There’s a nasty piece of malware out there called Cryptolocker. You won’t know you’re infected with it until you get the notice that your files are encrypted and if you don’t pay $300 by a certain date the decryption key will be destroyed, causing you to lose all your files forever. At this time only Windows operating systems are vulnerable, with this exception: If you are running a Windows installation in Parallels on a Mac, with a shared home folder, you may be vulnerable to losing access to the home folder, which is basically where you live on a mac. So here’s what you need to know to grab a handle on what this is and why it’s so nasty, and, most importantly, how not to get it, and if you do, how to survive it.
a very basic understanding of encryption:
Encryption is the process that makes text unreadable to someone who’s not in on the secret. It scrambles the text to such an extent that without the descrambler you’ll never be able to read it. It’s what the “lock” icon means when you go to your bank’s website or when you are shopping online and you go to check out. Most encryption on the web is done with two “keys,” one is a public key and the other is a private key, and they work together. No other combination of keys will work with either of those two. When you go to your bank’s website, you see the place where you log in with a username and password. When you hit the “login” button, you use the bank’s public key, which is stored on their server, to encrypt your login information so that if someone intercepts the traffic, all they’ll see is gobbledygook. It won’t make any sense. AND it can’t be used to log in, because if someone input what they intercepted, THAT would also get encrypted and end up being even more gobbledygooked. Without that private key at the other end, it IS just gobbledygook. So at the other end, the bank uses their private key, which is stored securely on their server, to decrypt your login credentials. If you are at a website and see a lock, you’ll also see that the “http” is now “https” which means that a Secure Sockets Layer session has been started, which is another level of encryption added to the session. The original encryption session that was started with the public key/private key transmission (which is called “asymmetric”) now initiates a symmetric session that uses the same key between parties. Nothing that passes between the parties can be read by anyone other than those two parties. What you need to really understand is this: it works because both parties have the key. (Trust me, when I was learning all this, it made my head spin.)
What Cryptolocker does:
Cryptolocker uses the originator’s (the bad guys) public key to encrypt your personal files. It grabs not only the files on your active hard drive, but if you work with an external hard drive attached to your computer as a standard practice, it will grab those too as well as any mapped network drives. That can make this a devastating infection for small businesses. Don’t even think about cracking the encryption, either. The keys used in this are the best you can get, the strongest available. The payment demanded is any one of three untraceable methods: Bitcoin, MoneyPak card, or Ukash card. That lessens the chances of these guys getting caught, unless one of them gets very sloppy, and then rats the others out. If you don’t pay the ransom, the decryption key is destroyed. Remember the part above, where I told you that the public key and the private key work together? Well, they ONLY work together. If the private key is destroyed, you will have zero chance of decrypting your files. Heres’s something else you need to know: If you are using a backup site in the cloud, as soon as you think you might be infected, unplug from the internet and call the human customer service rep at the backup service and let them know right away that you’ve been infected with Cryptolocker; one cloud backup service has officially stated that this information will put a high priority on your call, and it’s reasonable that others are treating it the same way. By this time, they will already have a plan formulated for dealing with Cryptolocker, but if you let a backup take place after encryption has started, you will not be able to use your backup service to restore your computer.
prevention is the best defense:
All indications at this point are that most of the infections are started with a phishing email. Phishing is just like fishing—someone’s putting some bait out there hoping someone will bite. These guys are not amateurs. The emails will look like the real thing. Some documented cases so far include emails that look like Amazon, BestBuy, WalMart, and other shopping sites. It is getting to the point where is just is not safe to click on a link in an email anymore. But don’t even think that all links in all other email messages from all other sources must be safe just because I didn’t name any others. You should treat all emails containing links with a strong degree of suspicion. Other possible infection sources include attachments in emails (if you weren’t expecting it, don’t click on it!), or if your machine has been previously compromised, the attackers could just remotely run a program that automatically loads and runs the encryption software. Documentation on the attachment version includes emails that look like they came from well-known companies like UPS, Fed-Ex, DHL, etc, and with shopping online being so popular, leading up to the holidays we can expect that this will pickup, and even after the new year, with returns and all, don’t expect it to go away quickly. The attachments included in the email will have names that look like they end with .pdf, .doc, .xls, but are actually executables, meaning that when you click on them, a program will run. For some reason, Windows, by default, does not display the file extensions, and you generally know what kind of file something is by the icon it displays. It’s better not to take that chance, you can follow <THIS LINK> for instructions on how to display all file extensions, so that you can actually see if something is not a .pdf, .doc, or .xls but is actually a .pdf.exe, or a .doc.exe, or a .xls.exe. Those are bad guys. Do not open them. (By the way, this is a ploy used by a lot of other trojans as well, disguising an executable file as a non-executable file; taking the step of displaying file extensions can keep you from clicking on them even in the absence of the Cryptolocker threat.) And above all, BACKUP, BACKUP, BACKUP!!!!! You should NEVER have only one copy of your critical data. Ever. Ever! Got that? Because if you have a current backup, you’re prepared for….
Surviving the infection you couldn’t stop in time:
Go ahead and decide, right now, if you are willing to pay the ransom. If so, set aside $300, and be prepared for that to go up. But remember that we are talking about people who already don’t care that they don’t have a right to do stuff to your computer. Counting on them to keep their word may not be wise. If you don’t intend to reward criminals for bad behavior (yes, I am being clear which path I recommend), stop all your other computer activity TODAY and make a set of recovery disks. That is a disk or a set of disks that contains your computer’s operating system and installed programs as it looks at the moment the disks are made, and all the files. This is a good practice anyway, especially if your machine didn’t come with operating system installation media. Most don’t nowadays. You may (or may not—it just depends on factors we haven’t figured out yet) have to activate Windows again after installation, and that may require a phone call. I’ve had to do this numerous times, and it’s not a difficult process. The phone instructions are very easy to follow, and when you are asked how many machines the software is installed on, the correct answer is “zero.” Remember that. Once the operating system is restored, move the most recent backups of your files back into place and you’re ready to go.
Forewarned is forearmed. Now you know there’s bad stuff out there. More importantly, you know how not to get tricked, and you know how to recover if you do get tricked. Don’t be embarrassed if you get fooled, these guys are highly skilled at what they do. They count on you being trusting, and they count on you being too busy to take proper preventive measures. The time you spend in prevention and precaution will save you a lot of recovery time.