Update 12/20/2013: A new version of Cryptolocker—dubbed Cryptolocker 2.0—has been discovered by ESET, although researchers believe it to be a copycat of the original Cryptolocker after noting large differences in the program’s code and operation. You can read the full blog comparing the two here.
Just last month, antivirus companies discovered a new ransom ware known as Cryptolocker. This ransom ware is particularly nasty because infected users are in danger of losing their personal files forever.
Spread through email attachments, this ransom ware has been seen targeting companies through phishing attacks. Cryptolocker will encrypt users’ files using asymmetric encryption, which requires both a public and private key. The public key is used to encrypt and verify data, while private key is used for decryption, each the inverse of the other.
The bad news is decryption is impossible unless a user has the private key stored on the cybercriminals’ server. Currently, infected users are instructed to pay $300 USD to receive this private key. Infected users also have a time limit to send the payment. If this time elapses, the private key is destroyed, and your files may be lost forever.
Files targeted are those commonly found on most PCs today; a list of file extensions for targeted files include:
3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx
In some cases, it may be possible to recover previous versions of the encrypted files using System Restore or other recovery software used to obtain “shadow copies” of files. The folks at BleepingComputer have some additional insight on this.
Worse yet, there are numerous reports of usage of credit card numbers used to purchase the private keys to unlock files for other uses.
Anti-Malware and Anti-Virus programs detect Cryptolocker infections as Trojan.Ransom, but it cannot recover your encrypted files due to the nature of asymmetric encryption, which requires a private key to decrypt files encrypted with the public key.
While Anti-Malware programs such as Malwarebytes cannot recover your encrypted files post-infection, we do have options to prevent infections before they start.
Best Practice Defenses:
Information is the first line of defense. I everyone knows threats exist and how to avoid them your systems are better protected.
Published Policies relating to the usage of computer systems foils many would be attacks.
Anti-Virus/Malware and Systems Monitoring
Up to date anti-virus and malware detection software will help stop most known attacks. Systems monitoring systems are inexpensive and can eliminate most attacks even zero-day attacks not yet known.
The existence of malware such as Cryptolocker reinforces the need to back up files. However, a local backup may not be enough in some instances, as Cryptolocker may even go after backups located on a network drive connected to an infected PC.
Cloud-based backup solutions are advisable for business professionals and consumers alike.