The threat involves an e-mail attachment that, if opened, will evade most anti-virus and anti-spyware software and encrypt data on your individual computer and your network, making the data inaccessible. Please inform everyone to be extra vigilant about not opening attachments from questionable sources.
The delivery is clever and very malicious.
CryptoLocker is known to be spreading via three methods:
- Attached to emails which pretend to be customer support related issues from FedEx, UPS, DHS, etc. When opened, the attachment will infect the computer.
- Via exploit kits located on hacked web sites which exploit security vulnerabilities on your computer to install the infection
- Through Trojans which pretend to be programs required to view online videos
You should NOT open any attachment you are not 100% confident is safe or click any unexpected or suspicious links sent to you from others. These messages should be deleted immediately if received.
What happens if you become infected with CryptoLocker?
When the infection becomes active on your computer, it scans your local and networked drives for documents, pictures, and other commonly used file types. It encrypts the files with a mix of RSA & AES encryption and hides the key.
Once all of your data has been encrypted by the virus (both on your machine and any server or other machine you have access to), it displays a screen titled CryptoLocker that contains a ransom note on how to decrypt your files. Depending on the version, the ransom is usually $100 or $300 USD and payment can be made via several methods. The program also displays a countdown stating that you need to pay the ransom with 72 hours and failure to do so will cause the decryption tool to be deleted from your computer, making your data completely inaccessible.
However, please note we cannot advise whether you should pay the ransom fee or not; reports on the internet are this does not always unlock your files. Additionally, paying the ransom fee provides personal information to the hijackers which may result in additional problems as well as get your name on a known “good target” list. The key to avoiding having to pay this extortion fee is following safe computing rules and always having a good backup in place. If two machines become infected, then your data will be doubly encrypted and the chance of unencrypting the data is near zero.
Unfortunately, at this time there is no other way to retrieve the encryption key. Using a brute force method to obtain the encryption key is not realistic due to its length and complexity and thus the length of time required to break the key is long. Any decryption tools which have been released thus far from various companies will not work with this infection. The only current solution after becoming infected is to restore your files from a backup, Windows System Restore, or through Shadow Volume copies.
How do I prevent infection?
Updates are continually being released to antivirus software, spam filters and other network defenses to try to keep this threat at bay, but users are the last line of defense. Please help by educating your employees and coworkers! When in doubt, be safe and delete suspicious emails. Call the sender if you think it may have been something legitimate that requires your attention.
Again, the key to recovering from this malware (if a network machine becomes infected) is having good and recent backups of all data. Please do not hesitate to let us know how we can assist in making sure your data is backed up on your workstations and servers.