Beware of the CryptoLocker Virus

Ransomware is on the rise. Beware of the CryptoLocker virus!

The Ransomware known as CryptoLocker can infect your PC by:

  • Emails sent to company addresses that pose as customer support notices from FedEx, UPS, DHS, etc. These emails carry an attachment that infects the computer when opened.
  • Exploit kits hosted on hacked websites that exploit vulnerabilities on your computer to install the infection.
  • Trojans that pretend to be programs required to view online videos. These are typically encountered on porn sites.

What happens when you become infected with CryptoLocker ransomware

Once the infection is active on your computer it will scan your drives (local and network) and encrypt the following types of files with a mix of RSA and AES encryption: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

For each file that is encrypted, a registry value will be created under this key: HKCU\Software\CryptoLocker\Files

After a while, typically as long as it takes to encrypt the detected data files, you will be shown a screen titled CryptoLocker that contains a ransom note explaining how to decrypt your files. Depending on the version of CryptoLocker that is installed, the ransom may be for $100 or $300 (USD/EUR). This payment can be made via Bitcoin, MoneyPak, Ukash, or cash. You will also be shown a countdown stating that you need to pay the ransom within 72 hours. Failure to do so will cause the decryption tool to be deleted from your computer.

More detailed information about what this infection does when run can be found in this post by Fabian Wosar of Emsisoft.

Are there any tools that can be used to decrypt your files?

Unfortunately, at this time there is no way to retrieve the key used to encrypt your files. Brute forcing the encryption key is realistically not possible due to the length of time required to break the key. Any decryption tools that have been released by various companies will not work with this infection. The only method you have of restoring your files is from a backup, or, if you have System Restore enabled, through the Shadow Volume Copies that are created every time a restore point is created. More information about how to restore your files via Shadow Volume Copies can be found in the next section.

If you do not have System Restore enabled on your computer or reliable backups, then you will need to pay the ransom to get your files back. Please note that there have been cases where people have paid the ransom and the decryption did not work for whatever reason. Furthermore, if you do not pay the ransom within the allotted time, the CryptoLocker decryption tool will be removed from your system, making it much more difficult, if not impossible, to restore your files.

How to generate a list of files that have been encrypted

If you wish to generate a list of files that have been encrypted, you can download this tool:

http://download.bleepingcomputer.com/grinler/ListCrilock.exe

When you run this tool it will generate a log file that contains a list of all encrypted files. Once it has completed it will automatically open this log in Notepad.

How to restore your encrypted files from Shadow Volume Copies

If System Restore is enabled on your computer, then it is possible to restore previous versions of the encrypted files. Though these previous versions will not be encrypted, they may also not be the latest version of the file. Please note that Shadow Volume Copies, and thus Previous Versions, are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, & Windows 8.

To restore individual files you can right-click on the file and select the Previous Versions tab. This tab will list all copies of the file that have been stored in a Shadow Volume Copy. You can then select an earlier version and restore it.

Due to the number of files encrypted by CryptoLocker, restoring them one by one can be a time-consuming and arduous task. Instead, you can use a program called Shadow Explorer to restore entire folders at once. When downloading the program, you can use either the full install download or the portable version, as both offer the same functionality.
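The two manual steps above, listing the encrypted files from the CryptoLocker registry key and pulling pre-encryption copies out of a Shadow Volume Copy, can be scripted. The following PowerShell is an added example written for this post; it is not code from Nettology, from ListCrilock, or from Shadow Explorer. It assumes the registry key named earlier is present, that each value name under it can be used as the full path of one encrypted file (an assumption: compare the first few entries with the ListCrilock log before relying on it), and that at least one shadow copy of the drive exists. The function names, the mount folder C:\ShadowMount and the output folder C:\Restored are choices made for this example. Run it from an elevated PowerShell session on the affected machine.

```powershell
# Added example: enumerate CryptoLocker's per-file registry values, then copy the
# pre-encryption versions of those files out of the newest shadow copy.
# Assumptions (not stated by the post): value names are full file paths; the
# drive holding the files has a shadow copy; the session is elevated.

$KeyPath = 'HKCU:\Software\CryptoLocker\Files'   # key named in the post

function Get-CryptoLockerFileList {
    # One registry value per encrypted file; returns the value names (paths).
    if (-not (Test-Path $KeyPath)) { return @() }
    (Get-Item $KeyPath).GetValueNames()
}

function Get-LatestShadowCopy {
    param([string]$DriveLetter = 'C:')
    # Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName are both volume GUID paths.
    $volume = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $DriveLetter }
    Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID } |
        Sort-Object InstallDate -Descending |
        Select-Object -First 1
}

function Restore-FromShadowCopy {
    param(
        [Parameter(Mandatory)][string[]]$Paths,
        [string]$DriveLetter = 'C:',
        [string]$LinkPath    = 'C:\ShadowMount',   # hypothetical mount point for the snapshot
        [string]$RestoreRoot = 'C:\Restored'       # restored copies go here, encrypted originals are left untouched
    )
    $shadow = Get-LatestShadowCopy -DriveLetter $DriveLetter
    if (-not $shadow) { throw "No shadow copy found for $DriveLetter" }

    # Expose the snapshot as a directory symlink; mklink needs the trailing backslash.
    cmd /c mklink /d $LinkPath "$($shadow.DeviceObject)\" | Out-Null
    try {
        foreach ($p in $Paths) {
            if (-not $p.StartsWith($DriveLetter, 'OrdinalIgnoreCase')) { continue }
            $relative = $p.Substring($DriveLetter.Length).TrimStart('\')
            $source   = Join-Path $LinkPath $relative
            $dest     = Join-Path $RestoreRoot $relative
            if (Test-Path -LiteralPath $source) {
                New-Item -ItemType Directory -Force -Path (Split-Path $dest) | Out-Null
                Copy-Item -LiteralPath $source -Destination $dest
            } else {
                # The file was created after the snapshot, so there is no clean copy of it.
                Write-Warning "No pre-encryption copy in snapshot: $p"
            }
        }
    } finally {
        cmd /c rmdir $LinkPath | Out-Null   # removes only the link, never the snapshot
    }
}

# Usage: save the list as evidence, then restore from the newest snapshot.
$files = Get-CryptoLockerFileList
$files | Set-Content -Path "$env:USERPROFILE\Desktop\encrypted-files.txt"
Restore-FromShadowCopy -Paths $files
```

The script deliberately writes recovered files into a separate folder rather than over the encrypted copies, so the originals stay available for comparison and for any later decryption attempt, and files the warning flags as absent from the snapshot are the ones that still need a backup or the Previous Versions tab on a share. As the post notes, the newest snapshot may still predate the last edits to a file, so check the recovered versions before deleting anything.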

Contact us today for your business!
