It can happen in an instant. You click on an attachment from Granny and the next thing you know you are watching your files getting locked up before your eyes. Then an important-looking message pops up on your desktop demanding you pay a substantial fee to a group you’ve never heard of using an online payment method. They make it clear – pay now or you’ll never see the precious photos of your Chihuahuas again.
You sit in shocked silence. You then do everything you can think of to get a look at your data. No luck. There don’t seem to be many options. Cryptolocker is holding your data ransom.
Cryptolocker, and its cousin CryptoWall, are malicious Trojan programs, also called “ransomware”, that take your data files hostage by encrypting the data stored in the file. The encryption process rewrites your files in a way that prevents them from being opened normally. An encrypted file can only be unlocked with the matching “secret key”; the encryption used is virtually impossible to break if you don’t have that key, and in the case of Cryptolocker and CryptoWall the key is held by the malware’s operators, who will only provide it if you pay a ransom for your data.
These viruses usually target Microsoft Windows computers and were first seen in the wild in September 2013. There have been instances in which this kind of phishing scam has targeted Android phones and Mac users, so no one is totally safe. Always remember to follow safe browsing practices to protect your identity.
The most common way we see computers become infected is when our clients open infected files attached to an email they receive. The virus itself can be removed, but the files will remain encrypted. There is no simple solution to decrypting those files. A user may choose to:
- Pay the ransom [which does not always lead to the files being decrypted],
- Restore the files from good backups, [if you have them], or
- Try data-recovery options [generally very expensive and also not guaranteed].
Recently, the CryptoLocker 1 virus was isolated and, in late May 2014, Operation Tovar took down the Gameover ZeuS botnet that had been used to distribute the malware. In addition, security firms FireEye and Fox-IT have managed to recover the encryption keys used by CryptoLocker’s authors. These groups have set up a private website that will allow victims to test an encrypted file to see if the security outfits have isolated a key that will let victims decrypt their files. Unfortunately, experts have identified at least 3 versions of CryptoLocker and 2 versions of CryptoWall in circulation. FireEye warns that some data may not be recoverable using their portal, especially if a victim’s machine is infected with a variant of the virus and not the CryptoLocker virus itself.
We recommend developing a strong anti-malware strategy to prevent contracting the Cryptolocker or similar virus. The strategy should include all of the following steps:
- Use safe browsing practices,
- Buy and install a quality triple protection antivirus/antispyware/antiphishing program (covering Windows, Mac and Android machines) to help prevent infection, and
- Make regular backups of your files so you can restore your data from backup should you become a victim of this kind of malware infection.
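A backup only helps if it was taken before the files were rewritten. The script below is an added example (not code from the original post or from Geek Squad) that ties the two points above together: it records SHA-256 hashes of a known-good backup set, then re-checks a later copy of the same files. Any file whose hash no longer matches is reported as changed, and changed files whose contents look like random data (high Shannon entropy, the signature of the encryption rewrite described earlier) are flagged as probably encrypted. Compressed formats such as zip, JPEG or PDF are naturally high-entropy, so those are excluded by their leading bytes to limit false alarms. The file contents, names and the 7.2-bit threshold are constructed for the example and are assumptions, not values from the post.

```python
import hashlib
import math
import random
from collections import Counter

# --- Constructed sample data (not from the original post) ---------------------
_rng = random.Random(2014)  # fixed seed so the example is reproducible offline


def _constructed_document(n: int) -> bytes:
    """Plain-text stand-in for an ordinary document (low entropy)."""
    text = b"Quarterly budget notes for the Chihuahua rescue: vet bills, food, toys. "
    return (text * (n // len(text) + 1))[:n]


def _constructed_locked(n: int) -> bytes:
    """Stand-in for a file after ransomware rewrote it: pseudo-random bytes."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


# The "good" backup: file name -> bytes, as recorded before any infection.
BASELINE = {
    "budget.txt": _constructed_document(4096),
    "photos/chihuahua1.jpg": b"\xff\xd8\xff\xe0" + _constructed_locked(4092),
    "letter.docx": b"PK\x03\x04" + _constructed_locked(4092),  # docx is a zip container
}

# The same set re-read later: budget.txt was rewritten by the malware,
# letter.docx was legitimately re-saved (still a zip), the photo is untouched.
AFTER = dict(BASELINE)
AFTER["budget.txt"] = _constructed_locked(4096)
AFTER["letter.docx"] = b"PK\x03\x04" + _constructed_locked(4092)

# --- Manifest and detection logic --------------------------------------------
# Leading bytes of formats that are high-entropy by design (assumed allowlist).
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\x89PNG", b"\xff\xd8\xff", b"%PDF")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Record a hash per file while the backup is known to be good."""
    return {name: sha256(data) for name, data in files.items()}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for a constant file up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def looks_compressed(data: bytes) -> bool:
    return data.startswith(COMPRESSED_MAGIC)


def check_backup(manifest: dict[str, str], files: dict[str, bytes],
                 threshold: float = 7.2) -> dict[str, list[str]]:
    """Compare a backup set against its manifest and flag probable encryption.

    Returns sorted name lists under: unchanged, changed, suspect, missing, added.
    'suspect' is the subset of 'changed' whose new content is near-random and
    does not start like a known compressed format.
    """
    report = {"unchanged": [], "changed": [], "suspect": [], "missing": [], "added": []}
    for name in sorted(set(manifest) | set(files)):
        if name not in files:
            report["missing"].append(name)
            continue
        if name not in manifest:
            report["added"].append(name)
            continue
        data = files[name]
        if sha256(data) == manifest[name]:
            report["unchanged"].append(name)
            continue
        report["changed"].append(name)
        if shannon_entropy(data) >= threshold and not looks_compressed(data):
            report["suspect"].append(name)
    return report


if __name__ == "__main__":
    manifest = build_manifest(BASELINE)
    for key, names in check_backup(manifest, AFTER).items():
        print(f"{key:>9}: {names}")
```

Run it and `budget.txt` lands under `suspect`, `letter.docx` under `changed` only, and the photo under `unchanged`. In practice the manifest would be written to media the infected machine cannot reach (an offline drive or a separate account), since a backup that the malware can also encrypt is not a "good backup" in the sense the list above means.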
If any of your machines have been infected by Cryptolocker or similar malware, we’re here to help. We have Agents standing by available to chat if you need help immediately, or look into our Tech Support service plan so you are ready if the worst happens.
Agent Kate B is a 3-year veteran of Geek Squad, currently on assignment at Geek Squad City. Follow Agent Kate on Twitter @AgentKateB.