CryptoLocker Ransomware Spreading
Just last month, antivirus companies discovered a new ransomware known as Cryptolocker. This ransomware is particularly nasty because infected users are in danger of losing their personal files forever. Spread through email attachments, this ransomware has been seen targeting companies through phishing attacks. Cryptolocker will encrypt users’ files using asymmetric encryption, which requires both a public and private key. The public key is used to encrypt and verify data, while private key is used for decryption, each the inverse of the other.
Below is an image from Microsoft depicting the process of asymmetric encryption.
It’s infecting more than 10,000 victims on a weekly basis. This was the conclusion of security vendor Bitdefender, which conducted research on Crytolocker between October 27 and November 1.
The bad news is decryption is impossible unless a user has the private key stored on the cybercriminals’ server. Currently, infected users are instructed to pay $300 USD to receive this private key. Infected users also have a time limit to send the payment. If this time elapses, the private key is destroyed, and your files may be lost forever.
Files targeted are those commonly found on most PCs today; a list of file extensions for targeted files include:
3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx
A few things you can do to prevent your PC from getting infected with the CryptoLocker virus:
- Most viruses are introduced by opening infected attachments or clicking on links to malware usually contained in spam emails. Avoid opening emails and attachments from unknown sources, especially zip or rar archive files.
- Using antivirus software is strongly recommended. Ensure the antivirus real time protection is active and virus database is up-to-date. Also keep your operating system and software up-to-date.
- Keep a backup. If you have a real-time backup software then make sure that you first clean the computer and then restore the unencrypted version of the files.
- Create files in the Cloud and upload photos to online accounts like Flickr or Picasa.
- Windows 7 users should set up the System Restore points or, if you are using Windows 8, configure it to keep the file history.
- If Crypto locker already infected your machine, make sure you have reformatted your hard drive to completely remove the CryptoLocker trojan before you attempt to re-install Windows and/or restore your files from a backup.
It’s all well and good to prepare, but what if you already are infected? Despite the virus’s warning not to “disconnect from the Internet or turn off the computer,” this is exactly the first order of damage control.
You’ve got to realize these guys are criminals and they lie. The only thing turning off your computer does is keep the virus from continuing to infect.
In fact, unplugging your computer may save some of your files, if the virus is still in the process of infecting them.
Next, you need to figure out what damage has been done. Which files have you lost? Do you have backups of these files? If you don’t have backups, have you checked Windows’ System Restore files, which sometimes automatically back up the computer for you?
You should not pay these guys ransom. It’s just going to encourage malware authors to create similar viruses…. However reportedly paying ransom works. As a last resort it may help you out.