
Friday, September 13, 2013

More info on CryptoLocker Ransomware.

If you or someone you know has been infected with this, you may already be familiar with it. For everyone else: there is a new piece of ransomware making the rounds on the internet. It is called CryptoLocker.

Removing it is simple: follow the removal guide in the previous blog post. The hard part is figuring out how to decrypt the files that it actually encrypts. So removing the malicious files and registry entries is only half of the battle.

Before we go into the possibilities for decryption, the main thing to take from this blog post is that the ransomware seems to be spreading via an email attachment. Look out for attachments with double file name extensions such as .doc.exe or .doc.scr. If there is anything after the .doc (or whatever the file type is), it is possible that the file is the ransomware.

My advice is not to download attachments from an email that match the criteria above, especially if the file name includes .zip. If the email claims to come from FedEx, UPS, or any agency saying you have a package waiting, delete it without downloading the attachment. If you are actually expecting a package, call the agency and ask. Do not trust an email.
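The double-extension check described above, as an added example (not code from the original post): it parses a constructed "package waiting" email with the standard library, flags attachment names such as Invoice.doc.exe or Notice.pdf.scr, holds archives for inspection, and applies the same naming check to the file names inside an archive. The extension lists, sender address and sample message are constructed for illustration.

```python
# Added example (not from the original post): flag email attachments whose
# names use the double-extension trick (e.g. Invoice.doc.exe) and hold
# archives for inspection. Extension lists and sample message are constructed.
from email import policy
from email.message import EmailMessage

# Extensions Windows runs as programs when double-clicked (constructed, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf"}
# Extensions of the document and image types the post says get encrypted.
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "jpg", "jpeg", "png", "txt"}
ARCHIVE_EXTS = {"zip", "rar", "7z"}


def classify_attachment(name):
    """Return (verdict, reason) for one attachment file name.

    verdicts: "block" (executable), "hold" (archive, inspect members first),
    "suspicious" (odd naming), "allow" (plain document).
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[-1]:
        return ("suspicious", "no usable extension")
    exts = parts[1:]
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            return ("block", f".{exts[-2]} in the name hides an executable .{last}")
        return ("block", f"executable attachment .{last}")
    if last in ARCHIVE_EXTS:
        return ("hold", f"archive .{last}; check member names before opening")
    if len(exts) >= 2:
        return ("suspicious", "multiple extensions: ." + ".".join(exts))
    return ("allow", f"plain .{last}")


def classify_archive_members(member_names):
    """Apply the same check to file names inside an archive; return members to block."""
    return [(m, classify_attachment(m)[1]) for m in member_names
            if classify_attachment(m)[0] == "block"]


def scan_message(msg):
    """Return [(filename, verdict, reason)] for every attachment in a parsed message."""
    results = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if filename:
            results.append((filename,) + classify_attachment(filename))
    return results


def build_sample_message():
    """A constructed 'package could not be delivered' lure with a .doc.exe attachment."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "notice@carrier.example"  # constructed sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your package could not be delivered"
    msg.set_content("Please open the attached tracking document.")
    msg.add_attachment(b"MZ\x90\x00 constructed bytes, not a real program",
                       maintype="application", subtype="octet-stream",
                       filename="Tracking_Info.doc.exe")
    return msg


if __name__ == "__main__":
    for name, verdict, reason in scan_message(build_sample_message()):
        print(f"{verdict:10} {name}: {reason}")
    print(classify_archive_members(["Invoice.pdf.scr", "readme.txt"]))
```

The check looks only at the last extension to decide what Windows would actually run, and at the one before it to explain why the name is deceptive; a plain .zip is held rather than blocked because the archive itself is harmless until a member inside it is opened.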

Now, as for decryption: the ransomware uses 2048-bit RSA encryption and a public and private AES 256 key to encrypt your files. Translation: whoever wrote this ransomware did not cut any corners; he or she wanted to make the affected files extremely difficult to decrypt. These files include documents, Excel spreadsheets, PowerPoint presentations, PDF files, and photos.

The best way to combat this is offline backups of the affected files, which you need to have made prior to infection. But there has been limited success with using System Restore and File Restore on newer versions of Windows (newer than XP).

And please note that as a very last resort only, paying the ransom does seem to work.

Never thought that I would say that paying is a viable option? Well sometimes the malware wins. Sometimes the writer is clever enough so that he wins a round. And I only recommend paying the ransom as a last resort when all other possibilities have been exhausted. And then only when you absolutely need the files. Because if you pay, you can't really know just what it is you are funding.

I recommend that whoever has exhausted all other options hold off on paying the ransom as long as possible.

Other than the above, there is no known way as of this writing to get the files back. However, TrendMicro says that they are currently working on a decryption tool, so we will see where that goes.

As the ransomware needs to be downloaded and executed to take effect, I recommend not opening any file downloaded from the internet (including from email) until it has been scanned with your antivirus software. As most antivirus software has definitions for the ransomware, this gives you a reasonable chance of avoiding it.

I predict that this type of ransomware is the new breed of moneymaker for malware writers. And because making decryption tools takes some time (at least a few days after discovery), it is not wise to count on decryption as a way out.

I recommend offline backups of your important files to ensure that you are prepared should you ever be hit with encrypting ransomware. You can create offline backups without any special software. All you really need is a flash drive which can store a sizable amount of files, or if you work with a very large volume of files, an external hard drive.

These options are not expensive. You can get a terabyte of storage for somewhere in the neighborhood of $50.
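An added example for the offline-backup advice above (not code from the original post): it records a SHA-256 manifest of everything on the backup drive and later verifies the drive against that manifest, so that files altered or missing since the backup was made (for instance, because the drive was plugged into an infected machine) are reported before anything is restored. The directory layout, file contents and the manifest file name are constructed for illustration.

```python
# Added example (not from the original post): write a SHA-256 manifest of an
# offline backup and verify the backup against it before restoring from it.
# Paths, file contents and MANIFEST_NAME are constructed for illustration.
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # assumed name; excluded from the hashed set


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.name != MANIFEST_NAME}


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def verify_backup(root, manifest):
    """Compare the files under root with a saved manifest.

    Returns {"changed": [...], "missing": [...], "new": [...]} holding sorted
    relative paths; an all-empty result means the backup is intact.
    """
    current = build_manifest(root)
    changed = sorted(p for p, h in manifest.items() if p in current and current[p] != h)
    missing = sorted(p for p in manifest if p not in current)
    new = sorted(p for p in current if p not in manifest)
    return {"changed": changed, "missing": missing, "new": new}


def demo():
    """Build a small constructed backup, record it, damage it, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "budget.xlsx").write_bytes(b"constructed spreadsheet contents")
        (root / "photo.jpg").write_bytes(b"constructed photo contents")
        save_manifest(build_manifest(root), root / MANIFEST_NAME)

        # Simulate damage found on a later check: one file's contents replaced
        # with unreadable bytes, another file gone.
        (root / "docs" / "budget.xlsx").write_bytes(b"\x00\xff constructed garbage")
        (root / "photo.jpg").unlink()

        return verify_backup(root, load_manifest(root / MANIFEST_NAME))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep a second copy of the manifest somewhere other than the backup drive itself, since a drive that has been tampered with can carry a tampered manifest too, and leave the drive unplugged except while backing up or verifying.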

Thank you for reading. I invite readers to comment with any questions or comments.

----------------------------------------------------------------------------------------------------------------------------------------------------
Update: Friday, 13 September 2013 21:00 CST.
A way to restore files to previous versions has been uncovered. This helps for the following versions of Windows:

Windows Vista Business Edition.

Windows Vista Ultimate Edition.

All Editions of Windows 7.

These versions of Windows have a feature which allows you to restore previous versions of files. This is enabled by default. Microsoft just does not provide an interface for it. A freeware program called Shadow Explorer allows you to restore these previous versions of the affected files. I'm not going to put a link up, but you can Google it and it will be easy to find.

In Windows 8, the feature is called File History. It is disabled by default, which means that if you are not infected with this, you need to enable it.

Follow these guides on setting up File History:

http://windows.microsoft.com/en-us/windows-8/how-use-file-history

http://windows.microsoft.com/en-us/windows-8/set-drive-file-history

Stay tuned to this blog for further breaking news on the CryptoLocker ransomware. If this works in all cases, we might have won.

2 comments:

  1. Hi Hunter - I was hit with it today, and the question I have is: if all my files are on an external hard drive prior to getting the FedEx email and the PC becoming infected, is it safe to plug the external hard drive into my laptop?

    1. Yeah, it is most likely safe to plug the external hard drive in. Though I would advise you to remove the ransomware before you do so.

      You can check out my removal guide here: http://malwareaware.blogspot.com/2013/09/how-to-remove-cryptolocker-ransomware.html
