The Crypto-Locker Virus is making its rounds again. This version, like the last, is initially transmitted via an email. The email claims to contain a resume from a friend or previous acquaintance and asks you to open it. The virus is embedded in a Word document, but opening the document alone does not infect the machine. Microsoft Office has built-in security measures that prevent this virus code from running, so the fake resume asks you to disable those protective measures.
From: John Smith <firstname.lastname@example.org>
Date: October 20, 2015 at 4:40:42 AM EDT
Subject: Re:My resume
Reply-To: John Smith <email@example.com>
Hiya! A former colleague of mine gave me your contact.
He was very confident you would be very happy to read my resume.
After looking through your website and seeing what it is you guys do, I'm also very sure
you will not be disappointed. I'm attaching my resume for you to go through.
I'm truly looking forward to hearing back from you.
The image below shows what the document looks like. It claims to be a “Protected Document” and asks you to turn off the built-in MS Office security measures in order to view the information within the document.
You first have to “Enable Editing” and then “Enable Macros”. Once this is done the virus starts on your system: it connects to its server and downloads the code needed to begin encrypting your files. Most, but not all, Anti-Virus products catch the virus as it is downloading. The reason some fail to detect it at this point is that the program was explicitly given permission to run.
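The infection chain above only works once the user enables macros, so a helpdesk or mail-gateway script can refuse to pass an attachment along until someone has looked inside it for a VBA project. The following Python is an added example, not code from the original post or from Beringer. It relies only on modern Office files (.docx, .docm and their Excel/PowerPoint equivalents) being ZIP containers that store macros at word/vbaProject.bin; the sample documents are constructed in memory, and legacy binary .doc files, which are not ZIP containers, are reported as needing a different tool rather than being silently passed.

```python
"""Flag Office attachments that carry VBA macros before anyone opens them.

Added example (not part of the original post). Modern Office files are ZIP
containers; a macro-enabled document keeps its VBA project at
word/vbaProject.bin (xl/ or ppt/ for Excel and PowerPoint). Sample
documents below are constructed in memory and are not real documents.
"""
import io
import zipfile

# Paths inside an OOXML container that indicate an embedded VBA project.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Extensions that are supposed to be macro-free; macros inside one are a red flag.
MACRO_FREE_EXTS = ("docx", "xlsx", "pptx")


def has_vba_project(data: bytes):
    """Return True/False for an OOXML container, or None if the bytes are not
    a ZIP container at all (legacy binary .doc, or not an Office file)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return None
    return any(part in names for part in VBA_PARTS)


def triage(attachments):
    """attachments: iterable of (filename, bytes). Returns [(filename, verdict)]."""
    results = []
    for name, data in attachments:
        ext = name.lower().rsplit(".", 1)[-1]
        flag = has_vba_project(data)
        if flag is None:
            verdict = "not-ooxml"          # inspect with a legacy-format tool
        elif flag and ext in MACRO_FREE_EXTS:
            verdict = "macro-in-docx"      # macros hiding behind a 'safe' extension
        elif flag:
            verdict = "macro-enabled"      # honest .docm/.xlsm/.pptm; still needs review
        else:
            verdict = "no-macros"
        results.append((name, verdict))
    return results


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped ZIP for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("Resume.docx", build_sample(True)),      # constructed: macros behind .docx
        ("Resume.docm", build_sample(True)),      # constructed: openly macro-enabled
        ("notes.docx", build_sample(False)),      # constructed: clean
        ("old.doc", b"\xd0\xcf\x11\xe0 legacy"),  # constructed: not a ZIP container
    ]
    for name, verdict in triage(samples):
        print(f"{name}: {verdict}")
```

Anything other than "no-macros" is a reason to hold the message and ask the recipient whether they were expecting it, which is exactly the question the resume lure is designed to make people skip.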
What happens if I’m infected?
If the virus runs successfully, all of your documents, pictures, and video files will appear with a new extension and your computer will not know how to open them. The virus renames your existing documents by appending a .crinf file extension.
Example: Monthly Marketing.docx becomes Monthly Marketing.docx.crinf
It searches your computer, and any mapped drives you have to server locations, for the files it wants to encrypt. It then gets to work encrypting your files, leaving a “Read Me” text file behind in each folder. This file has instructions for how to pay the ransom and, allegedly, get your files decrypted. While there have been reports of users regaining access to their files after paying the ransom, there is no guarantee. Our recommendation is to have good backups of your files beforehand; this is the only sure method of recovering your data.
Example of the “Read Me” text file left after encryption:
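Because every encrypted file keeps its original name with .crinf appended, and every affected folder receives a note, the damage can be scoped before anyone touches the backups. The Python below is an added example, not code from the original post or from Beringer: it walks a folder tree (a workstation's document folders or a mapped drive), counts .crinf files per folder, records which folders received a note, and recovers the original file names for the restore list. The sample tree is constructed in a temporary directory, and the note filename fragment "Read Me" is assumed from the post, which does not give the exact name.

```python
"""Scope a Crypto-Locker infection: find .crinf files and the "Read Me" notes.

Added example, not part of the original post. Walks a directory tree,
summarises what was encrypted where, and recovers original file names
so the restore-from-backup list is known. The sample tree is constructed
in a temporary directory; the ransom-note name fragment is an assumption.
"""
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".crinf"   # extension the post reports being appended
NOTE_MARKER = "read me"    # assumed ransom-note name fragment (case-insensitive)


def original_name(encrypted_name: str) -> str:
    """'Monthly Marketing.docx.crinf' -> 'Monthly Marketing.docx'."""
    if encrypted_name.lower().endswith(ENCRYPTED_EXT):
        return encrypted_name[: -len(ENCRYPTED_EXT)]
    return encrypted_name


def scan_tree(root: str) -> dict:
    """Walk `root` and summarise what the infection touched."""
    per_folder = Counter()
    note_folders = set()
    hit_extensions = Counter()
    restore_list = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                per_folder[rel] += 1
                orig = original_name(name)
                hit_extensions[os.path.splitext(orig)[1].lower() or "(none)"] += 1
                restore_list.append(os.path.join(rel, orig))
            elif NOTE_MARKER in name.lower():
                note_folders.add(rel)
    return {
        "total_encrypted": sum(per_folder.values()),
        "encrypted_per_folder": dict(per_folder),
        "note_folders": sorted(note_folders),
        "hit_extensions": dict(hit_extensions),
        "restore_list": sorted(restore_list),
    }


def build_sample_tree() -> str:
    """Constructed sample: two folders hit, one untouched. Returns the root path."""
    root = tempfile.mkdtemp(prefix="crinf-demo-")
    layout = {
        "Marketing": ["Monthly Marketing.docx.crinf", "logo.png.crinf", "Read Me.txt"],
        os.path.join("Marketing", "2015"): ["Q3.xlsx.crinf", "Read Me.txt"],
        "Untouched": ["notes.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"placeholder content")   # constructed, not real data
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    print(f"{report['total_encrypted']} encrypted files found")
    for folder, count in sorted(report["encrypted_per_folder"].items()):
        print(f"  {folder}: {count}")
    print("folders with ransom notes:", ", ".join(report["note_folders"]))
    print("files to restore:", *report["restore_list"], sep="\n  ")
```

Run it against the mapped drives as well as the local profile: the post notes the virus follows mapped drives to server locations, so a clean workstation report does not mean the shares are clean.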
Your personal files have been encrypted!
Your documents, photos, databases and other important files have been encrypted using a military grade encryption algorithm. The only way to decrypt your files is with a unique decryption key stored remotely in our servers. All your files are now unusable until you decrypt them. You have 24h to pay for the release of your decryption key. After 24h have passed, your decryption key will be erased and you will never be able to restore your files.
To obtain your unique decryption key you will need to pay $500 using a PayPal MyCash voucher.
If the payment is not sent within 12h the amount to obtain your decryption key will be $1000.
PayPal MyCash vouchers can be purchased at CVS, 7-Eleven, Dollar General, Fred's Super Dollar,
Family Dollar and many other stores.
After obtaining your PayPal MyCash voucher code you need to send an email to
firstname.lastname@example.org with the following information.
1: Your $500 PayPal MyCash PIN
2: Your encryption ID = WSDM-WIN7BEAE-7B0F
Shortly after the voucher is received and verified, all your files will be restored to their previous state.
All payments are processed and verified manually, do not try to send invalid PIN numbers.
How to Recover After Infection:
The best option here is to restore from backup. Windows operating systems have a built-in backup feature, but it needs to be turned on beforehand to be of any use. If you use special backup software you can restore from that backup, or otherwise from the built-in Windows function. We at Beringer can assist with this if needed.
How to prevent this infection:
The best line of defense here is to never open attachments from unknown sources. If you don’t know the person or company it came from, do not trust it! Some emails are disguised as coming from legitimate companies, with an urgent message making you think it is important; if you're not expecting this type of email or file from them, do not open it, or call the company to see whether they sent it.
The second layer of protection is to have a good Anti-Virus on the system. Our internal investigation shows that most Anti-Virus products identified this as a virus right away.
There are also tools geared specifically toward catching Crypto-Locker viruses. While these are useful and do work, they cost money in most cases and only help with this specific type of infection. A good backup plan and Anti-Virus solution will cover you in situations like this.
See our previous blog post about the original variant of this virus for additional information.
Beringer Associates, a Microsoft Gold Certified Partner, is always here to provide expert knowledge in topics like these. Please contact us with any questions you may have.