The best of the bad. CryptoLocker warning.

treitz3

Super Moderator
Staff member
Dec 25, 2011
The tube lair in beautiful Rock Hill, SC
CryptoLocker is a new and nasty piece of malicious software that is infecting computers around the world. It appeared the last week of September – encrypting important files and demanding a ransom to unlock them.

According to Sophos, the worldwide digital security company, it’s been hitting pretty hard for the past six weeks or so.

“It systematically hunts down every one of your personal files – documents, databases, spreadsheets, photos, videos and music collections – and encrypts them with military-grade encryption and only the crooks can open it,” said Chester Wisniewski, a senior security advisor at Sophos.

Even though it’s infected, your computer keeps working normally; you just can’t access any of your personal files. It’s scary, especially if you haven’t backed up your data.

CryptoLocker is different from other types of “ransomware” that have been around for many years now, which freeze your computer and demand payment. Those can usually be removed, which restores access to your files and documents.

Not CryptoLocker – it encrypts your files. There’s only one decryption key and the bad guys have that on their server. Unless you pay the ransom within three days, that key will be destroyed. And as the message from the extorters says: “After that, nobody and never will be able to restore files…”

The typical extortion payment is $300 USD or 300 EUR paid by Green Dot MoneyPak, or for the more tech savvy, two Bitcoins, currently worth about $400.

To instill a sense of urgency, a digital clock on the screen counts down from 72 hours to show how much time is left before that unique decryption key is destroyed.

This sophisticated malware is delivered the old-fashioned way – an executable file hidden inside an attachment that looks like an ordinary ZIP file or PDF. One small business reports being compromised after clicking on an email attachment that was designed to look like a shipping invoice from the U.S. Postal Service.

Open that file and bad things start to happen, although it may take several days for the ransom demand to pop up on your screen after the machine is infected.

“The author of this (malware) is a genius. Evil genius, but genius nonetheless,” an IT professional commented in an online tech forum. Another wrote, “This thing is nasty and has the potential to do enormous amounts of damage worldwide.”

Good anti-virus software can remove the CryptoLocker malware from your computer, but it cannot undo the damage – the encryption is that good.

“It’s the same type of encryption used in the commercial sector that’s approved by the federal government,” Wisniewski told me. “If the crooks delete that encryption key, your files are gone forever – even the NSA can’t bring them back.”

If you have a recent backup, you can recover from CryptoLocker and other malware with no serious consequences. That backup should be a snapshot of everything on the system and not a simple synchronization, as happens with most automated external hard drives and many cloud-based services.

With these synchronized backups, stored files that have changed on the master drive are overwritten with the new ones. If a malicious program encrypts your master files, those backups would also be encrypted – and useless. Your backup should be disconnected from your computer until the next time you need to access it.

Just an FYI to those who may not yet know about it.

http://www.snopes.com/computer/virus/cryptolocker.asp

Tom
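The delivery vector the article describes is an executable dressed up as a ZIP or PDF attachment. The following is an added example, not part of the article or the forum post, showing the checks a mail gateway or a cautious user could run on an attachment before opening it: a double extension such as invoice.pdf.exe, a Windows executable header behind a document extension, and executables hidden inside an otherwise ordinary ZIP. The extension list, magic bytes and sample file names are constructed for the example.

```python
import io
import zipfile

# Extensions Windows runs directly (constructed, not exhaustive); a "PDF" or "ZIP"
# that really carries one of these is the delivery trick the article describes.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"           # first bytes of a Windows executable
PDF_MAGIC = b"%PDF-"       # first bytes of a real PDF
ZIP_MAGIC = b"PK\x03\x04"  # first bytes of a ZIP archive

def _ext(name: str) -> str:
    """Final extension of a file name, lower-cased, with its dot ('' if none)."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""

def _name_findings(name: str, prefix: str = "") -> list:
    """Flags executable extensions, especially ones hidden behind a fake one (x.pdf.exe)."""
    ext = _ext(name)
    if ext not in EXECUTABLE_EXTS:
        return []
    kind = "double extension ending in" if name.count(".") > 1 else "executable extension"
    return [f"{prefix}{kind} {ext}"]

def _content_findings(name: str, data: bytes, prefix: str = "") -> list:
    """Flags content that contradicts what the extension promises."""
    ext, findings = _ext(name), []
    if ext == ".pdf" and not data.startswith(PDF_MAGIC):
        findings.append(f"{prefix}named .pdf but content is not a PDF")
    if data.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTS:
        findings.append(f"{prefix}Windows executable (MZ header) behind {ext or 'no'} extension")
    return findings

def inspect_attachment(filename: str, data: bytes) -> list:
    """Reasons an attachment looks like a disguised executable; an empty list
    means nothing obvious was found, which is not the same as safe."""
    findings = _name_findings(filename) + _content_findings(filename, data)
    if data.startswith(ZIP_MAGIC):  # a ZIP is only as harmless as its members
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                prefix = f"zip member {member}: "
                findings += _name_findings(member, prefix)
                findings += _content_findings(member, zf.read(member), prefix)
    return findings

def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed sample: an in-memory ZIP holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()
```

Windows hides known extensions by default, which is exactly why "invoice.pdf.exe" displays as "invoice.pdf"; the checks above look at the full name and the bytes instead of the displayed name.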
 

amirm

Banned
Apr 2, 2010
Seattle, WA
That's a nasty thing to be sure. The article though, has some hyperbole in it: "Good anti-virus software can remove the CryptoLocker malware from your computer, but it cannot undo the damage – the encryption is that good." Anti-virus has no function related to decrypting content so saying it can't do anything about it, is not a sign that the encryption is sophisticated.
 

mep

Member Sponsor & WBF Founding Member
Apr 20, 2010
That's a nasty thing to be sure. The article though, has some hyperbole in it: "Good anti-virus software can remove the CryptoLocker malware from your computer, but it cannot undo the damage – the encryption is that good." Anti-virus has no function related to decrypting content so saying it can't do anything about it, is not a sign that the encryption is sophisticated.

Amir - The statement you quoted is not hyperbole but, in reality, just ignorance, for the reason you stated (anti-virus has no function related to decrypting content).
 

amirm

Banned
Apr 2, 2010
Seattle, WA
That was just an example, Mark. All the verbiage regarding "military strength" cryptography is nonsense/exaggeration too. Encryption technology has long been standardized (e.g. AES) and the strength of it depends on the key length. Everyone (in the west at least) has full access to it.
 

mep

Member Sponsor & WBF Founding Member
Apr 20, 2010
That was just an example, Mark. All the verbiage regarding "military strength" cryptography is nonsense/exaggeration too. Encryption technology has long been standardized (e.g. AES) and the strength of it depends on the key length. Everyone (in the west at least) has full access to it.

I agree Amir. However, I do think the author has no background in computers or software and he is really out of his league when he is writing about both. That's why I called it ignorance and not hyperbole. The author is not selling something and using hyperbole to push his wares. He is trying to tell a story about something he has no real understanding of. At least that is how I see it.
 

treitz3

Super Moderator
Staff member
Dec 25, 2011
The tube lair in beautiful Rock Hill, SC
Good evening gentlemen. So how easy would it be to get one's files and photos back if this malware made its way into a computer, computer system or cloud? I am completely in the dark and to be honest, you might just want to consider me a computer toddler who can't even crawl yet. That's about how much I know about computers. What would the "normal public" do if they got infected with this besides remove the malware?

Tom
 

amirm

Banned
Apr 2, 2010
Seattle, WA
As a consumer you are out of luck completely. Once it encrypts your files, without the key you can't unlock them and no (ordinary) person can help you get there either. Run an anti-virus program at all times and keep a back up as the article suggests. The best advice of course is avoidance: do not open enclosures that are not from someone you know. This can be hard sometimes and hence the other recommendations.
 

edorr

WBF Founding Member
May 10, 2010
Smyrna, GA
I spoke about this one with my tech support guy. The malware will also encrypt connected drives. If your backup is stored on, say, a connected USB storage drive, it will encrypt that as well, in which case you are completely and utterly screwed.

I now disconnect my backup drive after backup has been completed. It will also encrypt shared drives on the company network. This one should scare the **** out of everyone.

The good news is apparently if you just pay up the $300 or so bucks you will get the encryption key. The guys doing this are raking it in like there is no tomorrow.
 

treitz3

Super Moderator
Staff member
Dec 25, 2011
The tube lair in beautiful Rock Hill, SC
Hello edorr. I'm not so worried about the personal things; it's the business end of things that worries me. There would be immediate, short term and long term damage along with the downtime and costs associated with straightening it all out. After being made aware of this malware, I immediately disconnected the synchronized external backup hard drive. I knew I would be safe doing that, but I was wondering whether there is any reason to do this. If the malware doesn't show up or show any signs for days, as soon as one plugs the external hard drive back in to update current documents/photos, the malware is installed on that as well. Just as if you had never unplugged it to begin with.

I will still leave it unplugged and run a full computer/malware sweep prior to plugging it back in again. Hopefully this will prevent this malware from disrupting this household and businesses.

Tom
 

edorr

WBF Founding Member
May 10, 2010
Smyrna, GA
Hello edorr. I'm not so worried about the personal things; it's the business end of things that worries me. There would be immediate, short term and long term damage along with the downtime and costs associated with straightening it all out. After being made aware of this malware, I immediately disconnected the synchronized external backup hard drive. I knew I would be safe doing that, but I was wondering whether there is any reason to do this. If the malware doesn't show up or show any signs for days, as soon as one plugs the external hard drive back in to update current documents/photos, the malware is installed on that as well. Just as if you had never unplugged it to begin with.

I will still leave it unplugged and run a full computer/malware sweep prior to plugging it back in again. Hopefully this will prevent this malware from disrupting this household and businesses.

Tom

Business should be worried, because anyone infected who is connected to shared company network drives can start encrypting data on those drives. However, it is not as bad as you suggest. The malware is an app that runs on a machine with a CPU - it is not a virus that "replicates" to a connected storage drive. So when the drive is disconnected nothing happens to the data on the drive, even if it has been connected to an "infected" machine previously.
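The article's advice that a backup should be a snapshot rather than a synchronization, and the discussion above about disconnecting the backup drive, both come down to one property: a good copy must exist that the infected machine cannot overwrite. The following added example (not from the article or any poster) models both backup styles on local temp files, corrupts the master file as a stand-in for the encryption, runs the scheduled backup again, and then asks each store for the original. File names and contents are constructed.

```python
import os
import tempfile
from pathlib import Path

class MirrorBackup:
    """Synchronising backup: every run makes the copy match the master, so a
    newer (encrypted) version silently replaces the older good one."""
    def __init__(self, root: Path):
        self.root = root
        self.root.mkdir(parents=True, exist_ok=True)
    def run(self, master: Path) -> None:
        for f in master.iterdir():
            (self.root / f.name).write_bytes(f.read_bytes())
    def restore(self, name: str) -> bytes:
        return (self.root / name).read_bytes()

class SnapshotBackup:
    """Versioned backup: each run lands in its own snapshot directory and earlier
    snapshots are never overwritten, so a pre-incident copy can still be recovered."""
    def __init__(self, root: Path):
        self.root = root
        self.root.mkdir(parents=True, exist_ok=True)
        self.count = 0
    def run(self, master: Path) -> None:
        self.count += 1
        dest = self.root / f"snap{self.count:03d}"
        dest.mkdir()
        for f in master.iterdir():
            (dest / f.name).write_bytes(f.read_bytes())
    def restore(self, name: str, snapshot: int) -> bytes:
        return (self.root / f"snap{snapshot:03d}" / name).read_bytes()

def run_scenario() -> dict:
    """Back up one document both ways, corrupt the master (stand-in for the
    ransomware encrypting it), back up again, then try to recover the original."""
    original = b"Q3 invoices - constructed sample spreadsheet contents"
    with tempfile.TemporaryDirectory() as tmp:
        master = Path(tmp) / "master"
        master.mkdir()
        (master / "invoices.xlsx").write_bytes(original)
        mirror = MirrorBackup(Path(tmp) / "mirror")
        snaps = SnapshotBackup(Path(tmp) / "snapshots")
        mirror.run(master)   # first backup while the file is still good
        snaps.run(master)    # snapshot 1
        # Malware overwrites the master; random bytes stand in for ciphertext.
        (master / "invoices.xlsx").write_bytes(os.urandom(len(original)))
        mirror.run(master)   # the scheduled sync faithfully copies the damage
        snaps.run(master)    # snapshot 2 is damaged, snapshot 1 is untouched
        return {
            "mirror_has_original": mirror.restore("invoices.xlsx") == original,
            "snapshot_has_original": snaps.restore("invoices.xlsx", 1) == original,
            "latest_snapshot_damaged": snaps.restore("invoices.xlsx", 2) != original,
        }
```

A snapshot store that the infected machine can write to is only protected as long as the malware does not also delete or overwrite the old snapshot directories, which is why keeping it disconnected (or on media the machine cannot modify) matters in addition to versioning.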
 
