CryptoLocker: Beware This Major Threat To Your PC

toggle-button

Computer criminals have a new weapon in their arsenal.  No longer do they need to send out phishing emails in the hope that you'll fall for the scam and hand over your bank details.  The new technique is a lot less subtle, but much more lucrative.

CryptoLocker is a new breed of malware, which is being distributed across the world by spammers sending out email messages.  If you inadvertently click on the link within the email, and download the malware, it encrypts all of the files on your PC.  The only place where the decryption key is stored is on the spammers' own servers, and it's only held there for 72 hours.  To get it, you need to send a few hundred dollars.  If you don't do so within the time limit, your files are gone forever.

Nasty, eh.

This isn't the first time that so-called ransomware has been seen, but it's the first time that its distribution has been so widespread and organized.  And what's so worrying about this malware is that, as well as encrypting the files on your own PC, it also tries to attack files on other connected drives too, such as the computers on your network.  And, most importantly, your backups that might be held on cloud-based services such as Dropbox.

To help protect yourself from malware of this kind, there are 3 things you should do.  First, make sure your antivirus software is up to date.  Second, take a backup and store it on an offline device such as a USB removeable drive, which is not permanently accessible from your PC.  Finally, check out an excellent article at http://grahamcluley.com/2013/11/cryptolocker-protect/ to learn more.

 

 

 

Please rate this article: 

Your rating: None
4.714285
Average: 4.7 (49 votes)
toggle-button

Comments

My friend just lost all her photos to this CryptoLocker virus she lost all her photos and I was helpless to help her, she was so upset this really is a nasty virus.

CryptoLocker is a very bad infection but your friend should not give up on her photos See a good repair tech and talk about weather a batch program could be run to find old versions of the files that are encrypted . The idea is an old version exists right before the cryptoLocker ran and could be recovered once the files are back all traces of this infection must be removed. See other postings about programs that can remove its effects using an experienced tech this is not for novices.

Best of luck Bob from Montreal

Can you please tell where she got the virus from?
Hi Anupam , she doesn't know the first thing she knew was when she switched on her laptop and the 'Your files are encrypted pay £300 for the key ' and the countdown clock was showing . Loads of people tried to help her but although they got rid of the virus but the files were lost, very sad I felt really bad for her losing all her pictures/photos. I've read all over that this type of ransom-ware spreads through email attachments so I don't know if this is any help but when it happened to my friend I had recieved a couple of dodgy emails saying they were coming from well known company's that I shop with online , the emails said my order had been confirmed but I needed to download the order receipt/invoice in the form of an attachment I knew these were fake straight away because 1) I hadn't ordered anything , 2) I viewed the email header which I often do with suspect emails and 3) the company had never asked me to download receipt /invoice as a attachment before but people who are not as paranoid as me or had ordered something recently may have been tricked. I sent/reported the fake emails to the company in question.
Thanks for your reply. The infection must have come from email attachment then, most probably. I was trying to see if there was any other probable cause for getting that virus. For people like us, it's easy to differentiate genuine emails/alerts from fraud ones, but for others who are not so knowledgeable, it might be difficult. It's sad.

I own and run a one man computer business in central MN. I am not an expert but wanted to add some experience that I've had recently with what I think is CryptoLocker or a clone of it. In both cases (1 Vista and 1 XP I think) I was able to remove the infection by booting with the HitmanPro trial from a USB flash drive.

Both systems had the same graphics and desktop wallpaper image, both had the countdown timer. One was down to ~68 hours and the other was ~48 hours.

I didn't know about this Malware and just attacked it as normal with Hitman booted from a flash drive, ComboFix and Malwarebytes after booting clean.

Anyone else been able to disable/remove this?

Hu

Crypto-Locker is easy to remove, but that's not the issue. The issue is that the files have been encrypted. Removing the virus will only mean that future files will not be encrypted. It doesn't decrypt already encrypted files.

I would not think it was CryptoLocker, once it runs there is no way other then pay the money to get your files back.

Thank you for your replies. Can anyone answer the question I posed at the end of my post -

Anyone else been able to disable/remove this?

Have any of you seen this with your own eyes or just anecdotally through this forum or friends?

Are the files already encrypted when the system shows the Cryptolocker warming or does the encryption happen after the countdown?

What if the computer was quickly shut down and the hard drive removed and mounted with a Linux distribution such as Trinity Rescue Kit (TRK).

Just looking for more information.

