WARNING: Virus - Cryptolocker Ransomware

posted Sep 30, 2013, 9:01 AM by Andrew Clements   [ updated Sep 30, 2013, 9:06 AM ]
Hi Everybody,

It has become apparent that a virus is currently in circulation which is causing huge problems for organisations large and small. There is currently no official protection against this virus. The best form of protection is to ensure that you regularly back up all of your data multiple times, and at least 1 version of your backup data should be completely disconnected from all computers and remain in storage.

What is it?
Cryptolocker is the most recent version of a virus that infects your computer and starts to secretly encrypt your files. It does not make itself known until the files are fully encrypted and it is undetectable by many kinds of anti-virus software. Once the process is complete, the virus activates and requests that you send an amount of money to unlock your files.

Will my anti-virus delete it?
It is possible to remove the virus, but if your files have been encrypted the only way to decrypt them is to pay the 'ransom' for the unlock code. Most anti-virus software is ineffective against this particular virus and will be disabled. In some cases the virus can be deleted, but the files will remain encrypted, at which point you will be forced to re-infect your computer to allow for payment/decryption.

How is the virus spread?
Generally the virus is spread via email, masquerading as a 'Customer Complaint' - please be extra vigilant when opening any files from email attachments. Be very wary of any files that end in '.exe'.

Can I prevent my computer from being infected?
[Technical Answer] Some of the guys on the reddit post have theorised, and tested on a small scale, a solution where software restriction policies (SRP) are used to prevent all executables from being run from within AppData/Roaming, which will prevent the virus from activating. SRPs will not automatically apply to subfolders and must be established for each folder affected; further details on this method can be found here.
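The SRP approach described above, as an added example that is not part of the original post: it writes "Disallowed" path rules for .exe files under the roaming AppData folder and one level of subfolders. It assumes an elevated PowerShell session on a standalone (non-domain) Windows machine; the two path patterns are this example's choice, and domain-joined machines should get the same rules via Group Policy instead.

```powershell
# Added example (not from the original post): Software Restriction Policy
# "Disallowed" path rules so executables under %AppData% cannot be launched.
# Assumes an elevated PowerShell session on a standalone Windows machine.

$safer      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $safer '0\Paths'   # level 0 = Disallowed

# SRP path rules do not descend into subfolders on their own (as the post
# notes), so the subfolder pattern is listed as a separate rule.
$rules = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe'
)

# Policy root: default level Unrestricted (0x40000) so only the listed paths
# are blocked; PolicyScope 0 applies the policy to all users.
if (-not (Test-Path $safer)) { New-Item -Path $safer -Force | Out-Null }
Set-ItemProperty -Path $safer -Name 'DefaultLevel'       -Value 0x40000 -Type DWord
Set-ItemProperty -Path $safer -Name 'TransparentEnabled' -Value 1       -Type DWord
Set-ItemProperty -Path $safer -Name 'PolicyScope'        -Value 0       -Type DWord

foreach ($pattern in $rules) {
    # Each path rule lives in its own GUID-named key under the Disallowed level.
    $key = Join-Path $disallowed ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'ItemData'     -Value $pattern -Type ExpandString
    Set-ItemProperty -Path $key -Name 'SaferFlags'   -Value 0        -Type DWord
    Set-ItemProperty -Path $key -Name 'Description'  -Value 'Block .exe in roaming AppData (ransomware mitigation)'
    Set-ItemProperty -Path $key -Name 'LastModified' -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

# Verify: list the path rules now present at the Disallowed level.
Get-ChildItem $disallowed | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
```

The rules take effect after a policy refresh (`gpupdate /force`) or a reboot; confirm with a harmless test executable copied into %AppData% before relying on them, and remember that legitimate installers which run from that folder will also be blocked.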

Will it affect other computers in my office?
Almost certainly, the virus attacks all connected network equipment and media. All USB media should be wiped to prevent further infection.

Will I get my files back if I pay?
Possibly - Around 80% of users who have paid for the password to unlock their files have successfully received the correct unlock code. The following issues have been noted:
  • If you try to move your files to a different location, this will prevent the unlock code from working
  • If the timer expires, it will not be possible to unlock your files
  • If you make attempts to remove the virus it may prevent any unlock codes from working, or shorten the amount of time remaining

Do I have to pay? Is there any other way to fix my computer?
The easiest, cheapest and most reliable way to resolve this issue is to restore your computer using a recent backup. The backup must not be connected to or stored on the infected computer. Even if the backup is only connected via a network it may be corrupted. The virus is clever and will hunt for previous backups and corrupt the data beyond repair.

If you have shadow backup or system restore you may have some success with http://www.shadowexplorer.com/

If you have a working backup, you can wipe your computer and reinstall using your most recent backup. This is effective at restoring your computer, please remember that you may lose some files depending on how recent your backup is!

Please remember that once you have restored your computer from a backup you will be vulnerable again to attack, if possible, investigate how the infection started to close down any vulnerability and be extra vigilant when opening files.

What if I don't have backups?
It is possible you will lose the files affected.

Can I just guess the code or hack it?
No.

What is UKash, CashU, MonkeyPak & BitCoin?
These are services for transferring money over the internet which are very difficult or impossible to trace. These services are generally reputable. Bitcoin is a type of electronic currency which offers the best security, as bitcoins can be obtained from a variety of sources, but it requires more technical knowledge to process.

It has been suggested that some credit cards will allow you to 'charge back' the amount, so it may be worth contacting your bank for more information, as this virus is legally considered extortion. However, please ensure your files are fully decrypted and backed up somewhere safe before attempting to claim back any funds.

If you have any additional questions you can submit them below or contact LSCP on 0151 270 1703; please contact your IT support provider first, as time is very important!