"CryptoLocker" warning

[Musky]

I usually don't pass on all the dire warnings I get about a current computer virus, but this one that we started seeing late last month is a particularly bad one, so I wanted to pass on the warning as we are seeing more and more cases of it.. 

 

Please friends, do not download ANY "EXE or ZIP" files that come to you in an email, even if they seem to be from a trusted source!

 

There currently no way to reverse the damage and recover your files without paying the ransom!

 

ICryptoLocker: A particularly pernicious virus

By Susan Bradley

 

Online attackers are using encryption to lock up our files and demand a ransom — and AV software probably won't protect you.

 

Here are ways to defend yourself from CryptoLocker — pass this information along to friends, family, and business associates.

Forgive me if I sound a bit like those bogus virus warnings proclaiming, "You have the worst virus ever!!" But there's a new threat to our data that we need to take seriously. It's already hit many consumers and small businesses. Called CryptoLocker, this infection shows up in two ways.

 

First, you see a red banner (see Figure 1) on your computer system, warning that your files are now encrypted— and if you send money to a given email address, access to your files will be restored to you.

 

 

 

Figure 1. CryptoLocker is not making idle threats.

 

The other sign you've been hit: you can no longer open Office files, database files, and most other common documents on your system. When you try to do so, you get another warning, such as "Excel cannot open the file [filename] because the file format or file extension is not valid," as stated on a TechNet MS Excel Support Teamblog.

 

As noted in a Reddit comment, CryptoLocker goes after dozens of file types such as .doc, .xls, .ppt, .pst, .dwg, .rtf, .dbf, .psd, .raw, and .pdf.

 

CryptoLocker attacks typically come in three ways:

 

1) Via an email attachment. For example, you receive an email from a shipping company you do business with. Attached to the email is a .zip file. Opening the attachment launches a virus that finds and encrypts all files you have access to — including those located on any attached drives or mapped network drives.

 

2) You browse a malicious website that exploits vulnerabilities in an out-of-date version of Java.

 

3) Most recently, you're tricked into downloading a malicious video driver or codec file.

There are no patches to undo CryptoLocker and, as yet, there's no clean-up tool — the only sure way to get your files back is to restore them from a backup.

 

Some users have paid the ransom and, surprisingly, were given the keys to their data. (Not completely surprising; returning encrypted files to their owners might encourage others to pay the ransom.) This is, obviously, a risky option. But if it's the only way you might get your data restored, use a prepaid debit card — not your personal credit card. You don't want to add the insult of identity theft to the injury of data loss.

 

In this case, your best defense is prevention

Keep in mind that antivirus software probably won't prevent a CryptoLocker infection. In every case I'm aware of, the PC owner had an up-to-date AV application installed. Moreover, running Windows without admin rights does not stop or limit this virus. It uses social engineering techniques — and a good bit of fear, uncertainty, and doubt — to trick users into clicking a malicious download or opening a bogus attachment.

 

 

Here is the Snopes page confirming this:

 

http://www.snopes.com/computer/virus/cryptolocker.asp

[Joey]

Thanks for the info.

[surfergirl]

Thanks for the heads up Musky.. 
Will pass it on..

[Qapla]

One way to prepare for such a virus is to always keep uninfected backup files of all your documents, etc so you can replace any that do get infected.

 

You can also set up user policy that will not allow an .exe to run from %AppData%\*.exe and/or %AppData\*\*.exe%

 

These efforts may/will help you block/recover from this particular malware to an extent, but avoiding it is the best protection.

[surfergirl]

Good advice John thanks will keep a note of what you suggested.

[trottigy]

Thanks Musky. Just after I saw this - our IT dept. sent out the same thing.

 

Apparently, someone clicked a link from an email   and now some files on the network are encrypted. They are pulling in the backups!!

 

NEVER NEVER NEVER - click on a link from an email!!! - especially if you don't know why it was sent to you 

 

Thanks Bro.

[trottigy]

IT looks like our IT dept had fun over the weekend:

 

 

Good Morning,

 

No additional workstations were identified with this particular malware.  DoIT staff worked over the weekend to recover encrypted files from backups, and implemented new measures to prevent further infections.  We continue to crawl the file servers looking for additional affected areas.   Root cause has not yet been determined, but it is likely that the malware came in via email.   

 

Be particularly on the lookout for emails purporting to be a “voicemail”  with an attachment, possibly even looking like it came from an internal email address.   The City does not use email to forward voicemails – this is a phishing scam.  Do not open the attachment or click on any links, report it to the Help Desk immediately at x4357.   As always, do not open attachments or click on links in emails that you are not sure of the source and contents.   

[Musky]

Mrs Musky has gotten several of these "voice mail" emails the last few days through her Real Estate email server. I am thinking of setting up a test machine and infecting it with this virus to see the damage it does and see how long it takes to do it. Might learn something useful in combating it. 

[Allabord4Jah]

Hi, a brother sent me a email this afternoon and he advised that a new malware virus that has been on the news is really Dangerous and people should be heed and protect themselves.  He wrote the below (I copied from my email) and the rest of you can check the two suggestions that he added to protect oneself from the virus attack.  Hope this helps, I'll get the story from NBC News, I can't recall if I put it in here (the forum), not sure if I put it in Entertainment or Secular News? 

 

This is for real. Take this seriously.

 

Once your system is infected you will likely never get your files back. I have been paying attention to this because part of my job is to check people’s computers in for virus removal once they have been infected and to give advice on preventing infections from occurring. This virus reportedly encrypts your files. That means, for example, that with a Microsoft Word document, if you can even open, it all you will see is garbled characters that won’t even resemble your document. You need a special software “key” that was used to encrypt it to be able to unencrypt it so it is readable information again. From some of what I have read, even if you pay the $300.00 for the “key” to decrypt it you don’t get it. And if you use software to remove the malware your files stay encrypted so they are useless to you. Some people reportedly removed the virus and when that didn’t unencrypt their files they sent the $300.00 to the attackers. The attackers, once they determines that the virus had been removed then demanded $1200.00 for the key to decrypt the files.