Hu

I don't know how often they get involved in issuing malware alerts, but even the U.S. Computer Emergency Readiness Team (US-CERT), part of the Department of Homeland Security, has issued an alert about Cryptolocker.
https://www.us-cert.gov/ncas/alerts/TA13-309A

Can you still become infected if you are using Returnil System Safe which is a virtual disk and click on a link? Or does the problem go away when you shut off your computer?

I assume that NOT logging on as administrator would provide another level of security against this exploit, as it would require a password before it could install via an .exe file. Is this correct?

Does anybody have any info on the Malwarebytes application Anti-Exploit? The only thing their site says is basically "This is good; download it.", with no explanation of what it really does and how it achieves this. I'm not looking for trade secrets here, but something more than the current "Yeah Us!" is needed.

Also the comment about Windows Home Premium not being vulnerable, does anybody have any idea as to whether or not that is a true statement?

Last but definitely not least, "Thanks" for the article, it is much appreciated.

My apologies, the second link I posted is incorrect, should be http://www.sevenforums.com/tutorials/7357-local-security-policy-editor-o...

I also meant to point out that the BC Guide also shows how to use both prevention programs so it is well worth the time it takes to read the whole thing.

If you are referring to my comment then you misread it, because I never said Home Premium is not vulnerable. What is said is that that version of Windows does not have a Local Security Policy Editor or Group Policy Editor that you find in higher end versions of Windows. As far as I know CryptoPrevent uses these policy editors native to Windows, so if true and they don't install such an editor of their own, CryptoPrevent will not work on the Home Premium versions of Windows and will be unprotected and still vulnerable. If you know how to edit Security and Group Policy on versions of Windows that have it, you can do so manually and don't have to use the CryptoPrevent software, but it is much more convenient. For instructions on how to do this, see this part of the Bleeping Computer FAQ/Guide--scroll down to "How to manually create Software Restriction Policies to block CryptoLocker": http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-in...

For confirmation that the Policy editors do not work in Home versions of Windows:
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-in...
"In Windows 7, the Local Security Policy will only be available in the Professional, Ultimate, and Enterpise editions.
In Windows RT, 8, and 8.1, the Local Security Policy will only be available in the Pro and Enterpise editions."
Similarly, I know that in XP, policy editors are available only in the Pro Editions of Windows, not Home.

Would appreciate it if you would not post about my product without actually reading about it first, as it appears you are spreading a bit of misinformation.

CryptoPrevent does NOT rely on Windows Group Policy or Security Policy editors -- in fact it was created EXACTLY FOR HOME VERSIONS OF WINDOWS simply BECAUSE they did not have access to these editors; the policies created by CryptoPrevent are artificially planted directly into the Windows registry.

The whole idea behind the program was presented to me personally by Laurence Abrams of BleepingComputer.com in order to help users without professional versions of Windows and without access to the means to create their own software restriction policies. Since that time CryptoPrevent has grown from an original set of 6 rules to over 200 policy rules - something that even those with access to Professional versions of Windows and the appropriate MMC editors would generally not want to do manually.

Please see my response to your other post below...

Obviously, I misread it. Thank you for the clarification / explanation. It and the BC link are most helpful.

For the most complete and up to date information on this odious malware, see the FAQ's at Bleeping Computer that is linked to at the bottom of the article. Many sites are getting their information from it, including the Krebs on Security blog that was passed on in comments. One thing mentioned at BC, and not in this article, is that if you wait til after the time limit expires then try to use their "service", the price goes up to around $2000.

Another thing of which one should be aware and unfortunately is not mentioned at BC, is that Software Restriction Policies are not available in Home and Home Premium editions of Windows so I don't believe CryptoPrevent will work for the typical home user. But I have yet to test to confirm this tho. Looks like the best bet for prevention is HitmanPro.Alert with Cryptoguard that has already been linked to but here it is again:
http://www.surfright.nl/en/cryptoguard

I have some questions about it as well but won't voice them until I've had a chance to try it out and get some more info. Also haven't tried the Malwarebytes apps yet either.

Rob, as always, thanks for keeping us current...

Is the Foolish IT program similar to MS's EMET?

Has anyone installed the Foolish software?

If so, does it degrade system performance?

What problems exist in setting it up?

Seems to me that the Foolish IT solution makes more sense that than adding another real time scanning solution which may or may not play nice with your existing A/V.

Thanks...

