This is by far the worst computer virus (ransomware) attack I've ever seen.

If you get infected with this one there is no recovery except to pay the ransom!

CryptoLocker is a ransomware program that was released around the beginning of September 2013. This ransomware will encrypt certain files using a mixture of RSA & AES encryption. When it has finished encrypting your files, it will display a CryptoLocker payment program that prompts you to send a ransom of either $100 or $300 in order to decrypt the files. This screen will also display a timer stating that you have 96 hours, or 4 days, to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files. This ransom must be paid using MoneyPak vouchers or Bitcoins. Once you send the payment and it is verified, the program will decrypt the files that it encrypted.

This infection is typically spread through emails sent to company (and sometimes personal) email addresses that pretend to be customer support related issues from Fedex, UPS, DHL, etc. These emails would contain a zip attachment that when opened would infect the computer. These zip files contain executables that are disguised as PDF files as they have a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Microsoft does not show extensions by default, they look like normal PDF files and people open them.

If you see this screen then you've been infected and there is no way to remove the virus and recover the encrypted files except to pay the ransom. So DON'T GET INFECTED!

You can read all the details about this virus including what to watch out for here: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

First-Hand Knowledge

One of my clients got hit with this ransomware early Tuesday morning. In his case, the malware infected his laptop. When he connected the laptop to his business network, the malware found and encrypted a large number of files that were stored on file servers on his local network. If he hadn't had backups for these files he would have lost over a years worth of critical business information. 

It took me more than 6 hours to isolate the virus, and to recover 90% of his business related files from his backups. He lost roughly 1 weeks worth of business information that will need to be recovered from paper. He is lucky that he has a paper-based system that he uses in parallel with his compute-based process. To fix his laptop he basically took it and threw it in the trash rather than spend the money to clean and rebuild it. It was 2 years old anyway and pretty much obsolete.

A second client just called me about 2 hours ago with the same infection. In his case he has decided to pay the ransom even though we both are concerned about whether or not the people behind this scheme will actually follow through and decrypt his files. I also suggested that if a credit card is required for the ransom that he purchase a pre-paid credit card with the exact amount of the ransom on it. That way the scammers won't have his bank credit card information. After all, why would we trust these people.

So once again, I beg you to please be careful when clicking on any links or attachments in email you receive - even if you think you know the sender.

Last Updated on Saturday, 26 October 2013 12:14