Threat Name: Cryptolocker
Threat Type: Ransomware
Primary target: Business users, PC users
Date discovered: Sept. 2013
What it does:
Cryptolocker encrypts files and demands a ransom for the key needed to decrypt (i.e. unlock) them.
The malware searches local drives, mapped network drives and shares for files associated with popular business applications (documents, spreadsheets, databases, images). Once found, the files are encrypted and the user is given 72 hours to pay the ransom for the key. If the ransom is not paid within that window, the files remain encrypted permanently.
The ransom has ranged from roughly $100 to $1000 and typically must be paid in Bitcoin. Reports indicate that paying the ransom can result in decryption, but there is no guarantee and payment funds the operation; we do not recommend it.
How it spreads:
Cryptolocker Prevention Kit
Files encrypted by Cryptolocker are all but impossible to unlock without the key: each file is encrypted with a key that is itself encrypted to a 2048-bit RSA public key, and the matching private key is held only on the attackers' servers, never on the infected machine. IT service providers should therefore block the malware proactively rather than plan to decrypt after the fact.
“You don’t want to sit on the sidelines and wait for a customer to be infected,” said Amy Babinchak, Owner of Harbor Computer Services and Third Tier.
Babinchak created a Cryptolocker Prevention Kit to protect her clients. She has since made it freely available, and even Brian Krebs took notice. Most of the information below is based on the kit.
The kit uses Group Policy (Software Restriction Policy path rules) to stop executables from running in the locations Cryptolocker drops its binary into, while leaving the rest of the system unrestricted.
“So far, the virus hasn’t really morphed. It’s still trying to use the same locations. It will be really easy to adapt this group policy when it does,” said Babinchak.
How to prevent and mitigate:
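The following is an added example of the kit's approach, written for this page and not taken from ThirdTier's kit or its scripts. It writes Software Restriction Policy (SRP) path rules directly into the local policy hive, which is where a domain Group Policy object delivers the same rules on each client (in GPMC they live under Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules). The blocked locations (%AppData%, %LocalAppData% and the temp folders that archive tools extract into) are assumptions about where the malware runs from, not something the page states; adjust them as the malware changes. Run it from an elevated PowerShell prompt on a test machine first.

```powershell
# Added example, not ThirdTier's kit. Writes SRP path rules into the local policy
# hive; a domain GPO delivers the same keys under HKLM\SOFTWARE\Policies on every
# client. Run elevated; try it on a lab VM before rolling it out.

$SrpRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$DenyLevel  = Join-Path $SrpRoot '0\Paths'        # security level 0       = Disallowed
$AllowLevel = Join-Path $SrpRoot '262144\Paths'   # security level 0x40000 = Unrestricted (exceptions)

# Assumed drop locations for the Cryptolocker binary (per-user profile dirs and the
# temp folders archive tools extract into). Extend this list if the malware moves.
$BlockedPaths = @(
    '%AppData%\*.exe'
    '%AppData%\*\*.exe'
    '%LocalAppData%\*.exe'
    '%LocalAppData%\*\*.exe'
    '%Temp%\*.zip\*.exe'   # exe launched straight from a zip attachment
    '%Temp%\Rar*\*.exe'    # WinRAR temporary extraction folder
    '%Temp%\7z*\*.exe'     # 7-Zip temporary extraction folder
)

function Enable-SrpBaseline {
    # Everything stays allowed by default; only the explicit path rules deny.
    New-Item -Path $DenyLevel  -Force | Out-Null
    New-Item -Path $AllowLevel -Force | Out-Null
    Set-ItemProperty -Path $SrpRoot -Name DefaultLevel       -Type DWord -Value 0x40000  # Unrestricted
    Set-ItemProperty -Path $SrpRoot -Name TransparentEnabled -Type DWord -Value 1        # enforce, skip DLLs
    Set-ItemProperty -Path $SrpRoot -Name PolicyScope        -Type DWord -Value 0        # all users, admins included
}

function Get-RulePath([Microsoft.Win32.RegistryKey]$Key) {
    # Read ItemData raw: Get-ItemProperty would expand %AppData% to a concrete path
    $Key.GetValue('ItemData', '', [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Deny', 'Allow')][string]$Action = 'Deny',
        [string]$Description = 'Cryptolocker prevention rule'
    )
    $level = if ($Action -eq 'Deny') { $DenyLevel } else { $AllowLevel }
    # Idempotent: reuse an existing rule for this path instead of adding a second GUID key
    $existing = Get-ChildItem -Path $level -ErrorAction SilentlyContinue |
                Where-Object { (Get-RulePath $_) -eq $Path }
    if ($existing) { return $existing.PSChildName }

    $guid = '{' + ([guid]::NewGuid().ToString().ToUpper()) + '}'
    $key  = New-Item -Path (Join-Path $level $guid) -Force
    New-ItemProperty -Path $key.PSPath -Name ItemData     -PropertyType ExpandString -Value $Path        | Out-Null
    New-ItemProperty -Path $key.PSPath -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $key.PSPath -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $key.PSPath -Name LastModified -PropertyType QWord        -Value (Get-Date).ToFileTime() | Out-Null
    return $guid
}

function Get-SrpPathRules {
    # Audit view of every path rule currently in the local policy
    foreach ($pair in @(@('Deny', $DenyLevel), @('Allow', $AllowLevel))) {
        Get-ChildItem -Path $pair[1] -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Action = $pair[0]; Rule = $_.PSChildName; Path = (Get-RulePath $_) }
        }
    }
}

function Find-ProfileExecutables {
    # Pre-check: legitimate per-user apps installed under these dirs will be blocked
    # too and need an Allow rule (Add-SrpPathRule -Action Allow) before rollout.
    Get-ChildItem -Path $env:APPDATA, $env:LOCALAPPDATA -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
        Select-Object FullName
}

Find-ProfileExecutables
Enable-SrpBaseline
foreach ($p in $BlockedPaths) { Add-SrpPathRule -Path $p | Out-Null }
Get-SrpPathRules | Format-Table -AutoSize
```

To confirm the policy is active, copy a harmless executable into %AppData% and run it; it should be refused with a "blocked by group policy" message and an event from the SoftwareRestrictionPolicies source in the Application log. Anything that legitimately installs into the user profile will be refused the same way, which is why the pre-check runs first and why exceptions go under the Unrestricted level rather than by loosening the deny rules.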
How to recover:
Aside from restoring affected files from backup, it is all but impossible to fully recover from Cryptolocker. After the 72-hour deadline the attackers claim to destroy the private key, which was never on the infected machine, and the affected files stay locked. Recovery therefore depends on backups the malware could not reach: it also encrypts files on mapped network drives and shares, so a backup that is only a writable share is not a backup.
The documents in ThirdTier’s kit also include detailed instructions on how to mitigate damage and recover.
Summary of recovery steps from ThirdTier:
Resources
Bleeping Computer:
CryptoLocker Ransomware Information Guide and FAQ
ThirdTier: