Information about CryptoLocker


CryptoLocker is a ransomware virus. The virus encrypts all data on your computer and then demands payment to release it. This type of virus is one of the most dangerous on the internet today, for three reasons: 1) so far it has been bypassing antivirus programs, 2) there is no way to decrypt the files without sending money to the attackers, and 3) it specifically targets businesses and encrypts all data on network drives.

To make this worse, we have seen a variation of the virus that does not ask for a ransom at all. It simply encrypts all network files and then deletes itself. This behaviour is the reason antivirus companies are having a hard time protecting against it.

To help fight the virus we have created this best practice guide. It answers common questions about the virus and provides the resources you need to keep your computer and your network safe.

WHO IS IN DANGER OF BECOMING INFECTED

Any version of Windows can be infected with the CryptoLocker virus. If you are running Mac or Linux you cannot get infected. However, if you are running Parallels or Boot Camp on your Mac with a virtual copy of Windows, that Windows installation can get infected. Also, an infected Windows computer can encrypt files on a non-Windows computer if they are mapped as shared drives.

HOW DO YOU BECOME INFECTED

This infection is typically spread through emails sent to company email addresses that pretend to be customer support issues from FedEx, UPS, DHL, etc. These emails contain a zip attachment that infects the computer when opened. The zip files contain executables disguised as PDF files: they carry a PDF icon and are typically named something like FORM_xxxxxxx.exe or FORM_xxxxxxx.pdf.exe. Since Windows does not show file extensions by default, they look like normal PDF files and people open them.
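As an added example (not part of the ECS Team guide), here is a small Python check that a mail gateway or help desk could run on a zip attachment before anyone opens it. It flags the double-extension trick described above and also compares each file's first bytes with what its name claims. The sample zip and its member names are constructed inline for the demonstration.

```python
import io
import zipfile

# Extensions Windows runs as programs, and the document types attackers imitate.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

def classify_name(name: str) -> list[str]:
    """Reasons a file name looks like an executable disguised as a document."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    last = "." + parts[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
        # FORM_xxxxxxx.pdf.exe: a document extension hidden in front of the real one
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
            reasons.append(f"double extension hides {last} behind .{parts[-2]}")
    return reasons

def classify_content(name: str, data: bytes) -> list[str]:
    """Compare what the name claims with what the first bytes actually are."""
    reasons = []
    lowered = name.lower()
    if lowered.endswith(".pdf") and not data.startswith(b"%PDF"):
        reasons.append("named .pdf but does not start with %PDF")
    if data.startswith(b"MZ") and not lowered.endswith(tuple(EXECUTABLE_EXTS)):
        reasons.append("Windows executable (MZ header) with a non-executable name")
    return reasons

def scan_zip_attachment(zip_bytes: bytes) -> dict[str, list[str]]:
    """Scan every member of a zip attachment; returns {member: reasons} for suspicious ones."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.read(info.filename)[:8]  # only the header is needed
            reasons = classify_name(info.filename) + classify_content(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample attachment: one disguised executable and one real PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FORM_1234567.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")
    return buf.getvalue()
```

Running scan_zip_attachment(build_sample_zip()) reports only the FORM_1234567.pdf.exe member, with both the executable-extension and double-extension reasons.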

HOW TO PROTECT YOURSELF

The best way to protect yourself and your company against any virus is to follow these short best practices.

1) Updated antivirus – Make sure your antivirus program is up to date. It’s not enough to have antivirus running on your computer; you want the latest version of the software and the latest virus definitions. Each antivirus manufacturer has its own “best practice” recommendations. Make sure behavior monitoring is turned on and those recommendations are followed.

2) Backup of your computer and your network – It is critical to make sure your computers and servers are backed up. Backups sometimes fail, so testing a backup is critical to making sure you can actually retrieve your data. If you have a local backup, we highly recommend you also have an offsite or online backup. Having a copy of your data in a different location than your office makes sure it will not be affected by the virus or by other destructive events. Sometimes a good backup is your best safeguard.

To help you choose the right backup solution we have compiled a business backup guide. Click the link for more information.

3) Firewall – A good firewall can prevent bad guys from infecting your system. It can stop a user from reaching an infected website and significantly reduce the chance of infection. A good firewall can save a company thousands of dollars by stopping a threat before it reaches the network.

4) Updates and Patches – Making sure your computer is updated is a good practice that can prevent a virus from infecting it. However, patching alone does not stop this particular virus, because it spreads through user action (opening the attachment) or through other malware already present on the computer.

5) Be cautious when opening attachments – Virus creators need you to click on a file to infect your computer. When you click the file, you give the virus the green light to do its damage. Be alert: do not open any attachment unless you know who is sending it to you. If you have any doubt about an email, call the person who sent it and ask whether it is legitimate.

SOFTWARE TO PREVENT INFECTION

In addition to the items mentioned above, we have also noticed some third-party tools that claim they can prevent ransomware or CryptoLocker from infecting your computer. Specifically, we found a tool called CryptoPrevent. This tool changes how your computer works by restricting specific types of activity on the computer. It can prevent CryptoLocker, but in a business environment it is also possible that it will cause other applications to stop working correctly. Without further testing, using this tool can lead to other problems.

Link to CryptoPrevent:
http://www.foolishit.com/download/cryptoprevent/

We strongly believe the best route to protection is to make sure your network is fully updated.

I’M INFECTED, WHAT CAN I DO?

If you find out that you are infected, the first step is to disconnect the computer from the network so that the virus cannot do additional damage. The next step is to check whether you have a backup that was not damaged by the virus. This should be done from a computer that is not infected. If you have a working backup, then perform the virus cleanup using an updated version of your antivirus software.

WARNING: removing the virus without a valid backup, or without paying the ransom, will most likely make your files permanently inaccessible.

I DO NOT HAVE A BACKUP, CAN I PAY TO GET MY FILES BACK?

Some victims reported that paying the ransom within the given time period did get their files restored. However, this is by no means a guarantee. The money transfer is anonymous, and some victims reported problems with the file restore. Since the creators of the virus are unknown, there is no tech support or anyone to ask for help should the decryption fail.

Also, before paying, consider what your money will be used for. Perhaps creating more viruses or sponsoring other terrorist activities? The final decision is left to the person or company infected with the virus.

I HAVE DROPBOX, GOOGLE DRIVE, SKYDRIVE, AM I PROTECTED?

Dropbox, Google Drive, SkyDrive, and many other cloud file sharing services sync your files across multiple computers. If your files are encrypted by the virus, the modified (encrypted) versions will be synced and replicated to all of your connected computers. The good news is that you will be able to revert the files to a prior version. The bad news is that you will have to do this one file at a time; the more files you have, the more time consuming this will be.

WHERE CAN I LEARN MORE ABOUT THE VIRUS

Below is a collection of articles from different antivirus companies, along with each company’s instructions on how you can protect your computer and your network.

Kaspersky –
http://blog.kaspersky.com/cryptolocker-is-bad-news/

Malwarebytes –
http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/

Sophos –
http://nakedsecurity.sophos.com/2013/10/18/CryptoLocker-ransomware-see-how-it-works-learn-about-prevention-cleanup-and-recovery/

Trend Micro –
http://esupport.trendmicro.com/solution/en-US/1099423.aspx

Symantec –
http://www.symantec.com/connect/blogs/cryptolocker

Bleeping Computer –
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#disconnect

DO YOU NEED ADDITIONAL HELP?

ECS Team is working with our clients to help protect them against this and other viruses. If you need help or have questions about this or other IT issues, please contact us.

Thank you,
ECS Team.