How to (hopefully) cure Cryptolocker

CryptoLocker is probably one of the major flavors of ransomware out there. You may have it if at least one of the following is true:

  • Files you open [more than one, of different types] are reported as corrupt.
  • Every folder that contains an encrypted file also contains one or more ransom notices.
  • Your web browser(s) open by default to the web site where you are told to pay the “fee”.
  • You get a notice like the one below.

[image: ransom1]

Ransomware gets in when you unintentionally run an application you downloaded or click a link, and that loads malware onto your computer. Unlike typical malware, ransomware encrypts most of your everyday data files [documents generally associated with Microsoft Office, Outlook .PST files, PDFs, etc.]. It then notifies you that it did so and demands a fee [usually $200 or more, most often paid in Bitcoin]. You are generally given a time limit such as 3 or 4 days. After that your data is “history”.

There are a number of ways to combat ransomware but they depend on the type of ransomware.

If you have nothing “special” on the computer, the least amount of headaches is to reformat and reinstall Windows. You would probably end up doing this anyway.

You can pay the fee but it doesn’t mean they won’t come back.

You can try one of the many tools at your disposal. Those tools include [and will work with varying degrees of success]:

There is also DecryptCryptoLocker, which lets you upload an encrypted file [pick something non-sensitive] and the site will send you a decryption key and an application to run to unlock your files.

Even after you clean the malware off your computer, you are better off backing up your data, wiping the hard disk and re-installing Windows. The ransomware may have left your computer vulnerable to future attacks.

Early versions of ransomware actually left the decryption key behind on the infected computer, where you could find it. Newer versions have since fixed that. As well, the application that triggers the encryption may only begin after hours, so you may not see the issue until the following day [or after a weekend], and by then the clock on the deadline has already been running for hours, whether or not you decide to pay.

In December 2013, Dell SecureWorks estimated that CryptoLocker had managed to infect 250,000 victims.

 

CryptoLocker ransomware becoming relevant

There is a new strain of malware called CryptoLocker making its rounds. Unlike typical malware, which causes havoc with systems, this one belongs to the ransomware family.

Ransomware is just what it sounds like – it takes your computer hostage and the malware makers want money from you.

While some ransomware has been easy to correct – just reboot your computer – this strain is nasty.

Typically the file which does the work arrives as an email attachment [although you could also get hit by visiting a web site you shouldn’t be on]. So that the email passes anti-virus scanners, the file is typically stored inside a ZIP compressed archive.

Reports say they come as fake shipment or invoice notices from courier companies like FedEx or UPS.

Note: Some clues here – if you aren’t expecting a shipment and haven’t sent one, why would you get an email from them? As well, if you look at the email itself [the sender, the addressing and the subject, rather than the contents], why is there so little information about you in it?

The ransomware writers are still using the old double-extension trick that still works in Windows today. By default, Windows Explorer hides the extension of known file types, so you see only the file name [example: “My_Invoice”] instead of the full name “My_Invoice.pdf”. The malware writers therefore send a file that is really “My_Invoice.pdf.exe”; with the final extension hidden, Explorer displays it as “My_Invoice.pdf” [other program extensions get the same treatment]. So you think it is an Adobe PDF file when in fact it is a program.

Note: Another clue. If you are using Windows Vista or later and the program asks for elevated rights, User Account Control warns that what you just opened wants to make changes to your computer. Opening an Adobe PDF never produces that prompt. Be aware, though, that a program which runs with only your ordinary user rights shows no prompt at all, and it can still encrypt every file you are able to write to.
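The double-extension trick and the ZIP wrapping described above can be checked before anyone double-clicks. The Python script below is an added example for this post, not code from the original article: it reproduces what Explorer shows with “Hide extensions for known file types” turned on and triages a ZIP attachment for an executable hiding behind a document extension, reading only the first bytes of each entry rather than extracting it. The attachment, its file names and the two extension sets are constructed for the example.

```python
import io
import zipfile

# Extensions a user would read as "a document" and extensions that actually
# execute on Windows. Both sets are assumptions for this example, not a
# complete catalogue.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def explorer_display_name(name: str) -> str:
    """Name as shown with "Hide extensions for known file types" on:
    the last extension disappears and everything before it stays visible,
    so "My_Invoice.pdf.exe" is displayed as "My_Invoice.pdf"."""
    base, dot, _ext = name.rpartition(".")
    return base if dot else name


def is_pe_header(head: bytes) -> bool:
    """Windows executables start with the 'MZ' DOS stub signature."""
    return head[:2] == b"MZ"


def triage_zip_attachment(zip_bytes: bytes) -> list:
    """Inspect every entry of a ZIP attachment without extracting it.
    Returns one finding per suspicious entry, with the reasons."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lowered = info.filename.lower()
            true_ext = lowered.rpartition(".")[2] if "." in lowered else ""
            shown = explorer_display_name(info.filename)
            shown_ext = shown.lower().rpartition(".")[2] if "." in shown else ""
            with zf.open(info) as member:
                head = member.read(2)  # only the magic bytes, never the payload
            reasons = []
            if true_ext in EXECUTABLE_EXTS and shown_ext in DOCUMENT_EXTS:
                reasons.append(f"double extension: Explorer shows it as '{shown}'")
            if true_ext in EXECUTABLE_EXTS:
                reasons.append("executable inside an email attachment")
            if is_pe_header(head) and true_ext not in EXECUTABLE_EXTS:
                reasons.append("PE header under a non-executable extension")
            if reasons:
                findings.append({"name": info.filename, "shown_as": shown, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment (not real malware): a 64-byte stub with an
    'MZ' header named like the invoice in the post, plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("My_Invoice.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"Thank you for your order.")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip_attachment(build_sample_zip()):
        print(f"{finding['name']} (displayed as {finding['shown_as']})")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

The Explorer setting itself is the registry value HideFileExt under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced; setting it to 0 makes Explorer always show the real extension, which removes the trick entirely. Mail gateways that refuse any archive containing a file with an executable extension, or an 'MZ' header under any name, stop this class of attachment before a user ever sees it.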

Once the program starts, you may not initially notice anything different; if your computer stays on day and night, it may wait until after hours. Then the program comes alive and encrypts every kind of data file. This includes Adobe PDF files, Microsoft Word, Excel and PowerPoint files, Microsoft Outlook PST files, JPG images, BMP images, etc. In fact, there are a few dozen file types it encrypts.

Once the files are encrypted, it also places a text file or two in each folder saying what it did, and it shows the same notice when you boot up the computer.

You may see the following image [or one similar to it]. If you do, then your system is infected with the ransomware.
[image: crypt]

Rebooting the computer doesn’t help. In fact, any files that were in use while it was encrypting [and so couldn’t be encrypted] will be encrypted after the reboot.

You will notice that when it encrypts a file, the file name itself doesn’t change. But if you try to open the file, Windows [or the application] will respond that the file is corrupt or something similar.
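Two symptoms from this post, files that keep their names but no longer open and damage spread across many folders (also the first two items in the symptom list at the top of the page), lend themselves to a quick triage check. The Python script below is an added example, not code from the original article. It walks a directory tree, compares each file’s leading bytes with what its extension promises, and uses the entropy of the first few kilobytes to tell an encrypted file (close to 8 bits per byte) from one that is merely corrupt. The magic-byte table is an assumed subset, and the directory it scans is constructed inside the script so it runs offline.

```python
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from typing import Optional

# Leading bytes a file of each type is expected to start with. An assumed
# subset for this example; extend it with the types you care about.
MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".pptx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",),
    ".xls": (b"\xd0\xcf\x11\xe0",),
    ".pst": (b"!BDN",),
    ".jpg": (b"\xff\xd8\xff",),
    ".bmp": (b"BM",),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_matches(path: str) -> Optional[bool]:
    """True/False if the file's leading bytes match its extension, None when
    MAGIC has no expectation for that extension."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return None
    with open(path, "rb") as f:
        head = f.read(8)
    return any(head.startswith(sig) for sig in MAGIC[ext])


def scan_tree(root: str, entropy_threshold: float = 7.5, sample_size: int = 4096) -> list:
    """Report files whose name says one thing but whose bytes say another.
    Header mismatch is the trigger; entropy of the first sample_size bytes then
    separates ciphertext (near 8 bits/byte) from a truncated or damaged file."""
    suspects = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            ok = header_matches(path)
            if ok is None or ok:
                continue
            with open(path, "rb") as f:
                entropy = shannon_entropy(f.read(sample_size))
            suspects.append({
                "path": os.path.relpath(path, root),
                "entropy": round(entropy, 2),
                "likely_encrypted": entropy >= entropy_threshold,
            })
    return suspects


def build_sample_tree() -> str:
    """Constructed sample tree (not real victim data): an intact PDF, an intact
    .docx-style container, a .pdf whose contents were replaced by pseudo-random
    bytes, and a plain-text note. Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="cl_triage_")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "invoice.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n")
    with open(os.path.join(root, "docs", "memo.docx"), "wb") as f:
        f.write(b"PK\x03\x04" + b"\x00" * 26 + b"word/document.xml")
    # Deterministic stand-in for ciphertext: 4096 bytes of chained SHA-256 output.
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    with open(os.path.join(root, "docs", "report.pdf"), "wb") as f:
        f.write(noise)
    with open(os.path.join(root, "docs", "ransom_note.txt"), "w") as f:
        f.write("Your files are encrypted. Pay to get the key.\n")
    return root


def remove_sample_tree(root: str) -> None:
    shutil.rmtree(root)


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for s in scan_tree(root):
            flag = "ENCRYPTED?" if s["likely_encrypted"] else "corrupt?"
            print(f"{flag:11} {s['path']}  entropy={s['entropy']}")
    finally:
        remove_sample_tree(root)
```

On a real machine you would point scan_tree at the user profile and any mapped drives and treat a folder with several likely_encrypted hits as confirmation, rather than waiting for the ransom screen. A legitimate .docx is itself a compressed container and has high entropy, which is why the script keys on the header mismatch first and uses entropy only to classify the mismatch.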

There is no way to decrypt the files without the key the attackers hold [and there are far too many of them to deal with one by one anyway].

The ransomware writers ask for anywhere between $100 and $1000. You also need to pay by the date and time shown, or the “key” to decrypt will be destroyed forever. They generally give you 72 hours from the time the files were encrypted.

If you pay the ransom, it doesn’t mean they will actually give you the key to decrypt. It is a gamble.

Up-to-date anti-virus software will at least detect the malware, and anti-malware software can remove it, but removing the malware does not decrypt the files. In fact, if you remove the malware, you probably lose the ability to decrypt the files even if you later get the key, because the decryption is performed by the malware itself.

The only sure things to do are to back up regularly [if you have critical files; keep the backup disconnected, because a backup drive that stays mapped gets encrypted along with everything else], be careful with unexpected attachments, even from friends, that seem a bit odd for the sender, and keep up to date on operating system updates.

I personally know of one case where someone got hit with ransomware.

If you do get hit with this malware, other than paying, you may want to have the disk wiped and Windows and your applications installed from scratch. Even if you paid, you do not want to take the chance that remnants are on your system.