In early September 2013, several antivirus and information security companies began receiving reports of a new piece of malware that was spreading across the net quickly. Called CryptoLocker, this virus belonged to the group of malware called "ransomware." It threatens to hijack your computer or data and hold it for ransom unless a payment is made to the creators of the virus. While this type of malware has always been fairly common, with plenty of examples espousing fake messages from the Federal Bureau of Investigation (FBI) or the CIA or the NSA, CryptoLocker stood apart because of its ability to follow through on the promise of making your files completely inaccessible unless the ransom was paid.
What makes CryptoLocker different than most older ransomware malware is the use of asymmetric key cryptography. This form of encryption, long the gold standard for most common encryption applications, uses a key-pair composed of a public key and a private key. The public key is used to encrypt the data, while the private one decrypts it. CryptoLocker uses a public key generated from a unique ID to encrypt all files on your computer that end in popularly used extensions, including images, PDF files, documents, and many others.
What Does CryptoLocker Do and Why Is It Effective?
Once the files are encrypted, the malware opens a pop-up informing users that they have a set amount of time (usually between 72 and 100 hours) in order to transfer $300 USD to the people responsible or else the private key needed to decrypt their files will be destroyed. One more noticeable difference between CryptoLocker and other ransomware is that all reports indicate that paying the ransom WILL actually decrypt your files. According to BleepingComputer, at least some people infected with CryptoLocker have been able to recover all of their data, though success is not guaranteed, and prevention is still far preferable.
The virus is so effective because of the encryption used. The basic encryption mechanism, RSA public key encryption, was developed by three MIT graduate students over 30 years ago, and has stood up to be virtually uncrackable since then. Computer experts point out that if you have been hit by CryptoLocker and were unable or unwilling to pay the ransom, you can consider your computer as good as having been dropped off a bridge. In fact, the only possible group able to break through the encryption would be the National Security Agency (NSA), either through brute force or through the back doors they are alleged to have inserted into the RSA algorithm. Short of an intervention by the NSA, however, you can consider infected computers to be effectively dead.
How Does CryptoLocker Spread?
The virus is currently spread through three main methods. First, and most common, is through the use of infected email attachments, often masquerading as tracking notifications from shipping companies like FedEx or UPS. More than ever, we urge our readers to not open any attachments that they were not specifically waiting for or expecting.
The second most common attack vector is through botnet software already in existence on infected machines. Tens of thousands of machines are infected with software that allows hackers to control them remotely. These computers, known as "zombies", may not exhibit any signs of being compromised, but still have the ability to download additional malware modules like CryptoLocker.
Finally, the third most common entry is a "drive-by download". These unauthorized downloads take advantage of vulnerabilities in outdated browsers to install code from a compromised web page directly on to your computer without giving you the option to decline the download, or even without making you aware of the download.
How Can You Protect Yourself?
Protecting yourself from the CryptoLocker malware can best be broken down into two sections—recovery and prevention.
Short of a very long time with a super-computer, recovering files encrypted with CryptoLocker is impossible. The malware itself, however, is fairly simple to identify and remove. If you are infected with the CryptoLocker virus, you should:
- Consider paying the ransom if the data is worth it and you do not have a backup. Be incredibly careful not to give out any personal details or credit card information.
- Remove the infection. Most common antivirus solutions should have no difficulty locating and clearing it. This is important to do before backing up your data, because if you don’t, any data you recover will also be at risk for encryption.
- Format your computer drive. It is difficult to say what other malware may have been introduced through CryptoLocker, or if your PC was otherwise compromised. Since the files are useless anyway, wipe everything and start from scratch.
- Restore from backup if possible. Some victims of the malware have reported that it may be possible to recover with a "system restore" from "shadow files" that Windows creates.
- Don’t count on network drives or other connected media—many people infected with CryptoLocker have reported that the malware is capable of jumping across your network to networked drives.
If you opt to pay the ransom, make sure you know how to pay the random fee. Payment can only be made either with Bitcoin (a new form of electronic anonymous currency) or with green.MoneyPak prepaid cards.
The best defense against any malware is to avoid getting it. While this may sound difficult, it is actually a fairly straightforward process.
- Make sure that you are using antivirus or antimalware software. Don’t remove it, don’t disable it, and keep the malware definitions up to date. Make sure your antivirus solution has a proactive malware prevention mode.
- Keep all software up to date. This includes your copy of Windows, any web browsers you may use to access the internet, and any other software that communicates via a network.
- Avoid suspicious attachments, emails, and websites. While it can be incredibly difficult to spot a really good forgery or a legitimate site that had been compromised, you should do your best to avoid putting yourself in danger. Don’t open emails you don’t trust, don’t download attachments that you weren’t expecting, and stay away from shifty sites.
- Back up your files. You should have at least one, and preferably two, backup solutions. The first should be a cloud-based solution that backs up daily and can be accessed from anywhere. The second is recommended to be an external hard drive that you back up to at least once a month or once a week, but that isn’t permanently connected to your network.
Contact us and we will do an assessment of your network to check for vulnerabilities. This is one virus that could be very damaging to your organization and is not something to sleep on.