File-trashing Cryptolocker PC malware

Yes, really nasty this one. A gent I know was hit by this and his backups were found wanting so he was forced to pay up.
 
rofl yeah,

this is one of the worst things going around at the moment, I know of someone who was stupid enough to open an email attachment containing an exe disguised as a .pdf, it encrypted their entire network share and the company had to pay $300.
 
rofl yeah,

this is one of the worst things going around at the moment, I know of someone who was stupid enough to open an email attachment containing an exe disguised as a .pdf, it encrypted their entire network share and the company had to pay $300.

You knew someone working for a departmentalised company who was 'stupid' enough to open a pdf they were sent on their work email within the company's email system?

There isn't much stupid going on there, I'd say 95% of users would do that, and the other 5% were too lazy to get round to it yet.
 
You knew someone working for a departmentalised company who was 'stupid' enough to open a pdf they were sent on their work email within the company's email system?

There isn't much stupid going on there, I'd say 95% of users would do that, and the other 5% were too lazy to get round to it yet.

Opening any attachment from someone you don't recognize or aren't expecting is stupid, no excuses.
 
It's the company's fault for not having backups they could restore from.

Cryptolocker should hopefully shock those of you who don't back up your files into doing something. Cryptolocker can hit any files that your user account has permission to write to - so a Windows 8 File History on a NAS or an external drive, or a Shadow Copy, isn't enough to ensure you can get your stuff back without paying the ransom (although if you are hit the general consensus seems to be that paying the ransom does decrypt your stuff, I'm sure we could all do without the $300 bill). Having your data on a RAID1 array is also not a backup.

You need backup that is removed from your PC - so either an external drive that you back up to once a day and then disconnect, or an online backup system that keeps previous versions of files so you can restore even if some of the encrypted files get backed up. There are loads of providers that offer this and it's normally no more than $5 a month.

And if you're acting a bit smug because you have backups in place, now is the time to do a test restore to make sure you have all the encryption keys or passwords that you need to get your data back.
 
And for those of you looking after Windows networks, please use Group Policy to turn off the stupid default of hiding file extensions.
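As an added illustration of why that default matters (example code written for this thread, not from any poster): a small Python check that flags filenames like "invoice.pdf.exe", which Explorer shows as "invoice.pdf" when extensions are hidden. The extension lists and the sample listing are constructed assumptions, not data from the thread.

```python
import os

# Extensions a user expects to open as a document or picture (assumed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt", ".zip"}
# Extensions Windows actually runs as a program on double-click (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def visible_name(filename: str) -> str:
    """Name Explorer displays with 'hide extensions for known file types' on."""
    base = os.path.basename(filename)
    stem, ext = os.path.splitext(base)
    known = ext.lower() in DOCUMENT_EXTS | EXECUTABLE_EXTS
    return stem if known else base


def is_disguised_executable(filename: str) -> bool:
    """True when the file is executable but its displayed name looks like a document."""
    base = os.path.basename(filename).lower()
    stem, real_ext = os.path.splitext(base)
    if real_ext not in EXECUTABLE_EXTS:
        return False
    _, shown_ext = os.path.splitext(stem)
    return shown_ext in DOCUMENT_EXTS


def scan_names(names):
    """Return (real filename, displayed name) pairs that should be flagged."""
    return [(n, visible_name(n)) for n in names if is_disguised_executable(n)]


# Constructed sample directory listing (no real files) to exercise the check.
SAMPLE_LISTING = [
    "Invoice_2013-10.pdf.exe",
    "report.docx",
    "holiday_photo.jpg.scr",
    "setup.exe",
    "notes.txt",
    "ORDER.PDF.EXE",
]

if __name__ == "__main__":
    for real, shown in scan_names(SAMPLE_LISTING):
        print(f"FLAG: displayed as {shown!r}, actually {real!r}")
```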
 
One of my company's clients got it and not only did the thing encrypt the local computer, but was found working through the network shares and ultimately encrypted their entire shared drive... Backup restored as nothing could be done.
 
Really nasty piece of work this one, we've had a few customers get it that required their data so had to pay it to get the data back.
 
AV can make things worse. If you 'clean' the virus whilst your files are still encrypted then there is no chance of getting your stuff back since it deletes any reference to what private key is needed to decrypt your files.
 
As dodgy/nasty as it is, I have to say, it's pretty impressive :eek:

Is a dodgy link the main (only?) way that computers are getting infected?
 
As dodgy/nasty as it is, I have to say, it's pretty impressive :eek:

Is a dodgy link the main (only?) way that computers are getting infected?

You could potentially be part of the collateral damage, e.g. it can spread through locally networked devices.
 
AV can make things worse. If you 'clean' the virus whilst your files are still encrypted then there is no chance of getting your stuff back since it deletes any reference to what private key is needed to decrypt your files.

Any decent AV should be catching this on the original inbound email long before it's had a chance to encrypt anything.
 