Malware Alert: Cryptolocker

Ty Burna

I'm writing this post to warn everyone to be careful in regards to a new strain of malware/ransomware that has popped up in the past couple months.

This is an ugly infection, and it's spreading rapidly. Essentially what this infection does once it gets onto your computer is encrypt your data, making it unavailable. The virus then pops up a message saying you have so many hours to pay up to decrypt your data or the key to unlocking the encryption will be destroyed as seen here:

[Image: cryptolocker.png]

This is no joke; this isn't your typical malware that merely tries to scare you into paying up to remove the virus. It legitimately will lock you out of your data until you pay up. There has been no way to reverse the encryption at this point in time. Most antivirus companies have now implemented definition updates to prevent the Cryptolocker malware from infecting your machine, but remember that no AV software is 100% effective.

If you are the victim of this malware, you have essentially only a couple of options. Pony up the $300 they are requesting and have your data decrypted, or, if you do not have any pertinent data or have it backed up, you may run your standard malware scans to remove the virus; however, I do warn that once you do, there is no way to pay for the decryption process other than going onto a website the creators of the virus have set up and paying for it there. Unfortunately, going that route also includes a massive spike in cost, as they now request $2,100 to decrypt your data. It has been confirmed, through what I have read from other users in the Reddit thread regarding Cryptolocker, that paying for the decryption does work, and the virus removes itself afterwards as well.

There have been reports that restoring from shadow copies can bring the data back without paying for it; however, it is not a guarantee. One thing I will recommend and cannot stress enough: always back up any important data, whether to the cloud via Google Drive or Dropbox, or to an external hard drive. With the advent of this new type of infection, there is no doubt that variants and new strains will pop up. This malware will infect any attached drives, meaning if you leave your USB external hard drive connected to your PC at all times, it will encrypt the contents of that drive as well, rendering your backups useless. This is also true if you have the Dropbox desktop application, as Windows treats it as just another folder. Networked drives, I believe, can be harmed as well.

Again, AV companies are getting preventative measures in place against the malware, but again, take all necessary precautions. Be diligent with email attachments; make sure they are from a person you know. If you are unsure, merely delete the email and contact the person that sent it. Avoid any websites out of the ordinary, and make sure your antivirus program is up to date. If you do not have one, Malwarebytes does have a pro version that will prevent infections such as Cryptolocker from harming your PC.

Any questions or comments, I'd be glad to help as much as I can.
 
That's why I have two external hard drives to store all my information and I always make sure to clear all the history of my internet browser every day. It's happened to me once about 3 years ago and I lost nearly everything. Since then I have learned to be cautious.

Is this virus only sent through e-mails or does it have other ways of infecting your computer?

Can it hack your social media accounts?
 
That's why I have two external hard drives to store all my information and I always make sure to clear all the history of my internet browser every day. It's happened to me once about 3 years ago and I lost nearly everything. Since then I have learned to be cautious.

To be safe against this virus, I would advise keeping them disconnected unless you're using them or backing up to them.

Is this virus only sent through e-mails or does it have other ways of infecting your computer?

Main indications are that it is mostly through email at this point in time, but always be wary of any sites you are not familiar with. There's no guarantee that they'll further increase the amount of ways the malware gets on your PC. With variants and new strains, it can easily jump from email to simply going to the wrong site or downloading the wrong file.

Can it hack your social media accounts?

No. It's not interested in your social media accounts. Only the data that resides on your PC and any folders your PC is connected to.
 
How would I go about making a backup? Is there a program that you would recommend that does it easily? I already have most of my documents saved twice on two different flash drives.

Also would saving my backups on a Hotmail Skydrive be advisable?
 
How would I go about making a backup?

It can be as easy as copying files and folders to an external hard drive or flash drive. Or also see below:

Is there a program that you would recommend that does it easily?
There are a number of free ones, one that I have used in the past is Backup Maker: https://www.ascomp.de/en/products/show/product/backupmaker

It's free, and also has scheduling capabilities so you can set it and forget it if you have an external drive always hooked up.


I already have most of my documents saved twice on two different flash drives.

Double backups are always preferred, that is very smart.

Also would saving my backups on a Hotmail Skydrive be advisable?

Yes. Skydrive, Google Drive, Dropbox, Box: the free cloud storage solutions are numerous. Using them as another backup source could prove valuable, and it's also a great way to access your files on the go from either a different PC or even your smartphone. If the data is that important, I would recommend uploading it to the cloud. Personally, I use my Google Drive account to back up pictures of my daughter. I have them saved locally on my home server, but the Google Drive is there to ensure I have them in case something happens to my server.

The best method is to have a backup offsite or away from home. If your house burnt down today, and both your PC and flash drives were in the house, the backups wouldn't help you there. You have to take physical damage into consideration as well as software-related attacks when backing up. Cloud-based storage gives you that opportunity, and it's not something the normal user ever really had at their disposal until the past few years, when cloud storage became readily available.
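As an added illustration, not code from this thread or from any product mentioned in it, of the point made above that a backup drive that stays connected (or a synced Dropbox folder) gets overwritten along with everything else: a versioned snapshot backup in Python that never overwrites an earlier copy and reports what fraction of files changed between two runs, so a sudden jump to 100% is visible before anyone prunes the old snapshots. All paths, labels and sample files below are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(source: Path, dest_root: Path, label: str) -> dict:
    """Copy `source` into a new snapshot directory named `label` under
    `dest_root` and return {relative_path: sha256} for every file copied.
    Earlier snapshots are never touched, so a later run that copies
    already-encrypted files cannot clobber a good earlier copy."""
    snap_dir = dest_root / label
    shutil.copytree(source, snap_dir)  # refuses to overwrite an existing snapshot
    manifest = {str(p.relative_to(snap_dir)): sha256_file(p)
                for p in sorted(snap_dir.rglob("*")) if p.is_file()}
    (dest_root / f"{label}.manifest").write_text(
        "\n".join(f"{d}  {n}" for n, d in manifest.items()))
    return manifest


def changed_fraction(old: dict, new: dict) -> float:
    """Fraction of files from the previous manifest whose hash changed or
    which vanished. Normal use changes a few files; mass encryption
    changes nearly all of them between one run and the next."""
    if not old:
        return 0.0
    changed = sum(1 for name, digest in old.items() if new.get(name) != digest)
    return changed / len(old)


def demo() -> tuple:
    """Constructed sample: four text files, one ordinary edit, then every
    file rewritten with random bytes to stand in for an encrypted copy."""
    work = Path(tempfile.mkdtemp())
    src, backups = work / "docs", work / "backups"
    src.mkdir()
    backups.mkdir()
    for i in range(4):
        (src / f"file{i}.txt").write_text(f"original content {i}")
    m1 = snapshot(src, backups, "snap-1")
    (src / "file0.txt").write_text("edited by the user")  # one normal change
    m2 = snapshot(src, backups, "snap-2")
    for i in range(4):  # every file replaced, as after mass encryption
        (src / f"file{i}.txt").write_bytes(os.urandom(32))
    m3 = snapshot(src, backups, "snap-3")
    return changed_fraction(m1, m2), changed_fraction(m2, m3)
```

Running `demo()` yields 0.25 for the ordinary edit and 1.0 for the mass rewrite; a backup job can use that ratio to refuse to delete older snapshots when the change rate is abnormal.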
 
Yes. Skydrive, Google Drive, Dropbox, Box: the free cloud storage solutions are numerous. Using them as another backup source could prove valuable, and it's also a great way to access your files on the go from either a different PC or even your smartphone. If the data is that important, I would recommend uploading it to the cloud. Personally, I use my Google Drive account to back up pictures of my daughter. I have them saved locally on my home server, but the Google Drive is there to ensure I have them in case something happens to my server.

The best method is to have a backup offsite or away from home. If your house burnt down today, and both your PC and flash drives were in the house, the backups wouldn't help you there. You have to take physical damage into consideration as well as software-related attacks when backing up. Cloud-based storage gives you that opportunity, and it's not something the normal user ever really had at their disposal until the past few years, when cloud storage became readily available.

Would you recommend the Backupmaker site or the Skydrive? Also on Backupmaker, does it keep the backup on their servers or does it give me the backup to save somewhere else?
 
Would you recommend the Backupmaker site or the Skydrive? Also on Backupmaker, does it keep the backup on their servers or does it give me the backup to save somewhere else?

Skydrive if you simply want to keep files; Backup Maker would allow you to create whole images of your PC if you wish.

The program would make a backup to save somewhere else such as a flash drive or external hard drive. It does not save it to the server. You could however save the backup to a Google Drive or Dropbox if you prefer.

A paid service such as Carbonite does back up your data to their own servers.
 
I think I'd be ok with just Skydrive then. I'd be able to make the backup then save it on Skydrive though, and that would be good enough security?
 
I think I'd be ok with just Skydrive then. I'd be able to make the backup then save it on Skydrive though, and that would be good enough security?

You can never have enough security in theory, but yes that would be sufficient. Just ensure you have enough space on your Skydrive for the backups.
 

Yeah, that thing sucks. My mother's husband got it and I was able to get all of his files off the computer and backed up. I was also able to remove the infection, except he claims 3-5 documents have been corrupted/encrypted. I haven't looked at it since, but I'd be surprised if it was Cryptolocker which got them.

I think Malwarebytes in Safe Mode can take care of it. There are steps out there on how to remove it, and I don't remember them being too difficult. The key is to make sure you get it removed before it takes effect, because once it takes hold, you're screwed.



EDIT: Oh, and it's NEVER a good idea to pay for ransomware. Never.

EDIT 2: Also, this is just another good reason to use Linux (whether in a virtual machine or as the machine's operating system) to open suspect attachments and files.
 
Yeah, that thing sucks. My mother's husband got it and I was able to get all of his files off the computer and backed up. I was also able to remove the infection, except he claims 3-5 documents have been corrupted/encrypted. I haven't looked at it since, but I'd be surprised if it was Cryptolocker which got them.

I worked on one last night; thankfully it only got a few documents, and there wasn't anything really important in there.

I think Malwarebytes in Safe Mode can take care of it. There are steps out there on how to remove it, and I don't remember them being too difficult. The key is to make sure you get it removed before it takes effect, because once it takes hold, you're screwed.

For you and me: Combofix took care of it as well, but I typically run it anyway.

For anyone else: do not run Combofix, because it has a possibility of wrecking the OS, and if you don't know how to fix it, you're SOL. Malwarebytes also will remove it quite easily for you.

Also another thing, if you get that message, disconnecting your computer from the internet will halt the encryption process from what I've read. If you're unsure of cleaning it yourself, shut down the PC and get it to a repair store immediately. Or as Sly said, get Malwarebytes loaded up as quick as you can and get it cleaned out. Time is of the essence for your files with this infection.

EDIT: Oh, and it's NEVER a good idea to pay for ransomware. Never.

I concur with this typically, but this is a whole different level of ransomware. These dudes are making an absolute killing with this, and it's rather genius how they set it up. Again, backups eliminate the need for paying the ransom, but if you have no other choice, well, it goes against everything I know, but you may need to pay up while the price is cheap. Letting the timer expire and going with the second-chance option they have set up as a website involves a sevenfold increase in price.


EDIT 2: Also, this is just another good reason to use Linux (whether in a virtual machine or as the machine's operating system) to open suspect attachments and files.

And also just simply disregard and delete suspicious attachments and files. If you have even one iota of a suspicion that the file or attachment is bad, don't attempt opening it. Delete and disregard; if it's from a trusted source, contact that person, ensure it was legitimate, and have them resend the file.
 
