CryptoLocker ransomware becoming relevant

There is a new strain of malware called CryptoLocker that is making its rounds. Unlike your typical malware which causes havoc with systems, this one is part of the ransomware family.

Ransomware is just like what it sounds – it takes your computer hostage and the malware makers want money from you.

While some ransomware has been easy to correct – just reboot your computer – this strain is nasty.

Typically the file which does the work comes in the form of an Email [although you could get hit by going to a web site you shouldn’t be on]. So that the email passes anti-virus scanners, it is typically stored inside a ZIP compressed archive file.

Reports have it that they are coming from fake shipment or invoice notices from courier companies like FedEx or UPS.

Note: Some clues here – if you aren’t expecting anything and haven’t received anything, why would you get an Email from them? As well, if you look at the Email itself [but not the contents], why is there so little information about you?

The ransomware writers are still using the old double extension issue that still exists today in Windows. By default, Windows hides the extension of known file types, so when you view a file you will only see the file name [example: “My_Invoice”] instead of the full name “My_Invoice.pdf”. So the malware writers are sending what looks like the file “My_Invoice.pdf” but in reality it is “My_Invoice.pdf.exe” [.exe is a known type too, so its extension is hidden as well]. So you think it’s an Adobe PDF file when in fact it is a program.

Note: Another clue. If you are using Windows Vista or later, you would get a warning that what you just opened is trying to modify your computer. Adobe PDFs don’t modify your computer.
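As an added example (not code from the original post), here is a small Python check that a mail gateway or help desk could run over a ZIP attachment to flag the double-extension trick described above. The member names, the extension lists and the MZ-header test are constructed for illustration.

```python
import io
import zipfile

# Extensions Windows runs as programs, and extensions a lure pretends to be.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".jpg", ".txt"}


def split_exts(name):
    """Return the lowercase extension chain of a member name,
    e.g. 'My_Invoice.pdf.exe' -> ['.pdf', '.exe']; 'README' -> []."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def inspect_zip(data):
    """Inspect a ZIP attachment (bytes) and return (member, reason) pairs
    for members that look like a program disguised as a document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = split_exts(info.filename)
            if not exts:
                continue
            outer = exts[-1]
            head = zf.open(info).read(2)  # first two bytes of the member
            if outer in EXECUTABLE_EXTS:
                if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
                    findings.append((info.filename, "double extension hides an executable"))
                else:
                    findings.append((info.filename, "executable inside attachment"))
            elif head == b"MZ":
                # Document extension, but the content starts with the PE/MZ header.
                findings.append((info.filename, "document extension but PE header"))
    return findings


def build_sample():
    """Constructed lure: a ZIP holding 'My_Invoice.pdf.exe' (fake PE bytes)
    next to a harmless PDF-looking member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("My_Invoice.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Tracking.pdf", b"%PDF-1.4\n")
    return buf.getvalue()
```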

Once the program starts up, you may not initially see anything different until hours later, if your computer stays on all day and night. Then the program comes alive and encrypts many kinds of data files. This includes Adobe PDF files, Microsoft Word files, Microsoft Excel files, Microsoft PowerPoint files, Microsoft Outlook PST files, JPG images, BMP images, etc. In fact, there are a few dozen file types it encrypts.

Once the files are encrypted, it also places a text file or two in each folder saying what it did, and shows the same message when you boot up the computer.

You may see the following image [or similar to it]. If you do, then your system is infected with the ransomware.

Rebooting the computer doesn’t help. In fact, any files that were open [in use] while it was encrypting and couldn’t be encrypted will be encrypted after you reboot the computer.

You will notice that when it encrypts the file, the file name itself hasn’t changed. But if you try to open a file, Windows will respond that the file is corrupt or something similar.

There is no way to decrypt the files yourself [and there are just too many to do anyway].

The ransomware writers will ask for anywhere between $100 and $1000 to be paid. You also need to pay by the date and time mentioned or the “key” to decrypt will be destroyed forever. They generally give you 72 hours from the time the files were encrypted.

If you pay the ransom, it doesn’t mean they will actually give you the key to decrypt. It is a gamble.

Up-to-date anti-virus software will at least detect the malware. Anti-malware software can remove it, but even if the malware is removed, that doesn’t decrypt the files. In fact, if you remove the malware, you probably can’t decrypt the files at all, even with the key.

The only sure things to do are to back up regularly [if you have critical files], be careful with attachments from anyone [even friends] that are unexpected or seem a bit odd for the sender, and keep up to date on operating system updates.

I personally know of one case where someone got hit with ransomware.

If you do get hit with this malware, other than paying, you may want to have the disk wiped and Windows and your applications installed from scratch. Even if you paid, you do not want to take chances that remnants are on your system.


About ebraiter
computer guy
