Today we have received two reports that a very nasty piece of malware is active, and all our clients need to be aware of it. I never make claims about malware being “the worst ever”, but any dire warning you read about this software will probably not do it justice.
Cryptolocker (detected as Troj_Ransom.NS and Troj_Ransom.IQN by Trend Micro, to give one example) infects your PC and then encrypts all the common personal files it can find: documents, pictures, music, videos, etc. It encrypts data on the local PC, and if you have network drives it will encrypt any data it finds on those as well. I have also seen with my own eyes that it will encrypt your Dropbox content if the Dropbox folder is available on your PC.
Once your files have been encrypted there is NOTHING you can do to decrypt them; they are permanently gone unless you give in to the ransom demand and pay the requested $300.
Your only chance of recovering your files, if you don’t pay, is to restore them from backups. If you have backups. If you don’t have backups then you are saying goodbye to family photographs, home movies, that book you were working on…
The criminals have used 2048-bit RSA public-key encryption, and without getting technical, no one without the right private key is going to be decrypting your files any time soon.
Depending on your operating system you may have something called Shadow Copies (Volume Shadow Copies, seen as “Previous Versions” in Windows Explorer) enabled, and this may save your backside.
Avoiding Getting It!
This software appears to be spreading via email messages purporting to be from DHL, Amazon and similar types of business. The email will contain an attachment pretending to be a PDF document of a dispatch note or something similar.
DO NOT open .zip or .PDF attachments (or any attachments, actually) unless you completely trust the source and are expecting them to send you attachments.
Another method of spread is via botnets to already compromised PCs. If your PC already hosts other malware, that malware can be used as a mechanism to deliver Cryptolocker to your PC.
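As an added example (not part of the original post), here is a small Python check of the kind a mail gateway could run against the lure described above: an attachment, possibly inside a .zip, whose name claims to be a PDF but whose final extension or file content is a Windows executable. The extension lists, the sample zip and its filename are constructed for illustration.

```python
import io
import zipfile

# Extensions Windows will run on double-click; a "PDF" ending in one of these
# is the double-extension lure (e.g. dispatch_note.pdf.exe). Constructed list.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".jpg"}
PE_MAGIC = b"MZ"  # first two bytes of a Windows executable


def classify_attachment(name: str, data: bytes) -> list[str]:
    """Return the reasons an attachment looks like a disguised executable
    (empty list means nothing suspicious was found)."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]
    # 1. Name ends in an executable extension but carries a document extension before it.
    if exts and exts[-1] in EXECUTABLE_EXTS and any(e in DOC_EXTS for e in exts[:-1]):
        reasons.append(f"double extension: {base}")
    # 2. Name claims to be a document but the bytes are a PE executable.
    if exts and exts[-1] in DOC_EXTS and data[:2] == PE_MAGIC:
        reasons.append(f"content is a PE executable but named {base}")
    # 3. Zip wrapper: inspect every member with the same rules (recurses into nested zips).
    if exts and exts[-1] == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    for r in classify_attachment(info.filename, zf.read(info)):
                        reasons.append(f"inside zip: {r}")
        except zipfile.BadZipFile:
            reasons.append("zip attachment is corrupt or not a zip")
    return reasons


def build_sample_zip() -> bytes:
    """Constructed sample: a zip holding a fake 'dispatch note' that is a PE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DHL_dispatch_note.pdf.exe", PE_MAGIC + b"\x90" * 14)
    return buf.getvalue()


if __name__ == "__main__":
    for reason in classify_attachment("DHL_dispatch_note.zip", build_sample_zip()):
        print("FLAG:", reason)
```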
If you have got it
It is beyond the scope of this blog piece to go into all the details of the malware, its removal, and the possible places you may find backups of your documents, so we would recommend you contact us or your I.T. people if you are unlucky enough to get it.
UPDATE: I have come across a few reports in the last day or two saying that the command-and-control (C&C) server or servers where the private keys are held have been taken down (or blackholed or otherwise taken offline). This would not be at all surprising, and if true it means that paying the ransom will be a waste of money, as the criminals will not be able to release the decryption key.