New Threat On The Block

I know many of us run Windows and perhaps have home networks and the like. I also figure that a few of you have at least one important document that is not backed up anywhere. There is a “new” and nasty piece of ransomware out in the wild, called CryptoLocker (it is usually called a virus, but it does not spread on its own; someone has to run it).

What is it?

It is reported to spread via email and is, for now, a Windows executable that has to be run on the victim’s machine; nothing happens until someone opens it. Once it runs it encrypts your documents (a fairly complete list of the file types it goes after is in the thread linked below) using public-key cryptography: the key that can decrypt them never exists on your machine. It runs with the privileges of whoever launched it, so if that account is an Administrator it can also encrypt every other user’s documents on the system, and it goes after anything it can reach on mapped network drives as well.

Only after it has finished (there is no helpful pop-up while it is working, BTW) does it announce itself, demand a payment of around 300 USD or the equivalent for the decryption key, and start a countdown timer. If you have not paid by the time the counter hits 0 it removes itself and, with it, any possibility of recovering your files: the private key that is required to decrypt them is held on a remote server the attackers control, not anywhere on your machine, so there is nothing local to recover it from.
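Because there is no warning while the encryption is running, the first question after a scare is “which of my files are already gone?”. CryptoLocker encrypts in place and keeps the original filenames, so an encrypted .pdf still looks like a .pdf in Explorer but no longer starts with the bytes a PDF starts with. The scanner below, added here as an example and not code from the original post or from anyone analysing the malware, checks each file’s leading bytes against the signature its extension promises and, for plain-text types that have no signature, falls back to a byte-entropy test (the 7.5 bits/byte cut-off is an assumed threshold; text sits around 4 to 5 and ciphertext close to 8). The sample directory tree it scans is constructed inline, with random bytes standing in for ciphertext.

```python
import math
import os
import tempfile
import zipfile
from pathlib import Path

# Leading bytes expected for common document types (my own table, not exhaustive).
# CryptoLocker encrypts in place and keeps the filename, so a .pdf whose first
# bytes are not "%PDF" no longer contains a PDF.
SIGNATURES = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}
# Types with no fixed signature are judged by byte entropy instead.
TEXT_EXTENSIONS = {".txt", ".csv", ".ini", ".log"}
ENTROPY_THRESHOLD = 7.5   # bits per byte (assumed cut-off): text ~4-5, ciphertext ~8
HEAD_BYTES = 4096         # enough of the file to decide; whole-file reads are not needed


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path) -> bool:
    """True when the file's content contradicts what its extension promises."""
    path = Path(path)
    ext = path.suffix.lower()
    with open(path, "rb") as f:
        head = f.read(HEAD_BYTES)
    if ext in SIGNATURES:
        return not head.startswith(SIGNATURES[ext])
    if ext in TEXT_EXTENSIONS:
        return shannon_entropy(head) > ENTROPY_THRESHOLD
    return False   # unknown type: no verdict, so no false alarm


def find_suspect_files(root) -> list:
    """Walk root and return the sorted relative paths of files that look encrypted."""
    root = Path(root)
    suspects = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if looks_encrypted(p):
                suspects.append(p.relative_to(root).as_posix())
    return sorted(suspects)


def build_sample_tree(root) -> None:
    """Constructed sample data: three intact documents, three encrypted in place."""
    root = Path(root)
    (root / "work").mkdir(parents=True, exist_ok=True)
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n")
    with zipfile.ZipFile(root / "notes.docx", "w") as z:      # .docx is a zip container
        z.writestr("[Content_Types].xml", "<Types/>")
    (root / "todo.txt").write_text("buy milk\nback up the laptop\n" * 20)
    # Victims: random bytes stand in for ciphertext, original names are kept.
    (root / "work" / "budget.xlsx").write_bytes(os.urandom(8192))
    (root / "work" / "thesis.pdf").write_bytes(os.urandom(8192))
    (root / "passwords.txt").write_bytes(os.urandom(8192))


def demo_scan() -> list:
    """Build the sample tree in a temporary directory and return what the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_suspect_files(tmp)


if __name__ == "__main__":
    for rel in demo_scan():
        print("suspect:", rel)
```

Point it at a user profile or a mapped drive and a non-empty result before any ransom note has appeared is your early warning; an empty result is not proof of safety, since file types outside the table get no verdict.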

How do I prevent being bitten by this thing?

Funny enough, the prevention is rather simple: back up your data to a location that is offline when you are not backing up (an external hard disk, for example) and unplug it when the backup is done; a disk that stays connected is just another drive letter for the malware to encrypt. Be careful with “cloud”-based sync-style backup: it mirrors whatever is on your disk, so once your files are encrypted it will typically overwrite the good copies with the encrypted versions unless the service keeps older versions. For the same reason, avoid a backup scheme that replaces the previous copy in place, such as a disk image that is refreshed on a schedule; run it after the infection and you have simply backed up your encrypted files before you know you have the malware. Keep dated copies so that a good one survives.
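The difference between a backup that survives this and one that does not is whether a later run can overwrite an earlier copy. The script below is an added example, not code from the original post or from any backup product: every run writes a new dated snapshot under the backup root together with a SHA-256 manifest, refuses to touch a snapshot that already exists, and can verify a snapshot later. The scenario it plays through is constructed inline (a Documents folder, a stand-in for the external disk, random bytes standing in for ciphertext, and snapshot labels I chose): the first backup is taken, the document is encrypted in place, a scheduled backup runs again, and the first snapshot is shown to be intact. Taking the disk offline afterwards is up to you; no script can do that part.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

MANIFEST = "MANIFEST.sha256"


def sha256_of(path) -> str:
    """Hex SHA-256 of a file, read in chunks so large documents do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_snapshot(source, backup_root, label=None) -> Path:
    """Copy source into backup_root/<label>/data and write a hash manifest beside it.

    A label that already exists is refused rather than overwritten: the whole
    point is that no run can destroy the copy an earlier run made.
    """
    label = label or datetime.now().strftime("%Y%m%d-%H%M%S")
    dest = Path(backup_root) / label
    if dest.exists():
        raise FileExistsError(f"snapshot {dest} exists; refusing to overwrite it")
    data = dest / "data"
    shutil.copytree(source, data)
    lines = []
    for dirpath, _, files in os.walk(data):
        for name in files:
            p = Path(dirpath) / name
            lines.append(f"{sha256_of(p)}  {p.relative_to(data).as_posix()}")
    (dest / MANIFEST).write_text("\n".join(sorted(lines)) + "\n")
    return dest


def verify_snapshot(snapshot) -> list:
    """Return the relative paths whose content no longer matches the manifest."""
    snapshot = Path(snapshot)
    damaged = []
    for line in (snapshot / MANIFEST).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        p = snapshot / "data" / rel
        if not p.is_file() or sha256_of(p) != digest:
            damaged.append(rel)
    return damaged


def demo() -> dict:
    """Constructed scenario: back up, get encrypted, back up again, inspect both copies."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        docs.mkdir()
        (docs / "report.pdf").write_bytes(b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\n")
        disk = Path(tmp) / "ExternalDisk"            # stands in for the offline drive
        first = make_snapshot(docs, disk, "2013-10-01")
        # The malware encrypts the document in place (random bytes stand in for
        # ciphertext) and a scheduled backup runs again before anyone notices.
        (docs / "report.pdf").write_bytes(os.urandom(64))
        second = make_snapshot(docs, disk, "2013-10-02")
        try:
            make_snapshot(docs, disk, "2013-10-02")   # a rerun must not clobber it
            rerun_refused = False
        except FileExistsError:
            rerun_refused = True
        return {
            "snapshots": sorted(p.name for p in disk.iterdir()),
            "first_intact": verify_snapshot(first) == [],
            "first_is_pdf": (first / "data" / "report.pdf").read_bytes().startswith(b"%PDF"),
            "second_is_pdf": (second / "data" / "report.pdf").read_bytes().startswith(b"%PDF"),
            "rerun_refused": rerun_refused,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The second snapshot contains ciphertext, which is exactly what a sync-style or refreshed-image backup would have left you with as your only copy; here it simply sits next to the good one. Verifying the manifest before you restore tells you which snapshot to trust.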

What do I do if I get it?

Anti-virus software is not much help here, at least not yet: many, if not all, AV vendors have yet to update their products to catch it, and by the time a scanner does catch it the files are already encrypted. Unless you have a backup taken before the infection (or Windows “Previous Versions” shadow copies, if the infection left them in place), the only way to get your data back for the moment is to pay the ransom. If you DO get hit with this thing and you intend to pay the ransom:

  • DO NOT MOVE, RENAME OR DELETE ANY OF THE ENCRYPTED FILES; the malware keeps a list (in the registry) of the files it encrypted and its decryption routine works from that list, so a file that is no longer where the list says it is will not be decrypted even with the key;
  • DO NOT install or update your anti-virus software; the few products that already recognise it will simply remove the executable and its registry entries, and with them the list of encrypted files and the decryption routine, which leaves you no way to use the key even if you buy it.

If you would like more detailed (read: technical) information, please have a look at this thread:

http://www.reddit.com/r/sysadmin/comments/1mizfx/proper_care_feeding_of_your_cryptolocker/