
Once this malware is allowed onto a computing device it encrypts the files on the victim's computer and demands a ransom of $300, to be paid within 72 hours, in order to decrypt the victim's files.

In early September 2013, security experts around the world became aware of a very nasty piece of malware that, once executed, encrypts the files on the victim's computer and then demands a cash ransom for decryption. We have little evidence that even paying will get the files back.

This is one of the most destructive malware infections we have ever seen! It is essential that anyone with a connection to the Internet is aware of this beast.

Files Become Unreadable

This type of malware is popularly known as ransomware and is spread using social engineering tricks, especially emails with attachments that pose as FedEx, banking, credit card or UPS tracking notifications. Once the victim opens such an attachment, CryptoLocker is installed and starts scanning the hard disk for all kinds of documents: images, videos, documents, presentations, spreadsheets, and any backup files that happen to be kept on the same system. It then encrypts these files, converting them into an unreadable form. The ransomware pops up a message demanding a payment of $300 (currently) in exchange for the private key needed to decrypt the files, and displays a time limit within which the payment must be made.

CryptoLocker uses RSA public-key encryption, with a unique public/private key pair for each victim, to encrypt its victim's data. Files encrypted in this way cannot be decrypted without access to the private key. That key is not stored on the infected computer but on the hackers' own system, to which nobody but the hackers has access.

No Known Fix After Infection

If you've already been hit, IT'S TOO LATE. There is no known fix other than paying the ransom: without the key it is not possible to decrypt the data encrypted by this malware. The malware gives a window of 72 hours to pay the ransom and obtain the private key that decrypts your data. If the amount is not paid, the hackers destroy the private key and your encrypted data is locked forever with no way to recover it. The hackers behind this malware avoid being traced by taking payment through digital cash systems such as Bitcoin, Ukash and MoneyPak, where payments can be anonymous.

Here are two very simple steps you can take to minimize your risk:

  • Never entertain unknown or unwanted emails with attachments, especially those claiming to be FedEx, banking, credit card or UPS tracking notifications. Use strong anti-phishing, anti-spam and content filtering to block fraudulent emails and malicious web sites.
  • Ensure that your systems are backed up regularly, preferably daily, with multiple versions retained and a copy kept at an off-site location where the malware cannot reach it.

Contact us on 01865 322100 or via the form on this page if you would like to discuss protection against this type of intrusion.

To see how CryptoLocker works, and just how powerful an infection it is, look at this video from Sophos. (All the major providers of malware protection will work, so we're not particularly endorsing Sophos; they just have the best demonstration we've seen.)

Credit to Bob Milliken of Cascadia Systems Group for inspiring this post.