Blog

New Cryptolocker Virus locks All Your Files and Seeks Ransom To Restore Access

Malware Encrypts local and network files rendering them inaccessible

Recently, we have encountered a new type of malware known as Cryptolocker. It searches for all of your pictures and office documents then encrypts them. The malware infection asks for payment to decrypt the files which is currently set at $300. The file extensions that it will encrypt are listed below.

There are only two ways to recover from this type of attack. Pay the “ransom”  of $300 within 72 hours or restore the now encrypted files from backup overwriting the encrypted files with the previous, working version. This process can only be performed after the location of the infected machine has been identified and it has been cleaned. It has been reported that victims who have paid the ransom have in fact regained access to their files once they are unencrypted.

Currently this virus is spread in through fake emails that legitimately appear to be from Fedex, and UPS tracking notifications and Intuit messages that include a zipped file. They tell you that some important information about a recent shipment or your business QuickBooks file has a problem and they you have to open the zip file to access the info. It is also reported that links inside emails are responsible for the infections.

The only two symptoms of this virus is, the pop up shown above and users mentioning that multiple files on the network or their local machines are corrupt. When an encrypted file is opened, Microsoft Office thinks that the file is corrupt and reports an error that is can’t open the file.

List of known file extensions that Cryptolocker searches for an encrypts.

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr,.jpg, .jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

How to be prepared for this virus

-Take a backup or image of your files and perform a test to restore confirming the backup was successful. Backups are the most important to countering this infection.

-All Antivirus and Malware clients are fully up to date and operating correctly.

-All content filters are in place and are operating correctly.

-If your Antivirus does email scanning make sure that is up to date as well.

How to prevent your computer from becoming infected by CryptoLocker

You can use the Windows Group or Local Policy Editor to create Software Restriction Policies that block executables from running when they are located in specific paths. For more information on how to configure Software Restriction Policies, please see these articles from MS:

http://support.microsoft.com/kb/310791
http://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx

The file paths that have been used by this infection and its droppers are:

C:Users<User>AppDataLocal<random>.exe (Vista/7/8)
C:Users<User>AppDataLocal<random>.exe (Vista/7/8)
C:Documents and Settings<User>Application Data<random>.exe (XP)
C:Documents and Settings<User>Local Application Data<random>.exe (XP)

Or you can use the following tool to write these policies for you:

http://www.foolishit.com/vb6-projects/cryptoprevent/

If you are infected with the Malware below are some links from forums and what they have done to resolve the issue.  Make sure you have good backups now!!

http://www.bleepingcomputer.com/forums/t/507240/crypto-locker-malware-removed-files-still-encrypted/

http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/page-5#entry3153406