The Blog of HindSight IT & Telecoms Ltd otherwise known as "Confessions of an IT Engineer" or "The Secret Diary of an IT Engineer aged 39 and 3 quarters"
CryptoLocker Virus Prevention
Virus Alert! - Prevent infection from CryptoLocker Viruses
Britain’s National Crime Agency (NCA) has issued an “urgent alert” to computer users about the threat posed by the CryptoLocker malware.
The NCA has warned that CrytoLocker has been targeting small-to-medium sized businesses and spamming "tens of millions" UK users.
The agency didn't say how many British businesses have been affected to date, but the UK's fraud reporting outfit, Action Fraud, said it had received 7,000 reports of ransomware between April and September this year.
The NCA’s National Cyber Crime Unit has warned that online criminals have launched a major internet attack designed to hold victims’ computer data hostage, and demand a ransom of hundreds of pounds be paid.
The cybercops’ alert warns that the CyberLocker ransomware – which encrypts computer files and demands a ransom be paid for the decryption key – has been distributed via spammed-out emails claiming to come from banks and financial institutions.
CryptoLocker is Trojan horse malware which surfaced in late 2013, a form of ransomware targeting computers running Microsoft Windows. CryptoLocker disguises itself as a legitimate attachment; when activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displays a message which offers to decrypt the data if a payment (through either Bitcoin or a pre-paid voucher) is made by a stated deadline, and says that the private key will be deleted and unavailable for recovery if the deadline passes. If the deadline is not met, the malware offers to decrypt data via an online service provided by the malware's operators, for a significantly higher price in Bitcoin.
Although CryptoLocker itself is readily removed, files remain encrypted in a way which researchers have considered infeasible to break. Many say that the ransom should not be paid, but do not offer any way to recover files; others say that paying the ransom is the only way to recover files that had not been backed up.
What types of computers does CryptoLocker target?
CryptoLocker targets computers running versions of Windows. Mac computers are not affected.
How is CryptoLocker spread?
CryptoLocker isn’t a virus or a worm, it’s a Trojan horse. That means – like most malware seen today – it can’t travel under its own steam, and doesn’t self-replicate.
Instead, CryptoLocker is typically distributed via spammed-out email messages, perhaps claiming to come from your bank or a delivery company. If you click on the attached file (which might pretend at first glance to be a PDF file, but actually use the .PDF.EXE double extension trick to hide its executable nature), your computer becomes infected.
Of course, it’s possible the criminals behind CryptoLocker could also distribute it in other ways. For instance, by compromising websites with malicious exploit kits that take advantage of software vulnerabilities to install CryptoLocker on visiting computers.
What files does CryptoLocker encrypt?
Once your computer is infected, CryptoLocker hunts for files to encrypt. It doesn’t just on your hard drive, but on any connected drives, including mapped network shares, and even folders that you might sync up with the Cloud – such as DropBox.
Filenames which match the following patterns are encrypted by CryptoLocker:
????????.jpe, ????????.jpg, *.3fr, *.accdb, *.ai, *.arw, *.bay, *.cdr, *.cer, *.cr2, *.crt, *.crw, *.dbf, *.dcr, *.der, *.dng, *.doc, *.docm, *.docx, *.dwg, *.dxf, *.dxg, *.eps, *.erf, *.indd, *.kdc, *.mdb, *.mdf, *.mef, *.mrw, *.nef, *.nrw, *.odb, *.odc, *.odm, *.odp, *.ods, *.odt, *.orf, *.p7b, *.p7c, *.p12, *.pdd, *.pef, *.pem, *.pfx, *.ppt, *.pptm, *.pptx, *.psd, *.pst, *.ptx, *.r3d, *.raf, *.raw, *.rtf, *.rw2, *.rwl, *.sr2, *.srf, *.srw, *.wb2, *.wpd, *.wps, *.x3f, *.xlk, *.xls, *.xlsb, *.xlsm, *.xlsx, img_*.jpg
So, you may well be saying goodbye to your documents, your databases, your photographs, your PowerPoint slides, your spreadsheets, and much else besides.
Individual Windows users should check out CryptoPrevent, a tiny utility from John Nicholas Shaw, CEO and developer of Foolish IT, a computer consultancy based in Outer Banks, N.C. Small business administrators can avail themselves of a free tool from enterprise consulting firm thirdtier.net, which recently released its CryptoLocker Prevention Kit. This comprehensive set of group policies can be used to block CryptoLocker infections across a domain.
Also, consider online backup - HindSight-IT provides an unlimited online backup service, for just £60 per year (per PC) - contact us for further information.