A very nasty virus has recently come to my attention and must be dealt with very carefully.
Skip down the article to see the FAQ if you are in a hurry.
I recently got a call from a client saying they had gotten their computer infected and asking me to (urgently) come by and have a look. They had somehow got a piece of software on their PC called “CryptoLocker” (or, as Microsoft dubs it, “Trojan:Win32/Crilock.A”).
CryptoLocker is being labeled as ransomware: it installs on your Windows computer, encrypts files with certain file extensions (using 2048-bit RSA to lock the per-file keys) and then displays a ransom note demanding $100 – $300 (unconfirmed reports have been as high as $900) to decrypt your files and “release” them back to you.
In the past I have seen software display a similar notice; however, it simply made the files & folders hidden instead of actually encrypting them. If you paid the ransom, nothing happened. All your files were still hidden.
However, in this case, and rather surprisingly, if you pay the ransom your files really are decrypted and you have control over them again. According to Symantec, about 3% of the people hit by this ransomware have actually paid. It also seems that a small number of people who paid have been unable to recover their files because the files were corrupted during encryption. :(
WHAT IF I HAVE THIS SOFTWARE?
Sadly, this isn’t good. Some researchers are admitting that paying the ransom may be your best bet for recovering your files; that decision is up to you. If your computer has System Restore points, restoring to an earlier point in time may help, but be aware of what it covers: System Restore rolls back system files and the registry, not your documents. It is the “Previous Versions” (shadow copy) feature that can bring a document back, and only if a copy was taken before the infection and still exists.
CAN I JUST DELETE THE SOFTWARE?
Simply deleting the software is a very bad idea. The encryption is asymmetric: the public key that was generated for your computer is stored locally and used to lock your files, while the matching private key sits on the attackers’ server and is handed over only once you pay. Removing the software removes that local public key (and the identifier that ties your machine to its key pair), so there is nothing left to match against the attackers’ record. Some people have said they reinstalled the software on the computer in order to pay the ransom. However, the old public key is gone and the new install simply generates a new key pair, so paying that second demand won’t get the original files back. If you must take the machine out of service, power it off and image or copy the disk before touching anything, so the key material is preserved.
MY TIME RAN OUT, HOW CAN I GET MORE TIME?
You can set your BIOS clock back to a date before the deadline. Follow these instructions.
I HAVE ANTI-VIRUS SOFTWARE, I AM OKAY, RIGHT?
Not really. A/V software is currently having trouble detecting this ransomware, so an up-to-date scanner is not a guarantee that it will be caught.
I DON’T HAVE THE SOFTWARE, HOW CAN I PREVENT IT??
Anti-virus vendors are currently working on detection. The developer at FoolishIT.com has also released a tool called “CryptoPrevent” that can help protect you; it works by adding Software Restriction Policy rules that stop programs from running out of the user-profile folders (%AppData% and similar) this malware launches from. The infection is arriving via fake UPS, DHL & USPS emails: the attachment is a ZIP file, and inside it is an executable dressed up to look like a PDF (a PDF icon and a double extension such as .pdf.exe). It is also a good idea to be backing up your important files, such as Microsoft documents, images, tax documents, etc. You can do this via an external hard drive or online backup (I recommend Backblaze, it’s what I use). If you use an external drive, unplug it when you are not backing up: the malware also encrypts files on any connected drive or mapped network share it can write to, so an always-attached backup drive can be locked along with everything else.
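To show what the lure above actually looks like from the inside, here is an added example (not code from the original post or from CryptoPrevent) that inspects a ZIP attachment for the tell-tale signs: an executable extension, a decoy document extension in front of it (.pdf.exe), or a member that starts with the MZ header of a Windows executable whatever its name says. The sample archive is constructed in memory with harmless filler bytes, and the file names in it are invented.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows will run, and the document-like extensions a lure puts
# in front of them to look harmless. Illustrative lists, not exhaustive.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "txt", "jpg"}


def build_sample_zip() -> bytes:
    """Construct a ZIP that mimics a fake shipping-notice attachment.

    Nothing here is real malware: the "executables" are just an MZ header
    followed by filler bytes, and the file names are made up for the example.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # The classic lure: PDF-looking name, executable extension, PE header.
        zf.writestr("UPS_Invoice_3471.pdf.exe", b"MZ" + b"\x90" * 64)
        # An executable hiding behind a screensaver extension.
        zf.writestr("Shipping_Label.scr", b"MZ" + b"\x00" * 64)
        # Executable content with a harmless-looking extension.
        zf.writestr("tracking_details.txt", b"MZ" + b"\x00" * 64)
        # Genuinely benign members.
        zf.writestr("readme.txt", b"Your package is on its way.\n")
        zf.writestr("tracking.pdf", b"%PDF-1.4\n")
    return buf.getvalue()


def suspicious_members(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Return {member name: [reasons]} for every member worth blocking."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons: List[str] = []
            # Look only at the base name, lower-cased, split on dots.
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension .{ext}")
                if len(parts) > 2 and parts[-2] in DECOY_EXTS:
                    reasons.append(
                        f"double extension: .{parts[-2]} decoy before .{ext}"
                    )
            # Only the first two bytes are needed; do not inflate the whole
            # member in case the archive is large or hostile.
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ":
                reasons.append("starts with MZ (Windows executable header)")
                if ext not in EXECUTABLE_EXTS:
                    reasons.append(
                        "executable content behind a non-executable extension"
                    )
            if reasons:
                findings[info.filename] = reasons
    return findings


if __name__ == "__main__":
    for name, why in suspicious_members(build_sample_zip()).items():
        print(name)
        for reason in why:
            print("  -", reason)
```

The name check alone would miss the third member, and the header check alone says nothing about the double-extension trick that fools people into double-clicking; a mail gateway rule wants both, and should quarantine the whole archive rather than just the flagged member.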
CAN’T THE FBI TRACK THE PAYMENTS TO CATCH THIS GUY?
Not at the moment. The payment methods it demands are hard to trace to a person: Bitcoin (pseudonymous rather than truly anonymous, but still difficult to follow), MoneyPak or Ukash.
I HAVE A MAC, CAN I GET THIS ON MY MAC?
No. The malware itself only runs on Windows XP, Vista, 7 & 8. Files a Mac keeps on a shared network drive can still be encrypted, though, if an infected Windows PC has write access to that share.
On a separate note… Happy Halloween… I hope you get more treats than tricks…