Beware of Cryptolocker Malware


What is Cryptolocker?


It seems a new breed of ransomware is making its rounds around the Internet. It's called Cryptolocker. This new variant is particularly damaging because it encrypts the files on your PC, such as Word documents, pictures, spreadsheets, etc., with very strong encryption, which makes it nearly impossible to recover your files. What makes it worse is that once infected, Cryptolocker will not only encrypt files on your hard drive, but it will also scan for any mapped network drives and Samba/Windows shares, and if it has access, it will encrypt files on those as well.

From the Bleeping Computer Cryptolocker FAQ:

CryptoLocker will then begin to scan all physical or mapped network drives on your computer for files with the following extensions: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c. When it finds a file that matches one of these types, it will encrypt the file using the public encryption key and add the full path to the file and the filename as a value under the HKEY_CURRENT_USER\Software\CryptoLocker\Files Registry key.


The fact that it can also encrypt files on mapped network drives makes this infection very damaging and dangerous for businesses. The virus also demands payment of $300 USD within 72 hours, or else it will destroy the private key needed to decrypt your files. This means your files will be lost forever.

Note: As of this time, there is no method available to decrypt files locked by Cryptolocker. It uses strong encryption with 2048-bit keys, which are simply not possible to brute force. I DO NOT recommend paying them.
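If you suspect a machine is infected, the registry key named in the FAQ quoted above tells you exactly which files were hit, and whether any of them live on a share. The PowerShell script below is an added example, not code from the original post or from the BleepingComputer FAQ. It reads HKCU\Software\CryptoLocker\Files (each value name is the full path of an encrypted file), splits those paths into local files and files on mapped or UNC shares, counts how many files under a given share carry one of the targeted extensions, and lists the Volume Shadow Copies present on the box. It assumes only the value layout the FAQ describes; the extension list is copied from the quote (img_*.jpg is covered by .jpg). Run it as the affected user, since the key is per-user.

```powershell
# Added example (not from the original post or the BleepingComputer FAQ):
# triage for a suspected Cryptolocker infection on the affected user's PC.

$CryptoLockerKey = 'HKCU:\Software\CryptoLocker\Files'

# Extension list from the FAQ quoted above.
$TargetExtensions = @(
    '.odt','.ods','.odp','.odm','.odc','.odb','.doc','.docx','.docm','.wps',
    '.xls','.xlsx','.xlsm','.xlsb','.xlk','.ppt','.pptx','.pptm','.mdb','.accdb',
    '.pst','.dwg','.dxf','.dxg','.wpd','.rtf','.wb2','.mdf','.dbf','.psd',
    '.pdd','.pdf','.eps','.ai','.indd','.cdr','.jpg','.jpe','.dng','.3fr',
    '.arw','.srf','.sr2','.bay','.crw','.cr2','.dcr','.kdc','.erf','.mef',
    '.mrw','.nef','.nrw','.orf','.raf','.raw','.rwl','.rw2','.r3d','.ptx',
    '.pef','.srw','.x3f','.der','.cer','.crt','.pem','.pfx','.p12','.p7b',
    '.p7c'
)

function Get-CryptoLockerEncryptedFiles {
    # Each value name under the key is the full path of an encrypted file.
    # Returns an empty array if the key is absent (no infection recorded).
    if (-not (Test-Path -Path $CryptoLockerKey)) { return @() }
    return (Get-Item -Path $CryptoLockerKey).GetValueNames()
}

function Split-LocalAndShare {
    param([string[]]$Paths)
    # Mapped drives expose their UNC target in DisplayRoot (PowerShell 3+),
    # which is how we tell a mapped share letter from a local disk letter.
    $mapped = Get-PSDrive -PSProvider FileSystem |
        Where-Object { $_.DisplayRoot } |
        ForEach-Object { $_.Name.ToUpper() }
    $local = @(); $onShare = @()
    foreach ($p in $Paths) {
        $drive = ''
        if ($p -match '^([A-Za-z]):') { $drive = $Matches[1].ToUpper() }
        if ($p.StartsWith('\\') -or ($mapped -contains $drive)) { $onShare += $p }
        else { $local += $p }
    }
    return [pscustomobject]@{ Local = $local; Share = $onShare }
}

function Get-ExposedFileCount {
    param([Parameter(Mandatory)][string]$Root)
    # Counts files under $Root whose extension is on the target list, to size
    # the exposure of a share that is still reachable.
    $files = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $TargetExtensions -contains $_.Extension.ToLower() }
    return ($files | Measure-Object).Count
}

function Get-ShadowCopies {
    # Shadow copies may still hold pre-encryption versions of the files.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, VolumeName, InstallDate
}

# --- report ---
$recorded = Get-CryptoLockerEncryptedFiles
$split    = Split-LocalAndShare -Paths $recorded
'Files recorded as encrypted: {0} (local: {1}, on shares: {2})' -f `
    $recorded.Count, $split.Local.Count, $split.Share.Count
'First encrypted paths on shares:'
$split.Share | Select-Object -First 20
'Shadow copies present:'
Get-ShadowCopies | Format-Table -AutoSize
# To size a share that is still mapped, e.g. drive Z: (replace with yours):
# Get-ExposedFileCount -Root 'Z:\'
```

The share list is the part to act on first: every path on a share means another user's or department's data was reachable through this account, so those shares need to be taken offline or restored from backup before the next person with write access is infected.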

How does Cryptolocker Infection Spread?

Infections like Cryptolocker spread through the normal infection channels: malicious links via social media, email attachments from bogus/phishing emails, booby-trapped web sites, and malicious advertisements.

It is very important that you are careful about what web sites you visit, and what links you click on.

How can I remove Cryptolocker?

Cryptolocker can be removed by MalwareBytes Anti-Malware, Hitman Pro, and various other removal utilities. Below are a few good FAQs about how to remove this infection from your computer.

Remember, removing the virus WILL NOT decrypt your files. There is no way yet to decrypt files encrypted by Cryptolocker. Volume Shadow Copies can be used to restore previous versions of those files, but nothing short of a good backup is going to save your files once they have been encrypted.

The Bleeping Computer Cryptolocker FAQ has a wealth of information on how to remove this ransomware.

Another resource is the MalwareBytes Anti-Malware blog.

How can I prevent getting Infected with Cryptolocker?

To prevent a Cryptolocker infection, follow these best practices:

1. Practice Safe Hex - This means don't follow links, open attachments, or run programs from untrusted sources. If you receive an email with an attachment you're not expecting from someone you know, follow up with that person and verify it's legitimate before attempting to open it.

2. Keep up-to-date Anti-Virus and Firewall Software on your PC - This one is pretty self-explanatory, but just make sure you keep your security software updated. In doing so, you will have a better chance of detecting this nasty ransomware before it has a chance to infect your system.

3. This is the BIG ONE - Implement Software Restriction Policies - Software Restriction Policies allow you to create a "whitelist" of applications that are allowed to run on your PC; all other applications or files not whitelisted (including those from the Internet) are blocked from running, period. The only way they could run is if you explicitly right-clicked the executable, forced it to "Run as Administrator", and clicked through the User Account Control prompt. Getting infected would have to be intentional.

Software Restriction Policies require no signature updates or anything else; you just set your policies and you're done. You will block all software from running except what you whitelisted. Software Restriction Policies will stop Cryptolocker, and any other malware, dead in its tracks because it simply won't be allowed to run at all, so the infection is mitigated.

This is easier than it sounds; just follow Mechbgon's SRP Guide. You will have a good SRP set up in about 15 minutes, and you will not have to worry about Cryptolocker or most other malware infections any longer, as long as you practice safe hex.
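Mechbgon's guide walks through the Local Group Policy Editor. For anyone who would rather script the same default-deny policy, the PowerShell below is an added example, not code from the original post or from Mechbgon's guide. It writes to the registry keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer that gpedit.msc manages: the default level becomes Disallowed, Unrestricted path rules cover the Windows and Program Files folders (which standard users cannot write to, so properly installed programs keep working while an attachment saved under a profile or temp folder will not launch), and Disallowed rules close the user-writable folders inside the Windows directory, since a more specific path rule wins. The value names and levels are the ones I know gpedit writes on Windows 7 through 10; that layout is the script's assumption, so test it on one machine first. Run it from an elevated prompt, then sign out and back in.

```powershell
# Added example (not from the original post or Mechbgon's guide): a
# default-deny Software Restriction Policy written to the registry keys
# that gpedit.msc manages. Assumes the value layout gpedit writes on
# Windows 7-10. Run elevated; sign out and back in to apply.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0x00000000   # SRP security level "Disallowed"
$Unrestricted = 0x00040000   # SRP security level "Unrestricted"

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$Level,
        [string]$Description = ''
    )
    # Each path rule is a GUID-named key under <level>\Paths.
    $ruleKey = '{0}\{1}\Paths\{2}' -f $Safer, $Level, [guid]::NewGuid().ToString('B')
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
}

function Set-SrpDefaultDeny {
    New-Item -Path $Safer -Force | Out-Null
    Set-ItemProperty -Path $Safer -Name DefaultLevel        -Value $Disallowed -Type DWord
    # 1 = all software files except libraries (DLLs); 2 would include DLLs.
    Set-ItemProperty -Path $Safer -Name TransparentEnabled  -Value 1 -Type DWord
    # 1 = all users except local administrators. An elevated "Run as
    # administrator" launch is therefore exempt, as the post describes.
    Set-ItemProperty -Path $Safer -Name PolicyScope         -Value 1 -Type DWord
    Set-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Value 0 -Type DWord
    # Blocked launches are appended to this log, which helps when tuning rules.
    Set-ItemProperty -Path $Safer -Name LogFileName -Value 'C:\Windows\Temp\srp-blocked.log' -Type String
    # Designated file types SRP treats as executable (Windows default list).
    Set-ItemProperty -Path $Safer -Name ExecutableTypes -Type MultiString -Value @(
        'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
        'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
        'SCR','SHS','URL','VB','WSC')

    # Allow the locations standard users cannot write to (registry-path form,
    # as gpedit's own default rules use).
    Add-SrpPathRule -Level $Unrestricted -Description 'Windows' `
        -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%'
    Add-SrpPathRule -Level $Unrestricted -Description 'Program Files' `
        -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'
    Add-SrpPathRule -Level $Unrestricted -Description 'Program Files (x86)' `
        -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%'
    # Close user-writable folders inside %SystemRoot%; the more specific rule wins.
    Add-SrpPathRule -Level $Disallowed -Description 'Windows Temp'  -Path '%SystemRoot%\Temp'
    Add-SrpPathRule -Level $Disallowed -Description 'Windows Tasks' -Path '%SystemRoot%\Tasks'
}

function Get-SrpRules {
    # Reads back every path rule with its level, to confirm what was written.
    foreach ($level in @($Disallowed, $Unrestricted)) {
        $levelName = 'Unrestricted'
        if ($level -eq $Disallowed) { $levelName = 'Disallowed' }
        $paths = '{0}\{1}\Paths' -f $Safer, $level
        if (-not (Test-Path -Path $paths)) { continue }
        foreach ($rule in Get-ChildItem -Path $paths) {
            $props = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{ Level = $levelName; Path = $props.ItemData; Note = $props.Description }
        }
    }
}

Set-SrpDefaultDeny
'Default level now: {0}' -f (Get-ItemProperty -Path $Safer).DefaultLevel
Get-SrpRules | Format-Table -AutoSize
```

After signing back in, try launching an executable from your Downloads folder: it should be refused with "This program is blocked by group policy", and the refusal is written to the log file set above. Anything legitimate that lives outside Program Files (portable tools, some updaters) needs its own Unrestricted rule, which is the 15 minutes of tuning the guide talks about.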

Stay safe out there. I hope no one else gets hit with this!

Acknowledgements

Bleeping Computer Cryptolocker FAQ
Cryptolocker Ransomware: What You Need to Know (MalwareBytes)
You’re infected—if you want to see your data again, pay us $300 in Bitcoins (Ars Technica)
Cryptolocker: Its Spam and Zeus/Zbot Connection (Trend Micro)
Snopes - Cryptolocker
Sophos Naked Security - Cryptolocker



Disclaimer: I am not responsible for anything that may happen to your PC when changing settings or changing registry values. If you choose to make changes, you do so at your own risk. You are solely responsible for any damage to your computer, data, or other hardware due to user error, inadequate cooling, too high of voltages, incorrect software settings, and any other factors. Please remember to back up your computer before attempting this. If overclocking, do not overclock on the stock AMD or Intel CPU heatsink and fans. Use aftermarket cooling heat sinks of sufficient TDP or water cooling to ensure the best chance of not having premature hardware failure. As always, remember to back up your data before attempting any change. I am not responsible for data loss or damage of any kind.

