This is a virus we’re watching closely, and working with our clients to help them avoid.
CryptoLocker is malicious ransomware that encrypts your entire computer and holds it for ransom. Don’t underestimate this virus. It’s dangerous. It has spread internationally, and Canadians make up 6% of the victims.
CryptoLocker can spread from your computer to your mapped network drives and mounted external hardware, such as the office USB drive. Every document is encrypted using military-grade 2048-bit RSA, and the encryption key is stored remotely on the attackers’ server. This makes decryption nearly impossible.
How does it spread?
There are three ways CryptoLocker accesses a computer:
1. Phishing emails are the most common way of catching CryptoLocker. The virus sends out fake customer-service emails that appear to come from companies including, but not limited to, FedEx, UPS, DHL and Intuit. There has also been a report of CryptoLocker arriving as a fake voicemail receipt. The attachments are zip files whose contents look like PDFs. The files are labelled similarly to FORM_101513.exe or FORM_101513.pdf.exe.
2. Some websites have been hacked to host code that exploits security vulnerabilities on your computer in order to install CryptoLocker.
3. Trojans disguised as fake “required programs” needed to play videos.
How do I know I’m infected?
Look for ports on your network switch where the lights blink a lot. This shows heavy traffic and high bandwidth use. Ask your network administrator; they will be able to identify a change in the user ownership name on the affected files.
You’ll also receive this red pop-up.
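As an added example, not part of the original post: a burst detector over file-server audit records that turns the “heavy traffic” sign above into something an administrator can actually check. It flags any user account that writes to more than a threshold number of distinct files within a short window, which is what the encryption of a mapped drive looks like from the file server’s side. The log line format, user names, paths, threshold and window are constructed assumptions for illustration, not the layout of any real audit log.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed layout for the example: "<ISO time> <user> <ACTION> <path>".
# Real audit logs (e.g. Windows object-access events) differ in format.
SHARE = r"\\fs01\shared"


def parse_record(line):
    """Parse one constructed audit line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path


def find_burst_writers(lines, window=timedelta(seconds=60), threshold=50):
    """Return {user: peak number of distinct files written inside one `window`}
    for every user whose peak reaches `threshold`. Normal editing touches a
    handful of files; a machine encrypting a mapped drive rewrites hundreds."""
    records = sorted(parse_record(line) for line in lines)
    recent = defaultdict(deque)   # user -> (timestamp, path) pairs inside the window
    peak = defaultdict(int)
    for ts, user, action, path in records:
        if action != "WRITE":
            continue
        q = recent[user]
        q.append((ts, path))
        while ts - q[0][0] > window:       # drop writes older than the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > peak[user]:
            peak[user] = distinct
    return {u: n for u, n in peak.items() if n >= threshold}


def constructed_audit_log():
    """Constructed sample: alice edits one spreadsheet a few times; bob's
    infected workstation rewrites 80 distinct documents on the share in 40 s."""
    base = datetime(2013, 10, 15, 9, 0, 0)
    lines = []
    for i in range(5):
        t = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{t} alice WRITE {SHARE}\\budget.xlsx")
    for i in range(80):
        t = (base + timedelta(milliseconds=500 * i)).isoformat()
        lines.append(f"{t} bob WRITE {SHARE}\\doc{i:03d}.docx")
    # A read from a third user; the detector only counts writes.
    lines.append(f"{base.isoformat()} carol READ {SHARE}\\notes.txt")
    return lines


if __name__ == "__main__":
    for user, n in find_burst_writers(constructed_audit_log()).items():
        print(f"ALERT: {user} wrote {n} distinct files within 60 s; check mapped drives")
```

The threshold and window should be tuned to the share in question: a build server or a nightly batch job will legitimately exceed 50 writes a minute, so the alert is a prompt to look at the account named in the ownership change, not a verdict on its own.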
What should I do if I’m infected?
First of all, if you’re using a local backup program, turn it off. A scheduled backup run while your files are encrypted may overwrite your previous, clean versions.
CryptoLocker demands $300 through MoneyPak or Ukash, or 2 Bitcoins (Bitcoin is an open-source online currency). Currently, 1 Bitcoin is equivalent to $227.14 CAD. The red pop-up box gives you a 96-hour period to pay, but numerous online forums say many victims did not receive their key after paying the ransom.
If you choose not to pay, you can attempt to wipe your entire computer and restore from a backup image or from Shadow Copies through System Restore. This process is not guaranteed to work, though.
What happens if restore doesn’t work?
If CryptoLocker spread to your network shares, you will still be affected by the encryption there. CryptoLocker’s operators have also set up their own decryption service, which costs 10 Bitcoins.
How do I prevent getting attacked?
First, be diligent about your emails. If you are not 100% confident that an email attachment is safe, do not open it; delete the email right away.
What signs should you look for?
- Unknown senders
- Zip files
- Improperly named attachments
- Non-personalized content
- Wrong information
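An added example, not from the original post, showing how the attachment-related signs above (zip files, improperly named attachments) and the FORM_101513.pdf.exe naming described under “How does it spread?” can be screened automatically before a user ever sees the attachment. It checks a filename for an executable extension hidden behind a document extension, looks inside a zip attachment without extracting anything, and flags generic FORM_<digits> names. The extension lists, the function names and the constructed sample zip are assumptions for illustration.

```python
import io
import re
import zipfile

# Extensions Windows will run directly. A "document" ending in one of these is
# the disguise the post describes (FORM_101513.pdf.exe). Lists are assumptions.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def suspicious_name(name):
    """Return the list of reasons a single attachment filename looks like a lure."""
    reasons = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return reasons
    exts = ["." + p for p in parts[1:]]
    if exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension " + exts[-1])
        # A document extension placed before the real one, e.g. .pdf.exe.
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):
            reasons.append("double extension disguises executable as document")
    # The generic FORM_<digits> naming the post mentions; a weak signal on its own.
    if re.match(r"form_\d+\.", base):
        reasons.append("generic FORM_<digits> name")
    return reasons


def screen_zip_attachment(data):
    """Inspect a zip attachment's entry names only; nothing is extracted or run."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = suspicious_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample lure: a zip carrying a fake 'PDF' that is really an
    .exe by name. The payload bytes are a placeholder, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FORM_101513.pdf.exe", b"placeholder bytes, not a program")
        zf.writestr("readme.txt", b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reasons in screen_zip_attachment(build_sample_zip()).items():
        print(f"QUARANTINE {entry}: " + "; ".join(reasons))
```

In a mail gateway this check belongs alongside, not instead of, the filtering provider’s signatures: name-based screening catches the lure the post describes even before a definition exists, but a plain .exe renamed to .pdf passes it, which is why the user-facing signs above still matter.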
Second, check for updates with your email filtering provider. Quartet has partnered with Barracuda Networks, who have been pushing out virus definitions for CryptoLocker.
Finally, back up your data regularly to a secure, remote location such as cloud storage like Q-Box.
You are the first line of defense
CryptoLocker is not the first ransomware, but it is very aggressive. Spam filtering and antivirus programs should be the last line of defense. Therefore, practice smart computing — educate your users, run regular updates and enforce the company user policy — to protect yourself.