Tuesday, October 15, 2013

CryptoLocker Warning

Ransomware has adapted over the years, becoming more difficult to protect against.

One of the newest and most successful pieces of ransomware is CryptoLocker, which uses public-key cryptography to encrypt a variety of file types such as images, documents and spreadsheets. The malware searches for files to encrypt on every drive and in every folder the logged-on user can write to from the compromised computer, including network shares, workgroup folders shared by colleagues and resources on company servers.

[Screenshot: the CryptoLocker ransom screen. If you see this, it's too late!]

CryptoLocker installs itself in the Documents and Settings folder under a randomly-generated name, and adds a Run entry to the registry so that Windows starts it again every time the user logs on. It then produces a lengthy list of random-looking server names in the domains .biz, .co.uk, .com, .info, .net, .org and .ru, and tries to make a web connection to each of these names in turn, one per second, until it finds one that responds. Once it has found a server it can reach, that server generates a unique public-private key pair and sends only the public half back to the infected computer; the private key never leaves the criminals' server.
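The domain-generation behaviour described above leaves a recognisable trace in DNS logs: one host querying a burst of long, random-looking names across those TLDs, roughly one per second, with nearly all of them failing because only one name is live at a time. The following is an added example, not code from the original post, showing how a defender might flag that pattern; the log line format, the sample lines, the client addresses and the length, entropy, count and window thresholds are all constructed assumptions.

```python
"""Flag CryptoLocker-style domain-generation lookups in a DNS query log.

Added example (not from the original post). Assumes a constructed log format:
"<ISO-8601 time> <client IP> <queried name> <response code>", one query per line.
"""
import math
import re
from collections import defaultdict
from datetime import datetime

# TLDs named in the post; ".co.uk" is two labels, so it is matched as a suffix.
TLDS = (".biz", ".co.uk", ".com", ".info", ".net", ".org", ".ru")

# Constructed sample log: 10.0.0.7 is the infected host, the others are normal traffic.
SAMPLE_LOG = """\
2013-10-15T09:00:00 10.0.0.5 www.google.com NOERROR
2013-10-15T09:00:01 10.0.0.7 qwlkjsdhgfpoiy.biz NXDOMAIN
2013-10-15T09:00:02 10.0.0.7 mnbvcxzlkjhgfds.co.uk NXDOMAIN
2013-10-15T09:00:03 10.0.0.7 plokijuhygtfrde.com NXDOMAIN
2013-10-15T09:00:04 10.0.0.7 zaqwsxcderfvbgt.info NXDOMAIN
2013-10-15T09:00:05 10.0.0.7 yhnujmikolpqazw.net NXDOMAIN
2013-10-15T09:00:06 10.0.0.7 xswedcvfrtgbnhy.org NXDOMAIN
2013-10-15T09:00:07 10.0.0.7 ujmikolpqazwsxe.ru NOERROR
2013-10-15T09:00:08 10.0.0.5 mail.example.org NOERROR
2013-10-15T09:00:09 10.0.0.9 intranet.corp.local NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")


def parse_log(text):
    """Yield (time, client, name, rcode) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, name, rcode = m.groups()
            yield datetime.fromisoformat(ts), client, name.lower().rstrip("."), rcode


def shannon_entropy(s):
    """Bits of entropy per character. Dictionary words score around 2-3 bits;
    random lowercase labels of 12-15 characters score close to log2(len)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def registered_label(name):
    """Return the label directly left of one of the listed TLDs, else None."""
    for tld in TLDS:
        if name.endswith(tld):
            stem = name[: -len(tld)]
            return stem.rsplit(".", 1)[-1] if stem else None
    return None


def looks_generated(name, min_len=10, min_entropy=3.0):
    """Heuristic: long, high-entropy label under one of the TLDs the malware uses."""
    label = registered_label(name)
    return bool(label) and len(label) >= min_len and shannon_entropy(label) >= min_entropy


def find_dga_clients(log_text, min_queries=5, window_s=60, min_nx_ratio=0.5):
    """Report clients that issued a burst of generated-looking lookups.

    Returns {client: {"count", "nxdomain", "span_s", "live"}}, where "live" lists the
    names that actually resolved: the candidate command-and-control servers.
    """
    per_client = defaultdict(list)
    for ts, client, name, rcode in parse_log(log_text):
        if looks_generated(name):
            per_client[client].append((ts, name, rcode))

    hits = {}
    for client, events in per_client.items():
        events.sort()
        # Slide a time window over the client's suspicious lookups; flag on the first
        # window that is both large enough and mostly failures.
        for i in range(len(events)):
            window = [e for e in events[i:] if (e[0] - events[i][0]).total_seconds() <= window_s]
            if len(window) < min_queries:
                continue
            nx = sum(1 for e in window if e[2] == "NXDOMAIN")
            if nx / len(window) >= min_nx_ratio:
                hits[client] = {
                    "count": len(window),
                    "nxdomain": nx,
                    "span_s": (window[-1][0] - window[0][0]).total_seconds(),
                    "live": [e[1] for e in window if e[2] == "NOERROR"],
                }
                break
    return hits


if __name__ == "__main__":
    for client, info in find_dga_clients(SAMPLE_LOG).items():
        print(client, info)
```

The "live" list is the useful output for incident response: the one name that resolved during the burst is the server the infected host actually reached, so it is the address to block at the perimeter and to search for across other hosts' logs. The thresholds are starting points only; tune them against your own resolver's baseline, since long random-looking labels also appear in CDN and tracking domains.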

Public-key cryptography uses two different keys: a public key that locks files, and a private key that unlocks them. The public key can be shared widely, so anyone can encrypt a file for its owner, but only the holder of the matching private key can decrypt it. In CryptoLocker's case the owner of the key pair is the criminals' server, not you.

The malware then offers to trade money for the private key that unlocks the encrypted files. It pops up a pay page giving you a limited time, typically 100 hours, to buy back the private key for your data, typically for $300, along with a warning that the server will destroy the key once that time has passed, after which the files can never be recovered.

Sadly, once a file has been encrypted under the public key, only the matching private key can decrypt it. Unlike earlier ransomware, which often used weak or reversible encryption, there is no known fix: without that private key the data is gone. The only real remedy is to restore from backups that the infected account could not write to (offline or versioned copies), because any network share it could reach will have been encrypted along with the local drives.
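The key handling described in the last three paragraphs (server keeps the private key, victim gets only the public key, per-file encryption that only the private key can reverse) is ordinary hybrid public-key encryption. The block below is an added example, not code from the original post or from the malware, modelling that structure with textbook RSA on 128-bit primes and a toy SHA-256 keystream in place of a real symmetric cipher. Real deployments, CryptoLocker included, pair RSA-2048 with a proper cipher such as AES and padding such as OAEP, so the sample document, the key sizes and the keystream construction here are constructed assumptions for illustration, not a usable cipher.

```python
"""Why files encrypted under the server's public key need the private key back.

Added example, not from the original post. Textbook RSA with 128-bit primes and a
SHA-256 keystream stand in for RSA-2048 + AES; the structure, not the strength,
is the point.
"""
import hashlib
import random
import secrets


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test, adequate for generating illustrative primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd number of exactly `bits` bits, retried until probably prime."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=128):
    """Return ((n, e), (n, d)). The 'server' keeps d and ships only (n, e)."""
    e = 65537
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:      # e is prime, so this guarantees gcd(e, phi) == 1
            break
    n = p * q
    d = pow(e, -1, phi)                  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def keystream_xor(key, data):
    """Toy stream cipher: XOR data with SHA-256(key || block counter).
    Symmetric, so the same call encrypts and decrypts. Not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_file(public_key, plaintext):
    """Everything the infected host can do: it holds (n, e) and nothing else."""
    n, e = public_key
    file_key = secrets.token_bytes(16)                     # fresh 128-bit key per file
    m = int.from_bytes(file_key, "big")                    # m < 2**128 < n
    wrapped = pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return wrapped, keystream_xor(file_key, plaintext)


def unwrap_file_key(key, wrapped_key):
    """RSA-decrypt the wrapped file key. Using the public exponent instead of d
    yields a random 256-bit value, so anything that is not a 128-bit key is rejected."""
    n, exp = key
    m = pow(int.from_bytes(wrapped_key, "big"), exp, n)
    return m.to_bytes(16, "big") if m < (1 << 128) else None


def decrypt_file(key, wrapped_key, ciphertext):
    """Returns the plaintext with the private key, None with anything else."""
    file_key = unwrap_file_key(key, wrapped_key)
    return None if file_key is None else keystream_xor(file_key, ciphertext)


if __name__ == "__main__":
    public, private = generate_keypair()            # private half stays on the "server"
    document = b"Q3 budget spreadsheet (constructed sample)"
    wrapped, ct = encrypt_file(public, document)    # all the victim's machine ever does
    print("with public key only:", decrypt_file(public, wrapped, ct))
    print("with private key:", decrypt_file(private, wrapped, ct))
```

Note what the infected machine never holds: d. Memory forensics or disk carving on the victim can recover the per-file ciphertext and the wrapped keys, but not the exponent needed to unwrap them, which is why the "destroy the key after the deadline" threat is credible and why offline backups are the defence that actually works.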

Worse, the infection vectors make it difficult for consumers to avoid. CryptoLocker arrives via email attachments and via existing botnets. The former is easy to avoid by being wary of unsolicited attachments; botnets, though, are a different story.

Most bots, or zombies, once active on your computer, include a general-purpose "upgrade" command that lets the crooks update, replace, or add to the malware already on your PC. A machine that was quietly infected months ago can therefore be handed CryptoLocker without the user opening anything at all.

These days it is becoming harder than ever before to avoid destructive software like CryptoLocker.

As I have been advising for years now, never open attachments in your email unless you are 100% sure where they came from and who sent them. Never go to questionable websites. And finally, install well-known anti-virus software on your computer and keep it up to date.
