Cryptolocker Ransomware: What You Need To Know

Antivirus companies have discovered new ransomware known as Cryptolocker.

This ransomware is particularly nasty because infected users are in danger of losing their files forever.

cryptolocker

Spread through email attachments, this ransomware has been seen targeting companies through phishing attacks.

Cryptolocker will encrypt users’ files using asymmetric encryption, which requires both a public and private key.

The public key is used to encrypt and verify data, while private key is used for decryption, each the inverse of the other.

Below is an image from Microsoft depicting the process of asymmetric encryption.

assemcrypto

The bad news is decryption is impossible unless a user has the private key stored on the cybercriminals’ server.

Currently, infected users are instructed to pay $300 USD to receive this private key.

Infected users also have a time limit to send the payment. If this time elapses, the private key is destroyed, and your files may be lost forever.

Files targeted are those commonly found on most PCs today; a list of file extensions for targeted files include:
3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx

In some cases, it may be possible to recover previous versions of the encrypted files using System Restore or other recovery software used to obtain “shadow copies” of files. The folks at BleepingComputer have some additional insight on this found here.

Removal:

Although CryptoLocker itself is readily removed, files remain encrypted in a way which researchers have considered infeasible to break.   Payment often, but not always, has been followed by files being decrypted.

Prevention:

New Orleans Technology Services has already installed a plug-in on each user workstation that will help prevent Crypto Locker from accessing user files once downloaded but we cannot guarantee the virus will not be successful.

The biggest defense may also be the easiest to apply.  If you get an email from somebody you do not know, especially if it’s got attachments, don’t open anything with it, just delete the email.  If you don’t know who is sending that email or if the subject is foreign to you, simply click delete.
Additionally, Google Mail, Google Apps for Business and Microsoft Hosted Exchange Services are currently blocking emails that contains the virus.  Unfortunately free services like Yahoo, AOL, and other free email hosting services included with Wed Site hosting like JustHost, BlueHost and HostGator are not.    If your organization uses or allows access to email not blocking the virus, you should consider this virus to be extremely high risk.