The CryptoLocker Trojan is delivered via an email with a ZIP file attachment, which is the most common attack vector. The ZIP payload unpacks and installs itself on Windows machines only – Windows OS (XP, Vista, 7, 8, and 8.1). What is different about this Trojan is that it encrypts all of your Windows files, such as pictures, documents, music files and so on, as well as attached network storage. This Trojan also contains the Cutwail spamming bot. So be extra careful when opening attachments.
CryptoLocker then demands payment via Bitcoin or MoneyPak within a 72 hour window (it installs a countdown timer on the target machine). Victims who opened the ZIP and installed this Trojan have had to pay a ransom to receive a key (and decryption software, which communicates over the TOR network rather than the open Internet) that unlocks the encrypted files. Once the files are encrypted you are in the hands of the cyber criminals! Over this weekend the cyber criminals have allowed victims to pay after the 72 hour window*, and using MoneyPak, as most victims don’t actually know what bitcoins are.
*You could roll back your Windows clock to allow more time.
NOTE: If, like us, you use full-disk and/or folder encryption, this Trojan will still execute its payload while the volume(s) are mounted, so be extra careful what you click on in emails. Also, antivirus software will remove the Trojan, but if you didn’t block your network connection (upon opening the ZIP attachment), your antivirus software will be of no help when it comes to decrypting your encrypted data. 🙁
How to protect your Windows OS (XP, Vista, 7, 8, and 8.1) from CryptoLocker
- Make sure you don’t open a ZIP attachment from someone you don’t know or don’t have in your contact book.
- Update your antivirus engine with the latest definitions and make sure your firewall has the latest update.
- Download and install the CryptoPrevent utility (see bootnote): http://www.foolishit.com/download/cryptoprevent-installer/ and/or
- Download and install the BitDefender CryptoBlocker utility: http://download.bitdefender.com/removal_tools/BDAntiCryptoLocker_Release.exe
The infection and launch points will be blocked when using either or both of the above utilities. Please note that these utilities will NOT recover your encrypted data. If your Windows OS data has been encrypted, then I suggest you disconnect from your home Wi-Fi and recover from a backup or restore point. If this isn’t possible, we DO NOT recommend paying the ransom.
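Since the post's main advice is not to open ZIP attachments, here is an added example (not code from the original post, and not part of CryptoPrevent or CryptoBlocker) of the kind of pre-screen a mail gateway or help desk can run on a ZIP attachment before anyone double-clicks it. It flags members with an executable extension, a disguised double extension such as invoice.pdf.exe, a Windows PE ("MZ") header hiding under a harmless-looking name, and members that are password-protected and so cannot be inspected. The extension deny-list and the sample ZIP are constructed for the illustration; the "MZ" bytes are a stand-in header, not a real executable.

```python
import io
import zipfile
from typing import Dict, List

# Constructed deny-list (assumption): file types Windows runs directly on double-click.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Bit 0 of the ZIP general-purpose flag field marks an encrypted (password-protected) member.
ZIP_FLAG_ENCRYPTED = 0x1


def is_pe_header(head: bytes) -> bool:
    """Windows executables (EXE, DLL, SCR) begin with the 'MZ' DOS stub signature."""
    return head[:2] == b"MZ"


def scan_zip_attachment(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Return {member name: [reasons]} for every member that should not be opened.

    Members that raise no concern are omitted from the result.
    """
    if not zipfile.is_zipfile(io.BytesIO(zip_bytes)):
        raise ValueError("attachment is not a ZIP archive")

    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons: List[str] = []
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""

            # Name-based checks: executable extension, and a document-looking
            # extension placed in front of it (e.g. report.pdf.exe).
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension")
                if len(parts) > 2:
                    reasons.append("double extension")

            # Content-based check: look at the first two bytes regardless of the name.
            if info.flag_bits & ZIP_FLAG_ENCRYPTED:
                # Cannot read the member without a password, so treat it as opaque.
                reasons.append("encrypted member, cannot inspect")
            else:
                with zf.open(info) as fh:
                    if is_pe_header(fh.read(2)):
                        reasons.append("PE header")

            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment: one benign member and two that should be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "quarterly figures")
        # Stand-in executable with a disguised double extension (not real malware).
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62)
        # Executable header hiding under an image filename.
        zf.writestr("photo.jpg", b"MZ\x90\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in scan_zip_attachment(build_sample_zip()).items():
        print(f"{name}: {', '.join(why)}")
```

The content check matters more than the name check: an attacker controls the filename, but a Windows executable still has to start with the MZ stub to run. Blocking or quarantining any attachment with a finding, rather than relying on the recipient to spot it, is the practical use of this routine.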
Safe surfing folks!
Bootnote: CryptoPrevent also works on Windows servers. You will, however, have to use Group Policy and create your own rule set, as CryptoPrevent may cause unintended side effects.