A Virus That Will Ruin Your Holidays: CryptoLocker Locks Your Files and Demands a Ransom — We Have Your Prevention Tips
Imagine trying to open an Excel spreadsheet or Word document you have spent considerable time editing only to discover that it has somehow become encrypted! The same goes for any personal files or photos that you might have stored on your laptop. This is what Windows users all over the world have been experiencing because of a malware (malicious software) infection called CryptoLocker.
What is CryptoLocker?
CryptoLocker is a virus that installs itself into a user's "Documents and Settings" folder using a randomly generated name. It then adds itself to the list of programs in the computer's registry that Windows automatically loads every time a user logs on to his machine.
The virus then insidiously creates server names in the domains trying to make a Web connection to each of these server names in turn until it finds one that responds. Once a server has been found it uploads a small file. A public-private (locks files/unlocks files) key pair unique to your file ID is then generated and the public key part is sent back to your computer.
CryptoLocker then uses this public key to encrypt a wide variety of files types (.doc, .xls, .ppt, .jpg, .eps, .indd, etc.) that it finds anywhere that you have permission to access. This means (TAKE NOTE) the malware searches for files to encrypt on ALL drives and in ALL folders it can access from an infected user's computer. This includes resources on your company servers, and workgroup files shared by your colleagues! In other words, the more privileged the infected user's account, the worse the overall damage could be.
Once the encryption is complete, CryptoLocker launches a pop-up window informing the user they have a limited time (72 - 100 hours) to pay a ransom. If the user pays the amount, typically $100 – 300 USD, the program supposedly provides the private key for the data. If the deadline expires without payment, the key is allegedly destroyed.
The security company, SophosLabs, has been sent a large number of these encrypted files by infected users in hopes that a flaw in the encryption could be found so that files could be unencrypted. To-date, the company's response has been, "As far as we can see, there's no backdoor or shortcut: what the public key has scrambled only the private key can unscramble."
How to Avoid CryptoLocker
There appear to be two main access points of the virus: through email attachments and through botnets.
Email attacks are easier to avoid. Simply be wary of phony emails that look like they're from legitimate businesses, such as the Better Business Bureau or package tracking notifications from FedEx or UPS. In other words, be very careful with attachments that you weren't expecting, and don't open those from people you don't know well or at all.
A botnet is different, and requires a little bit more research on your part. In order to access your computer via a botnet the criminals are banking on the fact that it is already infected with malware. This is because most bots, or zombies, once active on your computer, unfortunately have a general "upgrade" command that allows anyone to update, replace, or add to the malware already on your machine. It may take a little bit of time, but you should make sure to search for and destroy any malware already on your machine. The consequences of not doing so could make your situation even worse.
How to Protect your Machine
This virus should really serve as a general warning — BACK UP YOUR DATA! CryptoLocker is not the only way in which you can lose important files. For example, a thief could steal your laptop, or a cloud service you entrusted your files to could suddenly shut down (remember Lavabit?). The point is, if you are using reliable backup software, on a regular basis, you stand a good chance of recovering your files without much hassle.
Follow these helpful guidelines for better protection:
- Make sure you have reputable anti-virus software installed and update it frequently.
- Install the latest versions of your internet browsers, and make sure to update the add-ons (Java, Adobe, etc.).
- Switch your email service to one with a spam and virus filter (e.g. Google Mail does not allow sending or receiving executable files as attachments).
- Be careful when clicking on ads.
- Don't open attachments or click on Twitter links from people you don't know; and even be wary of opening attachments even from people you trust because they may unintentionally be forwarding you a virus.
- Don't visit adult or other disreputable Web sites – they are notorious for malware.
- And lastly, use reliable backup and disaster recovery software, like UltraBac Software's UBDR Gold, to back up your data!
UBDR Gold can be used to perform these important protection measures:
- Perform regular image backups. If CryptoLocker infects protected partitions, you can recover them from a recent backup to clear the infection and then recover all data partitions to defeat the ransom attempt.
- Keep your operating system safe. Use UBDR Gold to image your operating system BEFORE installing patches and system updates so that you can easily restore the OS if this action destabilizes your server or makes it unbootable.
- Keep copies of the backup in a safe location, preferably offline and off-site. The UltraBac Ultimate Bundle provides the best all around protection for your business. The product combines the standard backups of UltraBac with UBDR Gold disaster recovery. This provides quick file-by-file or bare metal restores at your fingertips. Extra features abound including the ability to perform dissimilar hardware restores and virtual recoveries.
- Consider using UltraCopy to easily create duplicate backup copies. The utility can copy disk backups to inexpensive tape for off-site storage. Tapes have their own index for direct restore capability (without requiring a restore to disk first!). UltraCopy can also concatenate multiple disk backups to a single backup for centralized storage on a SAN/NAS device or even off-site using UltraBac's FTP/SFTP Device.
Be Aware – services that automatically synchronize or replicate your data changes with other servers, for example in the cloud, don't really count as backup. Such services have a purpose, but they can also propagate errors rather than defend against them. For example, a document on your local drive that has just been encrypted by CryptoLocker will have these changes uploaded to the cloud so that both the original and the cloud copy are compromised. The only way to recover the document without paying the ransom would be if you had a point-in-time backup of the file that was stored off-line or otherwise made unavailable so the virus did not have access rights through your logon!
Learn more about how to specifically protect your data by calling UltraBac Software toll free at 1-866-554-8562 or 425-644-6000 and asking to speak with the expert representative who services your area.