I am posting this topic as a result of a conversation while golfing with a good friend. My friend basically asked me whether or not I had heard of the virus “Cryptolocker”. I explained to him that I was familiar with it and how I had become introduced to the virus. We discussed it intermittently during the remainder of our golf round. Afterwards we had a huge discussion about malware, trojans and virus manufacturers in general.
During the discussion he asked me what could be done, and I made the comment that he might be able to change the individual's profile and/or look at shadow copy recovery. I further commented on what I had done to combat the virus. He also explained to me that he was looking at possibly having to replace upwards of 50 computers, that he didn't have appropriate backups, and that he feels he has no choice but to pay the extortioners.
Afterwards, his whole situation sank in: if he has to replace 50 computers, if he pays for the decryption key, and if he truly doesn't have a backup, what are his alternatives? So I did some quick research and found some possibilities that might work.
The possibility of data recovery is open for discussion. According to PCWorld, a website, DecryptCryptoLocker, was a solution for recovering encrypted files. Researchers from FireEye and Fox-IT developed a proven method for recovering the private encryption keys used by CryptoLocker, and they also reverse-engineered the code of the malware itself; in essence, the firms could unlock your files. The service was free: you sent them an email with a CryptoLocker-encrypted file attached, they determined the key, and they emailed the key back to you. However, the website was decommissioned in August 2014. Click on the following link to gain a better understanding of this process. DecryptCryptoLocker.com
Ultimately the question is: is there another solution today, in 2015?
Here are several tools available to identify and prevent CryptoLocker from affecting your computer. Note that these tools detect and remove the malware; they do not decrypt files that have already been encrypted.
Malwarebytes – detects and stops the virus
Removal instructions can also be found here: Malwarebytes removal instructions
HitmanPro – another tool for prevention
Why not pay? The usual response is: why not pay if I don't have a backup, or if recovering my data would be too costly? There are three good reasons not to pay.
- You are not guaranteed that you will receive a key at all, or that the key you receive will work.
- Paying supports the malware developers and allows them to continue extorting money from companies.
- Removing CryptoLocker will not endanger your files. The files are already encrypted; cleaning the machine does not damage them further, it simply stops the malware from encrypting anything else.
Good standardized security practices that every company should follow to protect itself from such viruses, malware and intrusions:
- Educate users. Remember, your company's data security is only as good as your employees. You can institute any and all prevention measures, but a well-educated staff is your best defence against careless mistakes.
- Never open emails that contain .zip attachments.
- How often will users receive .zip attachments from other users inside your company? The answer is probably never. Therefore the only source of .zip attachments is outside your organization. CryptoLocker arrived exactly this way: a .zip attached to a fake invoice or shipping notice, containing an executable disguised with a double extension such as .pdf.exe, which Explorer displays as a PDF because it hides known file extensions by default.
- If you don't know who the email is from, or you were not expecting it, do not open it; just delete it.
- If in doubt, ask. Always assume that if it is important the sender will resend the email, or ask for a read/open receipt and then re-contact you.
- Always err on the side of caution.
- Use Windows Shadow Copy, also known as Volume Snapshot Service or Volume Shadow Copy Service (VSS). It is a technology included in Microsoft Windows that allows taking manual or automatic backup copies or snapshots of files or volumes, even while they are in use. It is implemented as a Windows service called the Volume Shadow Copy service, and a software VSS provider is also included as part of Windows for use by Windows applications. Shadow Copy requires the file system to be NTFS in order to create and store shadow copies. Shadow copies can be created on local and external (removable or network) volumes by any Windows component that uses this technology, for example when a scheduled Windows Backup runs or an automatic System Restore point is created. Please note that shadow copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7 and Windows 8. Two caveats: shadow copies live on the same disk as the data and are not a substitute for a real backup, and CryptoLocker attempts to delete them when it runs, so check whether any survived before relying on this route.
- Change your firewall (or mail gateway) to trap .zip and .exe file types and block them at the perimeter. Contact your systems administrator for help setting these rules up.
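The .zip advice above is easier to enforce when a script can look inside an attachment before anyone opens it. The following PowerShell is an added example written for this post, not code from the original author or from any of the tools named here. It opens an archive read-only, reports members Windows would execute, flags the double-extension disguise described above, and notes nested archives. It assumes Windows PowerShell 5.1 or later; the sample archive it inspects is constructed inline and contains only placeholder text.

```powershell
# Added example, not from the original post: look inside a .zip attachment
# without extracting it and report members that Windows would run if double
# clicked. Assumes Windows PowerShell 5.1 or later (System.IO.Compression
# ships with .NET Framework 4.5+). The sample archive is constructed below.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions Windows executes directly. CryptoLocker shipped as a .exe, often
# with a double extension such as invoice.pdf.exe.
$ExecutableExtensions = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js',
                          '.jse', '.vbs', '.vbe', '.wsf', '.hta', '.cpl', '.msi', '.ps1')

function Test-ZipAttachment {
    param([Parameter(Mandatory)][string]$Path)
    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName.EndsWith('/')) { continue }   # directory entry, no payload
            $ext = [System.IO.Path]::GetExtension($entry.Name).ToLowerInvariant()
            if ($ExecutableExtensions -contains $ext) {
                $reason = "executable member ($ext)"
                # A second extension in front of the real one is the usual disguise:
                # Explorer hides known extensions, so invoice.pdf.exe shows as invoice.pdf.
                if ($entry.Name -match '\.[A-Za-z0-9]{2,4}\.[A-Za-z0-9]{2,4}$') {
                    $reason = "double extension, $reason"
                }
                $findings += [pscustomobject]@{ Member = $entry.FullName; Reason = $reason }
            } elseif ($ext -in '.zip', '.rar', '.7z') {
                # An archive inside the archive hides a layer from the gateway scanner.
                $findings += [pscustomobject]@{ Member = $entry.FullName; Reason = 'nested archive' }
            }
        }
    } finally {
        $zip.Dispose()
    }
    return $findings
}

# Constructed sample: a lure-shaped archive whose "executable" is just a text
# file with a double extension. Nothing here is real malware.
$sample = Join-Path $env:TEMP 'sample_attachment.zip'
if (Test-Path -LiteralPath $sample) { Remove-Item -LiteralPath $sample }
$archive = [System.IO.Compression.ZipFile]::Open($sample, [System.IO.Compression.ZipArchiveMode]::Create)
try {
    foreach ($member in 'Invoice_Oct2013.pdf.exe', 'readme.txt') {
        $writer = New-Object System.IO.StreamWriter($archive.CreateEntry($member).Open())
        $writer.Write('placeholder content')
        $writer.Dispose()
    }
} finally {
    $archive.Dispose()
}

$result = @(Test-ZipAttachment -Path $sample)
if ($result.Count -gt 0) {
    $result | Format-Table -AutoSize
    Write-Warning "Quarantine $sample - $($result.Count) suspicious member(s)"
} else {
    Write-Host "No executable content found in $sample"
}
```

On the constructed sample the script reports Invoice_Oct2013.pdf.exe as "double extension, executable member (.exe)" and ignores readme.txt. The check never extracts or runs anything; it only reads the central directory, which is what you want on a mail gateway or help-desk machine.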
Check out the following resources for additional information.
ShadowExplorer software, if you are using Windows 7 (Shadow Copy is turned on automatically) or Windows Server 2008 (you might need to turn on Shadow Copy for each drive you share).
An excellent and comprehensive resource is BleepingComputer.com. They have a very good discussion of CryptoLocker, how it is delivered, and how to get rid of it.
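ShadowExplorer does the following through a GUI; this PowerShell script, added here as an example and not code from the original post or from ShadowExplorer, does the same thing from the command line so it can be scripted across many machines. It lists the shadow copies that still exist for a volume and copies one file back out of the newest snapshot that holds it. It assumes an elevated PowerShell 5.1+ prompt on Windows 7 / Server 2008 R2 or later; the file and destination paths in the usage lines are placeholders.

```powershell
# Added example, not from the original post: enumerate surviving shadow copies
# for a volume and pull one file back out of the newest one that contains it.
# Assumes an elevated PowerShell 5.1+ prompt on Windows 7 / Server 2008 R2 or
# later; the paths in the usage lines at the bottom are placeholders.

function Get-ShadowCopyList {
    param([string]$DriveLetter = 'C:')
    # Win32_ShadowCopy refers to volumes by their \\?\Volume{GUID}\ id, not by
    # drive letter, so look the id up first.
    $volume = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $DriveLetter }
    if (-not $volume) { throw "No volume with drive letter $DriveLetter" }
    Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID } |
        Sort-Object InstallDate -Descending |
        Select-Object ID, InstallDate, DeviceObject
}

function Restore-FromShadowCopy {
    param(
        [Parameter(Mandatory)][string]$RelativePath,  # below the drive root, e.g. Users\alice\Documents\budget.xlsx
        [Parameter(Mandatory)][string]$Destination,   # where the recovered copy goes; a different disk is best
        [string]$DriveLetter = 'C:'
    )
    $snapshots = @(Get-ShadowCopyList -DriveLetter $DriveLetter)
    if ($snapshots.Count -eq 0) {
        # CryptoLocker tries to delete shadow copies when it runs; if that
        # succeeded there is nothing left to restore from.
        throw "No shadow copies exist for $DriveLetter"
    }
    $null = New-Item -ItemType Directory -Force -Path (Split-Path -Parent $Destination)
    foreach ($snap in $snapshots) {
        # A snapshot is only reachable through its device path, so expose it as a
        # directory symbolic link. mklink needs the trailing backslash on the target.
        $mount  = Join-Path $env:SystemDrive ('vss_' + $snap.ID.Trim('{}'))
        $target = $snap.DeviceObject + '\'
        cmd /c mklink /d $mount $target | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "mklink failed for $($snap.DeviceObject)" }
        try {
            $candidate = Join-Path $mount $RelativePath
            if (Test-Path -LiteralPath $candidate) {
                Copy-Item -LiteralPath $candidate -Destination $Destination
                return [pscustomobject]@{
                    Restored     = $Destination
                    SnapshotTime = $snap.InstallDate
                }
            }
        } finally {
            # rmdir removes the link itself; it never touches the snapshot contents.
            cmd /c rmdir $mount | Out-Null
        }
    }
    throw "$RelativePath was not found in any shadow copy of $DriveLetter"
}

# Usage (placeholder paths): see what survived, then recover one file.
Get-ShadowCopyList -DriveLetter 'C:' | Format-Table -AutoSize
Restore-FromShadowCopy -RelativePath 'Users\alice\Documents\budget.xlsx' -Destination 'D:\recovered\budget.xlsx'
```

Check the SnapshotTime against the time the files were encrypted: a snapshot taken after the infection holds the encrypted versions, so the newest snapshot is only useful if it predates the attack. Run this before any cleanup or reimaging, since both can remove the snapshots along with the malware.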