Cryptolocker in 2015 and 2016
Over the last few months I have been getting more call-outs for a very nasty piece of software (ransomware) called Cryptolocker.
Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid; in other words, they hold your files for ransom. Usually hundreds of dollars, sometimes thousands!
It arrives in your inbox as a simple email that looks quite legitimate. The two variations I’ve been dealing with are from Australia Post and the Australian Federal Police.
A few things to note:
Alarm bell #1. The AFP issuing a driving fine?
Alarm bell #2. How would the AFP get your email address?
Alarm bell #3. If you hover your mouse cursor over the link, you would expect to see a government web address that looks like this: https://www.afp.gov.au/etc, but in this case you see a random web address that has nothing to do with the sender.
Most people delete the email on the spot but there are an alarming number of people who panic and follow the link.
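Alarm bell #3 is a check that can be automated for a mailbox or a help desk: compare where a link says it goes with where it actually goes. The script below is an added example (not from the original post) that pulls every link out of an HTML email body, flags links whose visible text shows one domain while the href points at another, and flags links to domains outside a small trusted list. The email body and the domain afp-fines-notice.example are constructed placeholders, not real indicators; the trusted-suffix list is an assumption you would tailor to your own environment.

```python
"""Flag links in an HTML email whose visible text suggests one domain but whose
href points somewhere else (the "hover over the link" check).
Added example; the email body below is constructed, not a real sample."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample styled like the lure described in the post.
# "afp-fines-notice.example" is a placeholder, not a real indicator.
SAMPLE_EMAIL_HTML = """
<p>You have an unpaid traffic infringement.</p>
<p>View your notice: <a href="http://afp-fines-notice.example/notice?id=123">https://www.afp.gov.au/notices</a></p>
<p>Official site: <a href="https://www.afp.gov.au/">www.afp.gov.au</a></p>
<p><a href="https://www.auspost.com.au/track">Track your parcel</a></p>
"""

# Assumed trust list: domains the senders in this post would legitimately use.
TRUSTED_SUFFIXES = (".gov.au", ".auspost.com.au")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_host(value):
    """Return the lowercased hostname of a URL or bare domain, or None."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host.lower() if host else None


def looks_like_domain(text):
    """Crude test: a single token containing a dot reads as a URL or domain."""
    return " " not in text and "." in text


def classify_links(html):
    """Return (verdict, href, visible_text) for each link in the email body.

    MISMATCH  - visible text names a domain that differs from the real target
    UNTRUSTED - target domain is outside TRUSTED_SUFFIXES
    OK        - nothing suspicious under these two heuristics
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registrable_host(href)
        shown = registrable_host(text) if looks_like_domain(text) else None
        if shown and target != shown:
            findings.append(("MISMATCH", href, text))
        elif target and not target.endswith(TRUSTED_SUFFIXES):
            findings.append(("UNTRUSTED", href, text))
        else:
            findings.append(("OK", href, text))
    return findings


if __name__ == "__main__":
    for verdict, href, text in classify_links(SAMPLE_EMAIL_HTML):
        print(f"{verdict:9} shown={text!r:40} target={href}")
```

The first link in the sample is reported as MISMATCH because the reader sees a gov.au address while the browser would be sent to the placeholder domain; the other two are OK. A mismatch is the strongest signal here, since legitimate mail rarely displays one URL and links to another, while the UNTRUSTED verdict depends entirely on how well the trust list matches the senders you actually expect.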
What happens if you click the link?
Once the page loads, the victim is presented with a captcha challenge. When it is entered, they download a zip file containing an executable, which is a variant known as the Cryptolocker virus. Game over!
The Cryptolocker virus will then encrypt your files, all of your files, and display a ransom message with instructions on how to make payment in order to recover the encrypted data.
Can I prevent getting Cryptolocker?
Yes! Other than keeping your antivirus up to date, there are some great tools to combat Cryptolocker-style viruses. Bitdefender has a free anti-Cryptolocker tool that defends against this kind of ransomware attack.
How to get your data back
After removing the cryptolocker virus, the next step is to recover your data.
Option 1 – Restore data from your backup
If you back up regularly, you’ll be thanking your lucky stars. It’s as simple as restoring your backup data: replace the encrypted files with your backup files.
After you restore your files we recommend backing up again and reinstalling your operating system, just to be sure there are no back doors left open.
Option 2 – Check for a shadow copy of your files
Right-click on the file, go to Properties, go to Previous Versions and see if there’s a file to restore. (These are usually deleted by the trojan, but check anyway.)
Option 3 – Resign yourself to the fact that you have lost your data
Let’s be clear. These files have stronger encryption than internet banking and, at present, there is no way to decrypt them. Back up the encrypted files (in case someone discovers how to decrypt them in future) and reformat your computer.
Option 4 – NOT RECOMMENDED – Pay the ransom
Computer Emergency does not recommend paying the ransom. There are no guarantees that you will ever see your money or your data again.
We have had a couple of clients pay the ransom. Fortunately it worked for all of them, but it still ended up costing a lot of time and money.
Here are the steps that were followed.
Step 1: You are asked to install TOR Browser (it’s like a private/secure browser)
Step 2: and go to a specific web address.
Step 3: Payment instructions come up on the screen. The payment is made in Bitcoin (kind of like black market money trading). To do this, select a bitcoin trader from the list and set up a payment (you enter how much you will be depositing and who it’s going to be sent to; an account is provided in your ransom letter). You then get 2 hours to make the deposit. My client today had no other option but to pay. We made a deposit into a Commonwealth Bank account owned by the Bitcoin trader (about $750). You receive an email notification from the bitcoin trader within 10 minutes of depositing the money, with a notification that it should be transferred to the “bad guys” within an hour.
Step 4: Back in the Tor browser there is a button that allows you to refresh the page and check that the payment has cleared. Once cleared, it automatically runs a program that shows a decrypt button. Click that and it starts to run. There is a notification that it can take up to 4 hours.
Step 5: A message is displayed letting you know that the files have been decrypted and a restart is necessary. Your files should now be back to normal.
Step 6: Time to do virus and malware scans. Best to get an IT professional to do this. Alternatively, the safer option is to back up your data and do a fresh install of your operating system.
Step 7: BACK UP YOUR DATA! It goes without saying that you should be backing up your important data as a regular routine: photos, tax documents, etc. Do you have a disaster recovery plan? What happens if there is a fire? Do you have an off-site/cloud backup?
Do you need help with cryptolocker?
This is a very nasty piece of software. If you decide to pay the ransom, there is no guarantee that the recovery process will work. There are a few things that we can do to try and get some of your data back. E.g. Dropbox files will be encrypted, but Dropbox has a disaster recovery option that allows you to restore older versions of files. You may also have a shadow copy of your files on your drive. The best thing you can do is turn your computer off immediately and call us (there’s a chance the software may not have activated if you turn it off immediately). We can help you with options, the clean-up process, or taking you through the payment process should it get to that.
Please take care and share this with your family and friends. Hopefully it will save someone from suffering as some of my clients have.