Note: This is the information we sent to all Help Me Dave clients as the first wave of Cryptolocker was released. New versions of Cryptolocker have been released. Some aspects may be outdated, but the history and origins are interesting.
(Since this was written the original virus creators have been arrested. Paying the ransom doesn’t always work any more, and there are methods to recover data from some – but not all – versions of Cryptolocker).
Dear Client,
As you know, we don’t usually send out mass emails, but there is a new virus which is a very big threat to your files, and possibly the first virus that we can’t recover your data from, so we’d like to make sure that everyone is aware of it and thinking about what you may need to do to counter this threat.
The virus is called Cryptolocker and it is a type of Ransomware. Basically this virus will encrypt your data (files and photos) and then you’ll get a ransom note telling you how much to pay if you want your files back. They aren’t kidding.
At this stage the files are considered to be unrecoverable (though we are all working to find a way around that), and paying the ransom will actually get you the personalised decoder file to unlock your data. These guys are making serious money and they are putting serious research into staying ahead of antivirus software and any other methods people find to get around them, so the virus is changing very quickly. Please take some time to read the information attached and think about what you might need to do to counter this threat. While the consequences of infection can be very serious, there are some simple (and some more sophisticated) measures you can take to protect yourself if you plan ahead. As always, Dave will be available to discuss it if you need help.
About the virus
In short – this virus will come to you as a legitimate-looking email from Australia Post, UPS or another big company, and it will have a .exe file attached that LOOKS like a pdf or other legitimate document. We believe that the document doesn’t actually open, which could be a hint that you have been infected. While you continue working the virus will begin to encrypt your files, and any files it can reach on your server. When it’s finished it will pop up a ransom note telling you where to deposit money if you want your files back. They are using Bitcoin, which is an untraceable form of internet currency, to receive payment. Virus protection software is generally not able to stop this virus until it’s too late, but the virus does require the user to both open the email AND click to open the attachment. We’ve been sent several copies of the emails which were stopped by our spam blocker (not antivirus), so making sure your spam blocker is set up to block .exe files is one of the preventative measures we can take.
What should you do to protect yourself?
1 DON’T open any emails that seem suspicious.
This is standard advice to protect you from all malware, but as you know most viruses can be recovered from. This one has much more serious consequences if you are infected. Not opening the emails can be hard – especially with everyone shopping online for Christmas presents at the moment, it might seem reasonable to get a delivery tracking advice or invoice. Unfortunately that is exactly what the virus creators are relying on. Always check closely before opening the email, and if you aren’t SURE that it’s legitimate, don’t take the risk. Some examples of known emails are pasted below. You’ll notice that the file names are computer generated, not personalised. Passing this information to all staff and discussing the risks will help to improve awareness, and please feel free to forward this email to family and friends. If you aren’t sure how to spot a suspicious email (for this or any other virus), talk to Dave.
2 Have Secure Backups!
If your files get encrypted there’s very little chance of getting them back at this stage, but that’s not too much of a problem IF you have a secure backup! Since it can take some time before you become aware of the virus, nightly backups are not ideal – if your backup gets run AFTER the virus is on your PC but BEFORE it shows you the ransom note then your backup could be corrupt as well. Multiple backups would be preferable – for example one backup that is 3-7 days old and one that is overnight – that gives you a fallback position in the worst case scenario. Backups would preferably be offline so they can’t be infected (in a simple case that could be a thumb drive for small amounts of data). Every business has different backup solutions, so have a think about yours and talk to Dave if you’d like to check or strengthen it. This is a very good time to make sure that your backups are working and still cover your essential data.
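The point above about a backup that runs after infection but before the ransom note is worth turning into a check. Below is an added example (written for this article, not Help Me Dave’s own backup tooling) of a pre-backup sanity test: it compares the source files with a manifest recorded after the last known-good backup and refuses to overwrite the old copy when most tracked files have changed, reporting which changed files now look encrypted (near-random content). It also checks the two-tier retention rule from the paragraph above (one copy no older than a day, one 3-7 days old). The file names, sample contents and thresholds are constructed assumptions.

```python
# Added example for this page: a pre-backup sanity check. Before a nightly job
# overwrites the previous copy, compare the source files with the manifest
# recorded after the last known-good backup; a mass change (most files rewritten,
# and rewritten with near-random content) is what file-encrypting malware leaves
# behind, so the job should stop and keep the old copy rather than replace it.
# Illustrative code, not Help Me Dave's backup tooling; paths, sample contents
# and thresholds are assumptions.
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits per byte. Plain text sits around 4-5, encrypted or random data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(files):
    """files: {path: bytes}. Record hash and entropy right after a good backup."""
    return {p: {"sha256": hashlib.sha256(b).hexdigest(), "entropy": shannon_entropy(b)}
            for p, b in files.items()}


def assess_source(manifest, files, change_threshold=0.5, entropy_threshold=7.5):
    """Compare the current source tree with the manifest of the last good backup.

    Returns (safe_to_backup, report). The backup is refused when the fraction of
    tracked files that changed or vanished reaches change_threshold. The report
    also lists changed files whose content now looks encrypted (entropy jumped
    past entropy_threshold), the corroborating signal an operator should look
    at before deciding to restore instead.
    """
    changed, missing, newly_high_entropy = [], [], []
    for path, rec in manifest.items():
        if path not in files:
            missing.append(path)
            continue
        data = files[path]
        if hashlib.sha256(data).hexdigest() != rec["sha256"]:
            changed.append(path)
            if shannon_entropy(data) >= entropy_threshold > rec["entropy"]:
                newly_high_entropy.append(path)
    tracked = max(len(manifest), 1)
    change_ratio = (len(changed) + len(missing)) / tracked
    report = {
        "changed": changed,
        "missing": missing,
        "newly_high_entropy": newly_high_entropy,
        "change_ratio": change_ratio,
    }
    return change_ratio < change_threshold, report


def retention_ok(backup_ages_days):
    """The article's two-tier rule: one copy no older than a day, one 3-7 days old."""
    ages = list(backup_ages_days)
    return any(a <= 1 for a in ages) and any(3 <= a <= 7 for a in ages)


# Constructed sample data (not real client files).
GOOD_FILES = {
    "docs/quote_2013-11.docx": b"Quote for client: 12 hours labour at standard rate. " * 40,
    "docs/minutes.txt": b"Meeting minutes. Actions: check backups, update AV. " * 40,
    "photos/readme.txt": b"Holiday photos from the office trip, sorted by date. " * 40,
    "accounts/ledger.csv": b"date,description,amount\n2013-11-14,stationery,42.50\n" * 40,
}

# Stand-in for encrypted output: deterministic pseudo-random bytes built from
# SHA-256 so the sample is reproducible without a real key or real malware.
_SCRAMBLED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

ENCRYPTED_FILES = {
    "docs/quote_2013-11.docx": _SCRAMBLED,
    "docs/minutes.txt": _SCRAMBLED[::-1],
    "photos/readme.txt": _SCRAMBLED[64:] + _SCRAMBLED[:64],
    "accounts/ledger.csv": GOOD_FILES["accounts/ledger.csv"],  # not reached yet
}


def demo():
    """Run the check on the untouched tree and on the mass-encrypted tree."""
    manifest = build_manifest(GOOD_FILES)
    ok_before, _ = assess_source(manifest, GOOD_FILES)
    ok_after, report = assess_source(manifest, ENCRYPTED_FILES)
    return ok_before, ok_after, report


if __name__ == "__main__":
    before, after, rep = demo()
    print("unchanged tree safe to back up:", before)
    print("mass-changed tree safe to back up:", after)
    print("files that now look encrypted:", rep["newly_high_entropy"])
    print("retention [nightly, 5 days old]:", retention_ok([0, 5]))
```

The change-ratio gate is deliberately coarse: a normal working day touches a few percent of files, while an encrypting infection rewrites nearly all of them, so a threshold around half separates the two without tuning. The entropy list is there to explain a refusal, not to decide it, because legitimate archives and photos are also high-entropy.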
3 Keep antivirus up to date
This may help if the version of the virus you get is an older one, and will keep you safe against other malware.
4 For businesses with multiple employees, there are some more specific changes you can make to help reduce the risk.
If you are concerned that one of your employees may open a suspicious file, there are some settings that can be changed to prevent .exe files from running even when the employee clicks on them, spam security can be increased to block all emails with zip files, share drives can be set up to avoid cross infection, and several other network-wide measures can be taken to reduce the risks. Educating your staff about which emails are suspicious is also useful. Malwarebytes has some protective features to help with this, and new software specifically targeting this virus is also being written. Dave is researching to stay up to date with the best-practice prevention methods to take, and what is practical will vary from business to business, particularly as the virus is evolving to counter strategies that are aimed at slowing it down.
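Both the spam-blocker advice in the “About the virus” section (block .exe attachments) and the point above about blocking zip files come down to the same inspection at the mail gateway. Below is an added example (written for this article, not Help Me Dave’s spam filter or any vendor’s product) that parses a message, flags attachments with executable extensions or a double extension such as “.pdf.exe”, checks the first bytes for the Windows executable header, and looks inside zip attachments for the same thing. The sample message is constructed, not a real capture, and its addresses and invoice number are placeholders.

```python
# Added example for this page: a mail-gateway style check for the Cryptolocker
# lure described above (an .exe dressed up as a pdf, often inside a zip).
# Illustrative code written for this article, not Help Me Dave's spam filter
# or any vendor's product; the sample message below is constructed, not a
# real capture, and the sender/recipient addresses are placeholders.
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows runs when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions that look like harmless documents and serve as the disguise.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
MZ_HEADER = b"MZ"   # first two bytes of every Windows executable (PE) file
ZIP_HEADER = b"PK"  # first two bytes of a zip archive


def name_findings(filename):
    """Reasons a filename is suspicious on its own (empty list if none)."""
    reasons = []
    pieces = filename.lower().split(".")
    if len(pieces) < 2:
        return reasons
    ext = "." + pieces[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + ext)
        # 'invoice.pdf.exe': Windows hides the real extension by default,
        # so the user sees something that LOOKS like a pdf.
        if len(pieces) >= 3 and "." + pieces[-2] in DOCUMENT_EXTS:
            reasons.append("double extension disguised as ." + pieces[-2])
    return reasons


def inspect_attachment(filename, data, depth=0):
    """Findings for one attachment; zip archives are opened and checked inside."""
    reasons = name_findings(filename)
    if data[:2] == MZ_HEADER:
        reasons.append("content starts with MZ (Windows executable)")
    if data[:2] == ZIP_HEADER and depth < 3:  # bounded so nested zips cannot recurse forever
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    for r in inspect_attachment(info.filename, zf.read(info), depth + 1):
                        reasons.append("inside zip, %s: %s" % (info.filename, r))
        except zipfile.BadZipFile:
            reasons.append("zip attachment could not be parsed")
    return reasons


def inspect_message(raw_bytes):
    """Parse an RFC 822 message; return {attachment name: [reasons]} for flagged parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    flagged = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reasons = inspect_attachment(name, payload)
        if reasons:
            flagged[name] = reasons
    return flagged


def build_sample_message():
    """Constructed message modelled on the 'FW: Invoice <random number>' lure."""
    fake_exe = MZ_HEADER + b"\x90\x00" + b"\x00" * 60  # header bytes only, not a program
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("Invoice_20131114.pdf.exe", fake_exe)
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"   # placeholder sender
    msg["To"] = "client@example.invalid"      # placeholder recipient
    msg["Subject"] = "FW: Invoice 9098321"    # constructed number
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_9098321.zip")
    msg.add_attachment(b"%PDF-1.4 a genuine document", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in inspect_message(build_sample_message()).items():
        print(name)
        for reason in why:
            print("  -", reason)
```

Checking the content header as well as the name matters because the extension is what the attacker controls to fool the user; the first two bytes of the file are what Windows actually uses to decide it is a program. Blocking every zip, as the paragraph above suggests, is the blunter but simpler policy if the gateway cannot open archives.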
What if I’ve just opened an attachment and now I think it’s suspicious?
If you suspect you have opened a Cryptolocker virus, turn your PC off immediately! The virus takes time to encrypt your files, and once the PC is OFF it can’t keep doing damage. Some versions of the virus will apparently tell you not to turn your PC off – that’s because they want to do the maximum damage and then tell you where to pay your ransom. Disconnecting the network cable is also useful to prevent the virus getting back into your shared drives, though once the computer is off network access stops anyway. Once the PC is off, call David and he can talk you through any other measures that can be taken and whether you are likely to be at risk. Dave can then remove the virus and copy any unencrypted files to save as much data as possible, or help you restore from a backup. There are some copycat viruses which pretend to be Cryptolocker and show the Cryptolocker screen, and if you are lucky enough to have a fake version these can sometimes be recovered. Some of the older versions of Cryptolocker can also sometimes be recovered, but the ransomers designed newer versions of Cryptolocker to delete your shadow files so that those recoveries would no longer be available.
Samples of Cryptolocker Emails
| Subject line (sample) | Subject line (sample) |
| --- | --- |
| USPS – Your package is available for pickup ( Parcel 173145820507 ) | USPS – Missed package delivery (“USPS Express Services” <service-notification@usps.com>) |
| USPS – Missed package delivery | FW: Invoice <random number> |
| ADP payroll: Account Charge Alert | ACH Notification (“ADP Payroll” <*@adp.com>) |
| ADP Reference #09903824430 | Payroll Received by Intuit |
| Voice Message from Unknown (675-685-3476) | Voice Message from Unknown Caller (344-846-4458) |
| Important – New Outlook Settings | Scan Data |
| FW: Payment Advice – Advice Ref:[GB293037313703] / ACH credits / Customer Ref:[pay run 14/11/13] | Payment Advice – Advice Ref:[GB2198767] |
| New contract agreement. | Important Notice – Incoming Money Transfer |
| Notice of underreported income | Notice of unreported income – Last months reports |
| Payment Overdue – Please respond | FW: Check copy |
| Payroll Invoice | USBANK |
| Corporate eFax message from “random phone #” – 8 pages (random phone # & number of pages) | past due invoices |
| FW: Case FH74D23GST58NQS | Symantec Endpoint Protection: Important System Update – requires immediate action |
More information about what Cryptolocker does
Cryptolocker arrives as an email with an attached zip file – but the zip file usually looks like a normal pdf. The user opens the email and then double clicks on the attachment. From the user’s perspective nothing seems to happen, but in the background the virus is encrypting your files and removing the shadow files that would normally allow you to recover them. Meanwhile it is scanning for any mapped network drives so it can encrypt your server and network. When it’s ready and your data is all encrypted it will show the ransom screen asking you for money.
It tells you that you have a limited time to pay the money before your unique encryption key will be destroyed, but recently the ransomers have decided to extend the deadline. Now there are ways to pay the money even after the deadline has expired, though of course it will cost you even more. The ransom screen also tells you that if you remove the virus you will not be able to pay them; however, they are now offering the service of a website where you can download a new copy of the virus in order to pay the ransom if you have changed your mind. They respond quickly to their customers’ needs. If you decide to pay (and many people have) they will take a few hours to verify your payment and then begin decrypting your files. Sometimes there are errors and not all files are recovered, but most people who pay the ransom get most of their files back.
The amount of the ransom varies and seems to be increasing; we’ve seen estimates from $300 to $5,000. At this stage most reports do not expect these people to be caught in the near future – the operation is very well set up. The people behind this virus are making millions of dollars per month, so they have plenty of research and development money to keep ahead of the antivirus companies, and to change the virus when anyone finds a way to block it.
BleepingComputer says that the ransomers have actually responded to ‘customer’ inquiries which were made on the BleepingComputer forum, and they are monitoring IT forums and newsfeeds so that they can release new versions to beat every countermeasure people come up with. The only thing they can’t beat is you having a secure backup.
Example of the Ransom Screen
This is one version of what you would see AFTER your files have been encrypted.

Should I pay the ransom?
If you’ve clicked on the attachment and your backups have failed, then deciding whether to pay the ransom has to be a personal decision. Every person who pays the ransom is funding the next round of research and development to improve future attacks. But all indications at the moment are that paying the ransom will recover your files. In fact the ransomers appear to be working hard to improve their reputation and are actively responding to issues that make it hard for users to use their ‘decryption service’ (e.g. problems posted in IT forums have resulted in new code added to the virus to make the retrieval process smoother). They want you to get your data back so the next person will pay. It has even been reported that a US police department paid the ransom (and got their files back, and were castigated by the media for paying it). Keep in mind that it can be considerably cheaper to pay within the time limit. There are websites that can walk you through the payment and decryption process, though it is quite complicated, so Dave can figure it out for you if you decide that is what you need to do to keep your business running. Meanwhile we are taking steps to make sure our backups and network settings comply with best practice in the hope that we won’t have to make that decision.
Further Information and Updates
We will be keeping our Facebook page up to date with the latest information – feel free to go to the Facebook page https://www.facebook.com/HelpMeDave and comment or ask questions there if you’d like to keep informed. We may send another mailout if there are any critical changes in the future.