PSA: Cryptolocker

Because many users (on and off our network) have been infected with the Cryptolocker ransomware, I've put together this entry summarizing what it does, how to prevent it, and what to do if you are hit.

First, my primary sources for this article:

To summarize for the non-technical: it's pretty bad. The malware silently infects your computer, encrypts every useful document it can reach (including files on attached USB drives and mapped network shares), and then demands $300 for the key to get your files back. The cryptography is sound: the files are locked with a key pair generated for each victim, and the private half needed to decrypt them is held only on the attackers' server, so there is no shortcut. So far I haven't heard any reports of anyone decrypting files without paying the ransom. On the 'bright' side, it appears that the attackers really do decrypt your files if you pay up. This is in their best interest: now that word is getting around that it works, people will indeed pay.

My best advice for residential users: as always, never open attachments in emails you were not expecting. Check the From address (not foolproof) and hover over any links to see where they really go (better, still not perfect). If anything about the email is unusual, call the company before you open the attachment. Most of these malware emails (Cryptolocker especially) claim to be from businesses: ADP, UPS, FedEx, and so on. Cryptolocker's attachment is typically a zip file containing an executable with a PDF icon and a double extension such as .pdf.exe; with Windows hiding known file extensions by default, it looks like a harmless PDF. If you aren't absolutely certain that the email is legitimate, don't open the attachment. Even opening non-executable files such as Office documents can lead to infection.

For business users, Active Directory Group Policy can at least save the day on prevention. Here's a Microsoft Technet article about Software Restriction Policies. Per my internet research, adding the following as Disallowed path rules should stop Cryptolocker before it starts, because its first action is to copy itself into the user's AppData folder and run from there:

  • %AppData%\*.exe
  • %AppData%\*\*.exe

The two rules are not redundant. In a Software Restriction Policy path rule, * matches any run of characters within a single path component, so the first rule catches executables placed directly in %AppData% (which resolves to AppData\Roaming) and the second catches executables one subfolder below it. Note that %AppData% does not cover AppData\Local; on Vista and later, pair the two rules above with the same pair for %LocalAppData%. Before you deploy, check the workstations for legitimate per-user software that installs under AppData and would be blocked by the same rules, and add an Unrestricted path rule for each program you need to keep.
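As an added example (not code from the original post and not Microsoft's), the PowerShell below does the pre-deployment check described above: it emulates SRP path-rule matching against the executables already sitting in user profiles, so you see which legitimate programs the rules would block, and it can optionally write the rules into the local SRP registry store. Everything beyond the two rules from the post is an assumption: the %LocalAppData% companion rules, the C:\Users profile root, PowerShell 3.0 or later, and the registry layout that the Local Security Policy snap-in uses (the policy must have been created once in secpol.msc so the default keys exist, and a domain GPO will override local rules).

```powershell
# Added example: audit, then optionally apply, SRP 'Disallowed' path rules for AppData.
# Assumptions (not from the post): rule list, C:\Users as profile root, PowerShell 3+,
# and the registry layout the Local Security Policy snap-in uses for SRP.

# The two rules from the post plus the %LocalAppData% companions for Vista and later.
$Rules = @(
    '%AppData%\*.exe',        # executables directly in AppData\Roaming
    '%AppData%\*\*.exe',      # one subfolder below AppData\Roaming
    '%LocalAppData%\*.exe',   # executables directly in AppData\Local
    '%LocalAppData%\*\*.exe'  # one subfolder below AppData\Local
)

function ConvertTo-SrpRegex {
    # Emulates SRP path-rule matching: '*' matches any run of characters within ONE path
    # component, '?' matches one character, comparison is case-insensitive, variables expand.
    param([string]$Rule, [string]$ProfilePath)
    $expanded = $Rule -replace '%AppData%',      "$ProfilePath\AppData\Roaming" `
                      -replace '%LocalAppData%', "$ProfilePath\AppData\Local"
    # Escape the literal path, then turn the escaped wildcards back into regex pieces
    # that refuse to cross a backslash.
    $pattern = [regex]::Escape($expanded) -replace '\\\*', '[^\\]*' -replace '\\\?', '[^\\]'
    return "^(?i)$pattern`$"
}

function Get-SrpAuditHits {
    # Returns one object per existing .exe that the rules would block, with its signer
    # so you can tell a known per-user installer from something that should not be there.
    param([string[]]$Rules, [string]$ProfileRoot = 'C:\Users')
    foreach ($profile in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
        $appData = Join-Path $profile.FullName 'AppData'
        if (-not (Test-Path $appData)) { continue }
        $regexes = foreach ($r in $Rules) {
            [pscustomobject]@{ Rule = $r; Regex = (ConvertTo-SrpRegex -Rule $r -ProfilePath $profile.FullName) }
        }
        Get-ChildItem -Path $appData -Filter '*.exe' -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $file = $_
                $hit = $regexes | Where-Object { $file.FullName -match $_.Regex } | Select-Object -First 1
                if ($hit) {
                    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
                    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                    [pscustomobject]@{ User = $profile.Name; Rule = $hit.Rule; Path = $file.FullName; Signer = $signer }
                }
            }
    }
}

function Add-SrpDisallowedPathRule {
    # Stores a 'Disallowed' path rule where the Local Security Policy snap-in keeps them.
    # Assumption: the SRP policy already exists (created once in secpol.msc) and no domain
    # GPO overrides it. Needs an elevated prompt; takes effect at the next logon.
    param([Parameter(Mandatory)][string]$Rule, [string]$Description = 'Cryptolocker PSA')
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'  # 0 = Disallowed level
    $key = Join-Path $paths ([guid]::NewGuid().ToString('B'))
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData    -PropertyType ExpandString -Value $Rule        | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags  -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $key -Name Description -PropertyType String       -Value $Description | Out-Null
    return $key
}

# Audit first; apply only after every legitimate hit has an Unrestricted rule of its own.
$hits = Get-SrpAuditHits -Rules $Rules
$hits | Sort-Object User, Path | Format-Table -AutoSize
# To apply on this machine:  $Rules | ForEach-Object { Add-SrpDisallowedPathRule -Rule $_ }
```

Run the audit on a few representative workstations before pushing the rules through Group Policy; the same four rule strings go into the GPO's Software Restriction Policies node unchanged, since SRP expands the environment variables per user at evaluation time. Anything the audit lists as unsigned and sitting directly under AppData\Roaming deserves a closer look regardless of the policy.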

If you decide to pay, once you get your files back, copy them somewhere safe that is not permanently connected to the PC (the malware encrypts anything it can write to, so a backup drive that is always plugged in is not a backup), then have the computer completely reformatted and the operating system reinstalled. If you aren't familiar with how to do that, any local PC repair shop would be happy to help. Copy the files back only after the rebuild. So far the indications are that the malware leaves lingering processes on the machine, so presumably once they have you, they could decide to come back for more. Better safe than sorry with viruses.

I've also heard that there is apparently an IRS form, something along the lines of a loss by theft, that will at least allow you to deduct the loss from your taxes if you're hit by this. Disclaimer: we're not tax experts, please consult one before deducting anything like that.