Ransomware is malware that prevents or limits access to your computer or its files until you pay a ransom to the attacker. CryptoLocker has proven to be an effective version of ransomware.
You can get infected by CryptoLocker via different vectors:
- Open an email attachment that contains CryptoLocker. Some of these emails have masqueraded as shipping notifications, such as from UPS or FedEx, or as bank statements. However, the malicious attachment could arrive in an email of any form.
- Drive-by download from an infected website. Attackers will compromise a legitimate website, or set up temporary websites of their own, and add attack code to the site. When you visit the website, it will search for vulnerabilities in your browser or plugins, such as Java, Adobe Flash, etc. The attack code will then exploit those vulnerabilities to infect your computer.
- Your computer may have already been compromised by a backdoor Trojan, which places your computer under the control of an attacker.
No matter how the attack occurs, CryptoLocker will attempt to install itself, make contact with the attacker’s servers, create encryption keys specific to your computer and proceed to use those keys to encrypt all files it can scan that have certain file extensions. It will scan your local hard drive, any connected device (such as USB drives) and any mapped network share (such as your L: drive on campus). The file types it goes after include Word documents, Excel spreadsheets, PowerPoint presentations, Access databases, picture files, and many others. Once your files have been encrypted, you will receive a popup alert:
At this point, your files have been encrypted and you will not be able to open them. The attacker gives you a short window of time to pay a ransom, or else the private encryption key that is needed to decrypt your files will be destroyed. When the encryption keys are destroyed there is effectively no way to decrypt and regain access to your files.
If your computer has been infected and your files encrypted, your options are limited. You can pay the ransom, but the general recommendation is not to, as it supports criminal activity and there is no guarantee that your files will be decrypted. However, there are reports of people paying the ransom and regaining access to their files. The only other option is to clean the infection from the computer using widely available tools, the Sophos Virus Removal Tool being one example. Once the infection has been removed, you would need to restore your files from backups. Consideration should be given to doing a complete rebuild of the computer: a fresh install of the operating system and all applications, because once a computer has been infected, you cannot guarantee that you have removed all backdoors left by the attack.
What can you do to lessen your risks?
- Do not open email attachments you are not expecting to receive, even if it is purportedly from someone you know.
- Keep your web browsers updated. All major browsers have automatic update capabilities.
- Limit the use of browser toolbars and add-ons; they increase your risk exposure. Disable or uninstall those you do not use. Keep the remaining ones current with updates.
- Keep your operating system current with updates.
- Use an effective anti-virus solution and keep it updated. Campus-owned computers have Sophos installed.
- Disconnect from network shares you are not using. Consider staying disconnected from network shares by default and only reconnecting when needed.
- BACK UP your important files regularly. You can back up to a USB drive, but disconnect it once you have finished the backup and keep it in a safe, secure location. If your USB drive is connected when you are infected with CryptoLocker, it will scan the USB drive and encrypt your backup files with the attacker’s encryption keys.
Please refer to the following websites for more information regarding CryptoLocker:
CryptoPrevent, a utility designed to prevent infection by CryptoLocker: http://www.foolishit.com/vb6-projects/cryptoprevent/