mitigation methods and removal in more depth:

http://www.networkworld.com/news/2013/111413-cryptolocker-practices-275987.html?hpg1=bn