New viruses are released almost continuously and we are usually not out blaring the trumpets about them – the threat is always there, it is continuous, and we try to avoid FUD in our marketing. Taking precautions against malicious software and getting a proper backup should be routine.
However, in the past two weeks we have a seen a rash of reports about a new ransomware virus from security experts, blogs, forums and clients. Called Cryptolocker, the application infects a PC through common vectors (e-mail attachments mostly, from our experience) and is a drastic enough departure from the viruses we typically see that we felt it prudent to inform our readers. Similar to the “FBI Ransomware” and other screenlockers that prompt you to pay to regain access to your computer, this particular program goes a step further by encrypting all documents it can find – both on the local computer and across any mapped drives – rendering them completely unusable. The “ransom” it demands is usually around $300 and climbing. There are older variations that demand far more ($3000+), but they are not nearly as prolific as Cryptolocker.
Removal of the virus itself is trivial, but the file encryption is not. Although security firms have done extensive research, the encryption appears to be well-implemented and not reversible without the private key that is held by the authors of the malware. To the surprise of many, paying the ransom does seem to have a very high success rate at decrypting the files.
Backup Your Files – Don’t just assume the backups are running either. Double-check. Triple-check. Make sure every important file is included in the backup set. Perform test restores. On the consulting jobs we’ve been called in to where the client ended up paying the ransom, every single one “thought” they were backing up using an in-house system, but it either failed to restore or had not been running as expected.
Run Updated Antivirus Software – When we first checked, Cryptolocker only had a 15% detection rate among the top 50 antivirus applications. That’s certainly not fantastic, but still no excuse for passing up on basic endpoint protection.
Do Not Open Suspicious Attachments – A recent study found that up to 40% of users would still click a link out of curiosity, even after being told it was probably malicious. The bottom line here is that you should look at every link and attachment with a certain degree of suspicion, particularly if it is unexpected or coming from someone you do not know.
If you’ve followed all the steps above and still find yourself victimized, paying the ransom is NOT suggested – this only validates and encourages the creators of these programs. Disconnect the affected computer, contact a trusted I.T. consultant immediately, and start work on restoring the encrypted files from a backup.