I haven't tested these yet but as I understand it, the Cryptoguard software is more effective since it prevents the execution of the encryption of your files. That kind of action needs no updating. CryptoPrevent works by preventing the malicious software from executing by changing Software Restriction Policies or Group Policies, but this restricts software behavior based on where the software files are located. Malware writers are notorious for changing the location of their files, so this would have to be kept up to date. Plus it restricts all software with files in certain locations (like App Data), so some legitimate software will not work correctly until you make an exception for them. Easily done in the CryptoPrevent software, but is a further inconvenience. Also, as I've mentioned in my comment, If you are running Windows Home or Home Premium, you don't have the option of Software Restriction Policies, so I don't think CryptoPrevent will work at all in those OSs.

Again, please read about my product before posting about it, because you know very little and are spreading misinformation.

While CryptoPrevent does utilize some location based policy rules, the vast majority of its policy rules apply no matter where the executables are located in the file system.

And again, CryptoPrevent was specifically designed for Home versions of Windows where access to Group Policy / Security Policy editors are not available.

Please accept my apology. It was a mistake on my part to not read the information on your website about your product. You do clearly state there that the program is designed to give Home Editions of Windows the security it lacks by not having the policy restrictions editors available in higher end editions. I normally try out products like this and read up on them at their download pages before making such comments and it was clearly a mistake for me to not do so in this case. You and Lawrence are to be highly commended for your efforts. Unfortunately I haven't had the pleasure to make your acquaintance but I do know that, when it comes to malware removal and coming up with solutions for them that even the technically illiterate can understand, Lawrence Abrams has been first rate and had my admiration for quite some time now.

That being said, I think you have over-reacted to my comments just a tad. I stand corrected about the policies capabilities of your software, but in my own defense, if you'll notice I never said absolutely that your software didn't have those capabilities, but preceded those comments with "I think" or "as far as I know" or similar, which was intended as an admission on my part that I didn't know for sure. I submit to you that my other information may have been slightly inaccurate, but not too far off base. I was getting most of my information off of the BC Guide which does not mention or emphasize what I was mistaken about and in my mind I kind of merged your software with the guide's info on manually editing policies. I tried to call up the policy editor on my Windows Home Premium desktop, was unable to do so, thus I had my doubts that your software could either. The fact that it can is outstanding.

So you are entirely correct that I don't know much about your software, but if you ask any of the old timers at Bleeping Computer, they should be able to assure you that I would never intentionally spread misinformation and I do have some knowledge about malware and its removal, although it's mostly dated now. But I am not an IT professional or a coder, so I will leave that in your very capable hands. From the little I've looked around your website, I really like what I see and can tell you are very talented--I am also very interested in your approach and other aspects/capabilities of CryptoPrevent.

Now I will make no further comments until I have had time to try out and further research your software and the other I have commented on.

I'm now confused...

My reading of their site indicates just the opposite of your comments.

Well, I think you are not understanding how these softwares work--from your "degrade system performance" question you may be assuming that you have to install the whole Hitman Pro antimalware program, but that is not the case. Cryptoguard is a standalone software that is combined with another alerting system--all it does is block the encryption of files and alerts you that there is malicious software on your system that is attempting to do so. If you do happen to have Hitman Pro installed you can click one button to have the malware removed while the encryption is being blocked, but as far as I know any native antivirus should work. As I said, I have yet to install this, but it shouldn't be much of a drag on your system--I know it won't be as much as a typical antivirus program because it just doesn't need as much resources to do its job.

And if you are judging these programs on their use of resources alone, then you are correct that CryptoPrevent would be the better of the two as it shouldn't use much, if any resources. But as I have explained, it's strategy is not as effective as Cryptoguard, IMO. I would strongly suggest that you read the FAQ/Guide at Bleeping Computer--they explain in detail how these programs work and how to use them. There is also a thread with much more information on Cryptoguard, including a video demonstrating its use that is also helpful in understanding how the CryptoLocker infection itself works. For example, if you'll notice, the tester goes to a website to become infected--which proves that it isn't only email attachments that you need to worry about.
http://www.bleepingcomputer.com/forums/t/513182/cryptoguard-prevents-you...

Remember that the problem is not removing an infection--it's preventing your files from being encrypted in the first place.

thankyou for the heads up and info

Both of these are in beta right now, and therefore not recommended for general users. Also, it looks like both these products might go commercial, when they come out of beta.

I was made aware of this a short time ago - apparently there is s program that can help prevet this. It is called cryptoprevent.

http://www.foolishit.com/vb6-projects/cryptoprevent/

You can also find it on majorgeeks if you prefer.

Pages