 

The company I work for is gathering information on ways to prevent this from infecting your computer. At least currently, once a computer has been infected there is nothing you can do to get your files back. Unless you really know what you are doing it is probably best to take your computer to a known expert to have your computer restored to an earlier point or to have Windows reinstalled.

 

If your computer hasn’t been infected my best suggestion would be to install Malwarebytes Pro. I am waiting for confirmation but according to one of the techs at work and as best I know at this point it will protect you from this attack. There are two versions of Malwarebytes. One is free and the other (Malwarebytes Pro) is $24.95. It is very good, highly recommended software anyway for protection against many types of threats. Even if you don’t get this infection, if you get a different one, not only will it potentially do damage to your computer but if you bring it to where I work we will charge you $99.99 to remove viruses that are removable (some places charge more). So it is cheap insurance. We recommend a good antivirus (particularly ESET) in conjunction with Malwarebytes. You can get both online (www.eset.com and www.malwarebytes.org ).

 

(the last paragraph is just a suggestion, some of you may have other protections that you like and are free.  Malwarebytes.org has a free download on it as well as purchase, no one is obligated to purchase or download any of the above who read this on here)

[trottigy]

Or - the really really hard thing - NEVER NEVER NEVER - click on a link from an email!!! 

 

But - hey - who am I to tell you the free way to handle this.

 

Try the $24.99 or $99.99 option  

 

note: last night I received a call from Microsoft. Apparently, my computer (which wan't even on) was sending "them" messages that it need to be fixed    

 

After a chuckle to myself - and knowing this was a scam - I kept him on the phone as long as I could. Hey, I figured - as long as he was talking to me - he wasn't scamming some older person  

 

After 30 minutes - while I was really watching TV - he asked for a small fee of $29.99 and the kind offer to send me to a website where I could download software that would "fix" my computer.   I bet it would "fix" it all right  

 

The moment I told him I wasn't going to pay the fee - he hung up. Arrgghh, I should have told him I would and given him a fake card number. Maybe I could have kept him on the phone longer pretending to go the website.

Edited November 7, 2013 by trottigy

[GrumpysWife]

At work I get these calls all the time. Then I hand the phone to Frances. She loves to talk on the phone. Her conversations consist of I'm gonna buy me a motorcycle, a red one, I want 2 or 3 of dem. A blue one, a green one. I'm gonna get me one. By then they have hung up.

[jake3328]

Yes a very serious Virus.  I spent four days recovering files from the company's various backup systems (cloud, tape, disk).  The virus stays dormant on the infected computer while it encrypts files and then enters mapped drives to servers and starts to work on them (only xls, xlsx, doc, docx and jpg files were encrypted in our case). By the time the user complained about problems, all his Excel and Word files were encrypted (he lost them all because he did not save them in the home directory on a server) and about 8,000 files on several servers were encrypted. I was able to recover all except 3 files.  Worst virus I have encountered and we have dealt with many.  Backup, Backup, Backup is the only solution that helped us.

 

PS -  When the files were encrypted ownership was changed to the infected user.  This is how I was able to find all the encrypted files.  Used TreeSize professional to find all files on the server with the infected user as owner.  Not all files in a directory were affected,  nor all folders, so i could not do a blanket restore (some unaffected files were updated and a blanket restore would cancel files updated by users).  It was a slow restore, manual restore, sometimes just one file in a directory.  Four days.

Edited November 7, 2013 by jake3328

[Joey]

Can you get it on a tablet? I don't think I have any files on my tablet.I have Apps.

[trottigy]

Can you get it on a tablet? I don't think I have any files on my tablet.I have Apps.

 

It is EXTREMELY unusual to get a virus on a tablet.

 

BUT the rule still holds true - don't click on a clink from an email.

 

Call the person who sent it and ask them what it is - AFTER verified - you might click.

 

note: same for attachments.

[Toy Poodles]

Jerry, that was your only chance to witness to him and you blew it. 

[Musky]

Can you get it on a tablet? I don't think I have any files on my tablet.I have Apps.

 

No, Only the Windows operating system is at risk with cryptolocker.

[1gemstone]

Thank you sooo much Musky.

 

I'm not   opening any email my laptop until after Xmas. People are looking for holiday money. 

[DLM]

"No, Only the Windows operating system is at risk with cryptolocker."

 

This is exactly why I have nothing but Apple computers!!!

[Musky]

Yes, Apple has its own set of viruses and if you get one, you have to send your computer back to Apple to have them fix it.

[Musky]

The people that are behind the "cryptolocker" ransom-ware are now offering customer service! What nerve! LOL

 

http://techtalk.pcpitstop.com/2013/11/14/ransomware-crooks-offering-customer-service/

 

 

Here is a link to a free "anti-crypto" program if anyone is really worried about this threat:

 

http://www.foolishit.com/vb6-projects/cryptoprevent/

[1gemstone]

http://www.foolishit.com< really?

                         ^^

Edited November 17, 2013 by 1gemstone

[Musky]

LOL, Yes, the site address kind of through me off also. But it is "foolish-IT" it sounds a little better that way!

[rocket]

LOL, Yes, the site address kind of through me off also. But it is "foolish-IT" it sounds a little better that way!

 

Question is, is it a legit site or does it put CryptoLocker on your computer?

[Musky]

It was recommended by a friend that runs the I.T department of a large corporation. He hasn't steered me wrong yet. But, it always pays to be cautious.

[shali]

You try it out Chuck and then let the rest of us know! ha!