The game of computer malware (viruses and whatnot) vs. anti-malware is like a cat-and-mouse chase, but one of ever-increasing sophistication. The latest iteration of this game is the CryptoLocker ransomware, and this one is just about as bad as it gets. Why is this one so bad? It’s because it encrypts your files. Some of you may not know exactly what this means, but, put simply, it means that your files are “password protected” and you can’t access them unless you provide the right “password”. Sounds simple enough, right? Just find the right password and you are good to go? Unfortunately, no, it’s not that simple.

The following information about what CryptoLocker does was taken from an article published by Sophos Labs; to read the entire article, click here.

What CryptoLocker does:

When the malware runs, it proceeds as follows:

1. CryptoLocker installs itself into your Documents and Settings folder, using a randomly-generated name, and adds itself to the list of programs in your registry that Windows loads automatically every time you log on.

2. It produces a lengthy list of random-looking server names in the domains .biz, .com, .info, .net, .org and .ru.

3. It tries to make a web connection to each of these server names in turn, trying one each second until it finds one that responds.

4. Once it has found a server that it can reach, it uploads a small file that you can think of as your “CryptoLocker ID.”

5. The server then generates a public-private key pair unique to your ID, and sends the public key part back to your computer.

6. The malware on your computer uses this public key to encrypt all the files it can find that match a largish list of extensions, covering file types such as images, documents and spreadsheets.

7. The malware then pops up a “pay page,” giving you a limited time, typically 72 hours, to buy back the private key for your data, typically for $300.

What makes this type of encryption so hard to undo is that public-key cryptography uses two different keys: a public key that locks files, and a private key that unlocks them. The problem isn’t getting hold of the public key; most likely, it can be found somewhere on the infected computer. The thing is, the public key is only used to “lock” the files, not “unlock” them. To “unlock” your files again, you need the matching private key, which only the bad guys have. Worse yet, if that key is lost or destroyed, there will be “no way” to “unlock” your files again. The reason I put “no way” in quotes is not because I have some magical way to “unlock” your files, but because it is still theoretically possible to break the encryption; it would just take more time and computing power than most people and businesses have available.

Another thing that makes the CryptoLocker malware so bad is that it searches for files to encrypt on all drives and in all folders it can access from your computer. This means any external drives, workgroup files shared by your colleagues, resources on your company servers, etc., could all have their files “locked” by this malware.

At this point you may be thinking, “So is there no hope against the CryptoLocker malware?” My response is this: yes, there is hope, but it lies in prevention. Once you have been infected and your files locked, there may be no way to get your files back.

So what can you do?

1) Everyone should always have some type of back-up solution. The best thing to do is have both a local back-up as well as an off-site (i.e. cloud-based) back-up. The trick is to have something with good revisioning (keeping multiple older copies of the same file, so an encrypted copy does not simply overwrite the good one). Granted, this might only be practical for your off-site back-up solution, but something is better than nothing. Also, it’s “best practice” to have a local back-up “at rest” as well as one that’s “active.” This means having one back-up that is done on a certain schedule and then disconnected and put away safely until the next scheduled back-up, plus a second back-up that runs more frequently and is constantly connected, either to the computer or to the network, that it is backing up.

2) Everyone also needs to have some type of anti-virus installed on their computer. I won’t get into recommendations because everyone has their favorites, but people need to realize that nothing, and I mean nothing, can protect a computer 100% from possible infection.

3) Be careful opening attachments from people you don’t know, and be careful about clicking on things or messages that may look legitimate but come up unexpectedly or are vague (“OMG, I can’t believe you did that! Check out this video of you…”).

4) Specifically for the CryptoLocker malware, there is something that can be done to prevent it from infecting your computer. There is a small piece of software developed by Nick Shaw of Foolishit called CryptoPrevent. This software cannot undo damage CryptoLocker has already done, but it can help prevent CryptoLocker from infecting your computer in the first place.

1 Comment

  1. CryptoWall 2.0 problems - Phoenix Computer Repairs
    November 25, 2014 at 3:55 pm

    […] year I wrote a post about the CryptoLocker malware (read it here) and how bad it was. One year later, yes, what ransomware has been mostly neutralized. Law […]
