Cryptolocker is a new type of ‘ransomware’ virus, with serious consequences for business users in particular. When it infects a PC it encrypts every document it can reach from that PC, including files on mapped network drives and servers. Those files cannot then be opened without the matching decryption key.
The message that appears on screen demands payment in exchange for the decryption key that unlocks your files. Initially this was $100, but on a copy we saw recently it had risen to $300.
The problem with this virus is that, because it is so new and because it uses proper encryption, your data is at risk even once the infection itself is gone. The virus is easily removed, but the files cannot be decrypted without the correct key, and the private key needed to decrypt them is held on the criminals’ server, not on your PC.
How to remove the Cryptolocker Virus itself
The virus can simply be removed, but beware: removing it still leaves you locked out of your documents. Before you remove anything, take a copy (ideally a full image) of the affected drive, so that the encrypted files stay intact and you have a record of what happened. To remove the virus you have several options:
- Try a System Restore, then, once back into Windows, update your current anti-virus application and run a full scan with it.
- Boot into ‘Safe Mode with Networking’, download a copy of Malwarebytes Free Edition, update it and run a full scan.
- Boot from a rescue CD such as the Kaspersky Rescue Disk and run a scan from there.
Full instructions can be found on these other useful sites:
- Precise Security – Instructions for Removing the Cryptolocker Virus
- Enigma Software – Instructions for Removing the Cryptolocker virus
- Bleeping Computer – Forum Discussion about the Cryptolocker Virus
How to gain access to the encrypted files
This is a serious problem, and there are no simple answers. The files are encrypted with a key that only the scammers hold, and they offer it back to you for a price. ‘Breaking’ the encryption is a specialist task, not one a normal computer-repair shop can perform, and with encryption of this strength (Cryptolocker uses RSA and AES keys) it is not realistically possible at all: nobody can brute-force the key in any useful time. Prevention is always much better than cure with this virus.
Your options are:
- Pay the criminals, and they may release your files. The problems with this are that you may be marked as someone who pays and be targeted specifically next time, there is no guarantee that a working key ever arrives, and the infection may have left a backdoor through which your PC can be attacked again.
- Send your files to a data specialist – there are companies that offer to recover encrypted files. This service will be expensive, and may be within the budget of some business users with critical data, but ask exactly what they will attempt: with correctly implemented encryption the key cannot be brute-forced, so realistic recovery comes from earlier copies of your data rather than from cracking the encrypted files themselves.
- Dr.Web offers a service whereby they try to recover files for their own customers. You will need to become a customer, if you are not one already, and then submit some of your files so that they can work on them. This has had some success with infected users, but the sheer number of requests means Dr.Web may take some time, and the service is strictly limited to their own customers.
I know of one user who paid the criminals ($100 at that stage, it’s jumped to $300 quite quickly) and they have got their files back. They initially had to wait 48 hours before getting a response, but within a week, all their files were accessible again. They have taken measures to safeguard against re-infection, and have set up a much more enhanced off-site backup service, so they have paid a small price for the wake-up call they have received about the importance of their data to their daily business running. Only time will tell if they suffer any further attacks as a result of caving in to the scammers.
I have also had a user who has had to forgo their documents (all MS Word and Excel spreadsheets), because they correctly refused to pay the scammers, and had no route to decrypt their files – they are simply hoping that someone releases a tool to repair their files in the near future.
So, all in all, this is a particularly nasty virus, and it can wreak havoc on poorly protected business users in particular. The only way to make sure you do not fall foul of it, or of any derivative, is to keep your PCs fully protected, run a sensible backup plan, and not fall for the scam emails or website advertisements that so many people unsuspectingly open or click on.
Protecting yourself against this virus
This virus is now widely circulated, and PCs are being infected via email and via infected websites. To limit your exposure, ensure that personal internet browsing (e.g. gambling, online shopping, hobby sites, video downloading and streaming) is limited on office machines. If you must allow staff free internet access, have them use their own smartphones, or set up an old PC with limited internet access that is kept isolated from your important office network files.
Simple things you should ensure:
Do not open attachments or click links in emails unless you are completely sure where the email came from – and bear in mind that the sender address can be forged, so a familiar name alone is not proof. There are many emails purporting to be from HSBC, RBS, eBay, PayPal, UPS, Facebook, LinkedIn, the Land Registry, Companies House and so on, all of which are simply trying either to phish information from you or to infect your PC.
Do not allow general internet surfing on main office computers. We have many business users with staff on the premises outside normal office hours, and have found their internet use to cause problems on occasion.
Ensure you take proper backups of your important files. There are many backup options available, but you need to use either the cloud (online) or a device external to your PC, and it must not be permanently connected or mapped as a drive, because the virus encrypts anything it can reach, including network and attached drives. A proper backup procedure is essential, and it must include checking what you have backed up: a backup that has faithfully copied the encrypted files will not help at all.
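As an added example, not from the original post, here is a small check in Python that a practitioner could run over a folder or a backup set before trusting it. The 2013 Cryptolocker left file names and extensions unchanged, so a backup job cannot tell an encrypted invoice.docx from a real one by name; this script looks at the first bytes of each file instead. Intact Office, PDF and image files begin with fixed signatures, whereas an encrypted file does not, and its bytes look random (Shannon entropy close to the 8 bits per byte maximum). The sample files, the 4 KiB window and the 7.5-bit threshold are assumptions chosen for this example.

```python
import io
import math
import os
import random
import shutil
import tempfile
import zipfile
from collections import Counter
from typing import Dict, List, Tuple

# Leading bytes ("magic numbers") that intact files of these types must start with.
SIGNATURES: Dict[str, bytes] = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0", ".ppt": b"\xd0\xcf\x11\xe0",
    ".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG",
}
HEAD_BYTES = 4096          # how much of each file to inspect (assumption: enough to judge entropy)
ENTROPY_THRESHOLD = 7.5    # bits per byte; 8.0 is the maximum, ordinary documents sit well below


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, head: bytes) -> str:
    """Judge one file from its name and leading bytes.

    ok       - extension has a known signature and the file starts with it
    suspect  - looks encrypted: random-looking content with no valid signature
    mismatch - expected signature missing but low entropy (mislabelled or truncated, not encrypted)
    unknown  - no signature known for this extension and content is not random-looking
    """
    ext = os.path.splitext(name)[1].lower()
    expected = SIGNATURES.get(ext)
    if expected is not None and head.startswith(expected):
        return "ok"
    if shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "suspect"
    return "mismatch" if expected is not None else "unknown"


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Classify every file under root; returns (path, verdict) pairs sorted by path."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                results.append((path, classify(fname, fh.read(HEAD_BYTES))))
    return sorted(results)


def constructed_samples() -> Dict[str, bytes]:
    """Constructed sample files for the demonstration (not real customer data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:   # a .docx is a zip container, so it starts with PK\x03\x04
        zf.writestr("word/document.xml", "<w:document/>")
    rng = random.Random(2013)               # seeded so the "encrypted" bytes are reproducible
    random_bytes = bytes(rng.getrandbits(8) for _ in range(HEAD_BYTES))
    return {
        "invoice.docx": buf.getvalue(),
        "report.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
        "notes.txt": b"Call the supplier about the October order and confirm delivery.\n" * 20,
        "encrypted.docx": random_bytes,     # stands in for a document Cryptolocker has encrypted in place
        "encrypted.txt": random_bytes,      # same content, but an extension with no known signature
        "renamed.doc": b"just some text that someone saved with the wrong extension\n",
    }


def demo() -> Dict[str, str]:
    """Write the samples to a temporary folder, scan it and return {file name: verdict}."""
    root = tempfile.mkdtemp()
    try:
        for name, data in constructed_samples().items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): v for p, v in scan_tree(root)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8s} {name}")
```

Run it against the folder you are about to back up, or against a restored copy of a backup, and treat any ‘suspect’ verdict as a reason to stop and look before the backup rotation overwrites an older, clean copy. A signature check alone would also flag harmless mislabelled files, which is why the entropy test is used to separate ‘mismatch’ from ‘suspect’.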
Always keep your anti-virus package up to date, and run regular scans. A quick scan scheduled once a week is not enough – change the settings so that a scan runs daily, and ensure a full scan runs periodically.
It is also worth adding an extra tool and running periodic manual scans – something like Malwarebytes Free Edition would suffice. The free edition does not run resident on your PC, so it will not interfere with your normal anti-virus package, but it is well worth having on the machine and running a manual full scan with it from time to time.
Nothing will protect you like a proper BACKUP PROCEDURE. It should be set up so that more than one backup is kept (using a grandfather-father-son rotation: recent daily copies, plus older weekly and monthly ones), the backups are held off your main network and devices, and they are taken regularly and automatically. You need enough separate copies, going back far enough, that if the most recent backups contain encrypted files you can still restore a clean copy of your data from before the infection.
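The rotation described above, as an added example in Python that is not from the original post: given the dates on which backups were taken, it selects which copies to keep under a grandfather-father-son scheme (the last 7 daily copies, the newest copy from each of the last 4 ISO weeks, and the newest from each of the last 12 months) and, given the day the encryption started, reports which retained copy is the newest one taken before it. The 60-day schedule ending on 31 October 2013 and the retention counts are constructed for illustration.

```python
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set


def select_gfs(backups: Iterable[date], daily: int = 7, weekly: int = 4, monthly: int = 12) -> Set[date]:
    """Backup dates to retain under a grandfather-father-son rotation.

    sons         - the `daily` most recent backups
    fathers      - the newest backup in each of the `weekly` most recent ISO weeks
    grandfathers - the newest backup in each of the `monthly` most recent calendar months
    A date kept under any rule is kept; everything else may be pruned.
    """
    ordered = sorted(set(backups), reverse=True)   # newest first
    keep: Set[date] = set(ordered[:daily])

    def newest_per_period(period_of) -> List[date]:
        newest: Dict[tuple, date] = {}
        for d in ordered:                          # newest first, so the first hit per period wins
            newest.setdefault(period_of(d), d)
        return list(newest.values())               # insertion order: most recent period first

    keep.update(newest_per_period(lambda d: tuple(d.isocalendar())[:2])[:weekly])   # (ISO year, ISO week)
    keep.update(newest_per_period(lambda d: (d.year, d.month))[:monthly])
    return keep


def to_prune(backups: Iterable[date], **retention) -> List[date]:
    """Backup dates that the rotation no longer needs, oldest first."""
    backups = set(backups)
    return sorted(backups - select_gfs(backups, **retention))


def newest_clean_backup(retained: Iterable[date], first_encrypted_on: date) -> Optional[date]:
    """Newest retained backup taken strictly before the day files started being encrypted.

    Returns None when every retained copy postdates the infection, i.e. the rotation was too short.
    """
    clean = [d for d in retained if d < first_encrypted_on]
    return max(clean) if clean else None


def constructed_schedule(last: date = date(2013, 10, 31), days: int = 60) -> List[date]:
    """Constructed example: one backup per day for `days` days ending on `last`."""
    return [last - timedelta(days=i) for i in range(days)]


if __name__ == "__main__":
    schedule = constructed_schedule()
    keep = select_gfs(schedule)
    print("retain:", ", ".join(d.isoformat() for d in sorted(keep)))
    print("prune :", len(to_prune(schedule)), "older copies")
    # Suppose the encryption began on 29 October and was only noticed on the 31st:
    print("newest clean copy:", newest_clean_backup(keep, date(2013, 10, 29)))
```

With the 60-day schedule the rotation keeps 25 to 31 October as daily copies, 20 and 13 October as weekly ones and 30 September as the monthly one, and prunes the other 50. If the encryption began on 29 October, the 28 October copy is the newest clean one; a scheme that only kept the last two nights would have nothing clean to restore. The pruning decision should run on the backup side (the server or cloud service), not on the office PC, so that a compromised PC cannot reach or delete the retained copies.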
We offer a free Computer Audit of any Northern Ireland business premises, where we will call and assess your current computing infrastructure, giving a report into what direction this should be taking for present security/performance and future-proofing to ensure value for money on any further spend.