
Crypto Locker: The Business Killer

This past week a new version of an old ransomware virus appeared in people's inboxes. Calling itself Crypto Locker, the infection begins with a carefully laid spam email disguised as a file transfer notice. A client of ours recently opened the email and clicked the download attachment link, because he was actually expecting files to be sent to him by email. It is an especially dangerous situation in a business setting, where the majority of the work is done on computers.

The email claimed a file was being sent from "Xerox file transfer", a service that most likely does not exist, or is not widely available to the public. This is the first warning sign: never click a link in an email that is vague, or that is delivered via an "outside" third party with no personal name attached to it. If such an email lands in your inbox, delete it immediately.

Unfortunately, email is not inherently designed to be secure. It is a simple way to communicate, but it can be easily intercepted and is often taken advantage of by sophisticated spamming techniques. For example, a recent malware attack disguised itself as a LinkedIn invitation. How tricky is that? A technique that works in most email applications and browser-based email services is to "hover" over the link: move the cursor onto the attachment, "button" or other link in the email, but DO NOT click. In a browser the actual destination of the link usually appears near the bottom of the window. If the domain name has no relation to the supposed sender, looks suspicious, or appears as an unintelligible tangle of letters and numbers, it usually means the link is not legitimate.

A good rule of thumb for reputable online services, such as LinkedIn, Facebook, government agencies, banks and other institutions, is that their email communication with you will NEVER ask you for personal information, and any link they send you should always lead to their actual domain name.
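As an added example (not code from the original post), the hover check described in the two paragraphs above written as a small Python script: it pulls every link out of a constructed lure email, compares the real destination of each link with the domain the mail claims to come from, and flags links whose visible text shows one domain while the href points to another, or whose hostname is a random-looking tangle of letters and digits. The sample message, the domain `example-tangle.net` and the assumption that `xerox.com` is the legitimate domain are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): a "file transfer" lure like the one the post
# describes. The visible link text shows one domain, the real href points to another.
SAMPLE_EMAIL = """
<p><a href="http://x7q9kz2m4.example-tangle.net/dl.php?id=1">https://www.xerox.com/download</a></p>
<p>Questions? <a href="https://www.xerox.com/support">Visit support</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags; the href is what 'hovering' reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Last two labels of a hostname; sufficient for the .com/.net-style names used here.
    return ".".join(host.lower().split(".")[-2:])

def looks_like_tangle(host):
    """The post's 'unintelligible tangle': a long leftmost label mixing letters and digits."""
    label = host.split(".")[0]
    return len(label) >= 8 and bool(re.search(r"\d", label)) and bool(re.search(r"[a-z]", label, re.I))

def check_links(html, claimed_domain):
    """Return [(href, reasons)] for each link whose real destination is not claimed_domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) == claimed_domain:
            continue  # hover target matches the sender the mail claims to be from
        reasons = ["destination %s is not %s" % (host, claimed_domain)]
        shown = urlparse(text).hostname if text.startswith("http") else None
        if shown and registrable_domain(shown) != registrable_domain(host):
            reasons.append("link text shows %s but points elsewhere" % shown)
        if looks_like_tangle(host):
            reasons.append("hostname looks like a random tangle of letters and digits")
        findings.append((href, reasons))
    return findings
```

Running `check_links(SAMPLE_EMAIL, "xerox.com")` flags only the first link, with all three reasons; the support link passes because its real destination is the claimed domain.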

What is especially dangerous about Crypto Locker is its ability to hide itself on your computer while also infecting any associated servers or file backup systems. It intimidates users by warning them that their files have been encrypted, while presenting a countdown and demanding money to "save" all of their files.

If this happens to you and Crypto Locker appears on your desktop, the first piece of advice is to unplug your internet connection immediately, especially if your computer is part of a network. The next piece of advice is not to pay for the "key", because an uninstall and decryption of files is possible.

What is even more important for the technologically challenged is to keep your operating system up to date and to use a trusted and reputable anti-virus program that scans your emails, such as Kaspersky. Another important tool to enable is a backup system that automatically backs up your files. On Windows, a default setting in System Protection records previous versions of your files so that a user can return to an earlier version, much like Time Machine for Mac users. However, the affected computer must not have open access to these backups, because otherwise Crypto Locker will reach the server and continue the destruction.

Of course, your IT professional will be able to handle all of this for you, and if not, you can always contact a professional virus removal team.

To keep up to date with the latest, you can follow the reddit page: http://www.reddit.com/r/sysadmin/comments/1mizfx/proper_care_feeding_of_your_cryptolocker/.

Or here: http://community.spiceworks.com/topic/381787-crypto-locker-making-the-rounds-beware

End advice? Back up your data to an external server or hard drive that lives off your local network.


13 Responses to Crypto Locker: The Business Killer

  1. jf October 7, 2013 at 4:49 pm #

    You say that decryption is possible.

    And how ?

    • DC October 11, 2013 at 8:55 am #

      Has anyone figured a go around on this encryption?? If so please share this is a nasty mess to cleanup and try to save Docs for people…

      Thanks,

  2. Mike October 8, 2013 at 11:37 am #

    I got the malicious content removed but have been told there is no way to decrypt the files it has attacked. If there is a method to do this could you please let us know.

    Thanks

  3. Jennnifer October 8, 2013 at 11:41 am #

    I got this virus. The e-mail it came from was a USPS.gov address. Extremely tricky of them because USPS is actually a .com even though it’s government run. Anyway, it said they were trying to deliver a package to us and since I have a USPS account that I use for my business, I assumed it was a package we had shipped to a customer that was being returned. The e-mail asked me to print the label and bring it to my local post office. BAM!! -VIRUS… and now I’m screwed. This thing is VERY dangerous! Do not open any attachments!!!

    • Aig October 10, 2013 at 7:32 am #

      One of my customers has this same problem. Is there a decryption tool out there that can decrypt this nasty piece of work that has encrypted all their files?

  4. Daymon Capers October 8, 2013 at 11:49 am #

    Yes there are a couple of things, however small, remove it and then restore from a backup or you have to have a copy of the same file on a backup that has not been encrypted and then purchase decryption software so that it can “unlock” the encryption, but you have to do it manually…it’s a bit of a nightmare really. Those are the only known to date solutions for fixing the issue. If you’ve been infected, I’d strongly suggest looking into backup software that allows for versioning, that way you’ll always have a couple of copies.

  5. John Galt October 14, 2013 at 2:10 pm #

    Ahhh Decryption software, please do tell us all about the products you have used and recommend that actually can crack 256 x 2048 encryption using 2 different ciphers, darn am I bad, I was under the impression that without the private keys, it would take the NSA and every PC on the planet a century to crack just one

  6. Ark October 18, 2013 at 10:13 am #

    Try the latest AV removal tools from your AV provider to remove as much as you can, then definitely try versioning to restore your data if shadow copying/previous versions is enabled on your system.
    It is all manual work I am afraid. I have helped to recover data for two people over the last two weeks. Good luck!

  7. Someone October 21, 2013 at 6:53 am #

    Decrypting it yourself is impossible. The program uses a 2048-bit RSA key, which has never been broken yet.
    Paying is the ONLY way of retrieving your files. There are reports that the attacker actually does decrypt the files after you’ve paid.
    Do NOT remove the virus itself. It’s pretty easy to remove the virus, but the files stay encrypted. Once the virus is removed, decrypting will be impossible, even for the attacker.

    More info: http://www.kttc.com/link/658025/how-to-remove-crypto-locker

Trackbacks/Pingbacks

  1. Resurgence of Virus Problems on Campus | Office of Information Technology - October 9, 2013

    […] More information on this particular virus can be found here. […]

  2. Crypto Locker ransomware - October 9, 2013

    […] and to date there is not a way to decrypt the files. We discuss in detail here about the virus Crypto Locker Virus And Malware – A Serious Business Killer | Techslate   My System Specs You need to have JavaScript enabled so that you can use this … […]

  3. CRYPTOLOCKER WARNING: New Variant of Old Ransomware Virus Spreading | Zyrka | Managed Information Technology Services - Dallas, TX - New York, NY - October 10, 2013

    […] http://techslate.net/crypto-locker-the-business-killer/ […]

  4. Virus Infections, A Thing of the Past? | Techslate - November 12, 2013

    […] spam sending from the Blackhole software has led to a transition in sending dangerous malware like Cryptolocker using Upatre, which has increased dramatically since August, overwhelmingly targeting the USA. If […]
