The latest malware monster is called Cryptolocker (usually, though not always, spelled with no space between "Crypto" and "Locker"), which encrypts your data and holds it for ransom unless you pay $700. Apparently, because payment is demanded in Bitcoin, authorities cannot readily trace the money back to a person.
There's one simple way to prevent infection. I'll discuss this tactic toward the end of this post.
First, let's learn more about our enemy:
More specifically, the Crypto Locker virus is typically spread through emails that pretend to be customer support related issues from Fedex, UPS, DHS, etc. These emails contain a zip attachment that when opened will infect the computer. These zip files contain executables that are disguised as PDF files as they have a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Microsoft does not show extensions by default, they look like normal PDF files and people open them.
This description is slightly wrong: Cryptolocker is a trojan, not a virus. A virus copies itself into other programs; a trojan relies on the victim running it, which is exactly what the disguised attachment accomplishes. But let's not be pedantic. Most people allow for a fairly elastic definition of "virus."
The insidious thing about Cryptolocker is that getting rid of it is easy -- but your data files remain encrypted. Without the private key, the only ways to get your files back are to pay the money or to restore them from a backup made before the infection.
None of your drives are safe. Even files "in the cloud" will be encrypted if you have an "always on" link to your cloud storage: a synced folder looks like any other folder to the malware, and the encrypted copies are then synced upward. Cryptolocker can reach anything that Windows Explorer can reach, including USB disks and mapped network drives.
From the UK's The Register:
The software nasty is particularly fiendish: The malware first contacts its master's control server, which generates a new public-private 2048-bit RSA cryptographic key pair and sends the public half to the malware.
Then for every file discovered on the computer, Cryptolocker generates a new 256-bit key and uses it to encrypt that document using the virtually unbreakable AES256 algorithm. That AES key is then encrypted using the RSA public key and stored with the obfuscated document.
Only when the victim pays up does the Trojan download the private half of the RSA key, which is used to decrypt the per-file AES keys and ultimately restore all the protected documents. Targeted files include anything with .doc, .docx, .xls, .xlsx, .ppt, .pptx, .dwg, .dxf, .dxg and .jpg extensions and plenty more.
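As an added example (my script, not code from the post or from The Register), here is the key-wrapping scheme the quote describes, run on an in-memory byte string in PowerShell with the .NET crypto classes that ship with Windows. The "server" and "client" objects and the Protect-Item and Unprotect-Item function names are my own labels for the two sides; nothing here touches files.

```powershell
# Added example, not code from the post or from The Register's article.
# Hybrid scheme as described above: an RSA-2048 pair generated on the "server",
# the public half handed to the "client"; the client makes a fresh AES-256 key
# per item, encrypts the item with it, then wraps that key with the RSA public
# key. .NET class names are real; "server", "client" and the function names
# are mine.

# Server side: the only place the private half ever exists.
$server = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$publicHalf = $server.ExportParameters($false)    # $false = modulus + exponent only

# Client side: loaded with nothing but the public half.
$client = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$client.ImportParameters($publicHalf)

function Protect-Item {
    param([byte[]]$Plaintext,
          [System.Security.Cryptography.RSACryptoServiceProvider]$PublicKey)
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.KeySize = 256
    $aes.GenerateKey()
    $aes.GenerateIV()
    $body = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    # Wrap the per-item key with RSA ($true = OAEP padding). Only the holder of
    # the private half can unwrap it; the client keeps no copy of the raw key.
    $package = New-Object psobject -Property @{
        Body       = $body
        IV         = $aes.IV
        WrappedKey = $PublicKey.Encrypt($aes.Key, $true)
    }
    $aes.Dispose()
    return $package
}

function Unprotect-Item {
    param($Package,
          [System.Security.Cryptography.RSACryptoServiceProvider]$PrivateKey)
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.Key = $PrivateKey.Decrypt($Package.WrappedKey, $true)   # needs the private half
    $aes.IV  = $Package.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Package.Body, 0, $Package.Body.Length)
    $aes.Dispose()
    return $plain
}

# Constructed sample input standing in for one document.
$sample  = [System.Text.Encoding]::UTF8.GetBytes('constructed sample document')
$package = Protect-Item -Plaintext $sample -PublicKey $client

# The client cannot unwrap its own package: it never had the private half.
try   { $null = $client.Decrypt($package.WrappedKey, $true); 'client unwrap: unexpectedly succeeded' }
catch { 'client unwrap: failed as expected (' + $_.Exception.GetType().Name + ')' }

# The server can, which is exactly the position the ransom note puts the victim in.
[System.Text.Encoding]::UTF8.GetString((Unprotect-Item -Package $package -PrivateKey $server))
```

The point to take away is what the infected machine actually holds: ciphertext, an IV, and a wrapped key that is useless without the private half that never left the server. Dumping the malware's memory or disassembling it recovers nothing that helps, which is why removal alone leaves the files locked.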
From the Wikipedia article (which says that the ransom may be as low as $300 -- such a bargain!):
Security software might not detect CryptoLocker, or detect it only after encryption is underway or complete. If an attack is suspected or detected in its early stages, it takes some time for encryption to take place; immediate removal of the malware (which itself is a relatively trivial process) would theoretically limit its damage to data.
According to this article, the Christmas season may see a flurry of fake emails purporting to come from shopping sites like Amazon. Be extremely paranoid about all attachments and downloads.
The Cryptolocker malefactors are very businesslike. They've even come up with a user-friendly app for people who are having trouble figuring out how to use Bitcoin:
“This service allow [sic] you to purchase private key and decrypter for files encrypted by CryptoLocker,” the site reads. “Customers” of the service can search for their “order number” simply by uploading any of the encrypted files.
“They’re calling it an ‘order,’ as if victims posted an order at Amazon.com,” Abrams said.
The Sophos Virus Removal tool can get rid of Cryptolocker. I've used free apps from Sophos for years and can recommend that company's products without reservation.
Alas, you may not know that you have the trojan until after it has encrypted your files. At that point, removing the malware from your system could be harmful: as the Register piece explains, the trojan itself is what downloads the private key and decrypts your files after payment, so once it is gone, paying will not get them back.
Another report says that Cryptolocker may "piggyback" atop malware already on your system, so it behooves you to use every reliable tool available to keep your system clean.
Another site claims to have a method of removing the virus in safe mode. (When I tried out Windows 8 -- which I hated, of course -- I was dismayed to find out that 8 doesn't have a safe mode. Has that situation changed?)
You may also want to look into this Cryptolocker prevention kit. And this fellow has an app called CryptoPrevent.
One excellent preventative measure is very simple: refrain from opening any attachments, however innocuous they look, from people you do not know very well. Keep in mind that the lures described above impersonate familiar companies, so a recognizable name on the message is no reassurance.
Obviously, security experts would advise you to keep backups of everything important on external drives that are not left attached. But even in these days of cheap hard drives, backing up several terabytes of data is pricey. And routinely backing up to drives that are normally not attached to your system can be annoying.
Here's one simple preventative measure that few people are talking about: although Windows hides file extensions by default, it is easy to change this behavior so that extensions are shown at all times.
When you can see the extension, you can tell at a glance whether that "pdf" file really is a PDF or an executable named something like FORM_101513.pdf.exe. Look at the extension, not the icon: an executable can carry whatever icon its author gives it.
On Windows 7, just open up Windows Explorer, hit "Organize" (at the far left), scroll down to "Folder and Search Options," hit the "View" tab, then go down until you see the words "Hide extensions for known file types." Make sure the box does NOT have a check.
And that's it. You are now much safer. I've had my system thus configured for years, because I like to see exactly what I'm dealing with.
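As an added example (my script, not something from the post), here is the same change made from PowerShell, which is how you would apply it to more than one machine, followed by a check that lists files whose names end in a decoy extension and then a real executable one, the trick the quoted description relies on. The registry key and value are the real Explorer settings behind that checkbox; the function names and the sample file names are mine.

```powershell
# Added example, not from the post. The Folder Options checkbox described above
# toggles one registry value; this does the same thing from a prompt, and adds a
# check for names like FORM_101513.pdf.exe. The registry path and value name are
# the real Explorer settings; the function names and sample names are mine.

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-HideFileExt {
    # 1 = "Hide extensions for known file types" is on (the Windows default), 0 = off.
    $v = Get-ItemProperty -Path $advanced -Name HideFileExt -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 1 }   # value absent = Windows default, which is "hide"
    return [int]$v.HideFileExt
}

function Show-FileExtensions {
    Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0 -Type DWord
    # Explorer reads the value when it starts; windows already open keep the old
    # behaviour until Explorer is restarted (log off, or Stop-Process -Name explorer).
}

function Test-DecoyExtension {
    # $true when a "document" extension is immediately followed by an executable one.
    # -match is case-insensitive, so photo.JPG.SCR is caught too.
    param([string]$Name)
    $decoy = 'pdf|doc|docx|xls|xlsx|ppt|pptx|dwg|dxf|jpg|jpeg|png|txt|zip'
    $exec  = 'exe|scr|com|pif|bat|cmd|vbs|vbe|js|jse|wsf|wsh|ps1'
    return [bool]($Name -match ('\.(' + $decoy + ')\.(' + $exec + ')$'))
}

function Find-DecoyExtension {
    # Walk a folder (Downloads by default, where mail attachments usually land)
    # and report every file whose name has a decoy double extension.
    param([string]$Path = (Join-Path $env:USERPROFILE 'Downloads'))
    Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and (Test-DecoyExtension $_.Name) } |
        Select-Object FullName, Length, LastWriteTime
}

# Constructed sample names: the two from the quoted description plus two controls.
foreach ($n in 'FORM_101513.pdf.exe', 'FORM_101513.exe', 'invoice.pdf', 'photo.JPG.SCR') {
    '{0,-22} decoy double extension: {1}' -f $n, (Test-DecoyExtension $n)
}
# FORM_101513.exe is not a double extension, but with extensions visible it no
# longer looks like a PDF either, which is the whole point of the setting.

if ((Get-HideFileExt) -eq 1) {
    Show-FileExtensions
    'Extensions were hidden; HideFileExt is now {0}.' -f (Get-HideFileExt)
} else {
    'Extensions are already shown.'
}

Find-DecoyExtension
```

Run it in an ordinary (non-elevated) PowerShell window, since the value lives under HKCU and applies to the current user only; a domain could push the same value with Group Policy Preferences. The name check is a convenience, not a substitute for the setting: a plain FORM_101513.exe with a PDF icon passes it, and only visible extensions expose that one.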
Another tip: make sure that no other computer on your home network can write to your data. A shared folder that another machine can modify is a folder that an infected machine can encrypt, and you don't want to lose your stuff simply because your kid got sloppy about computer security.
Some of you will consider this post your cue to moan the familiar moans about how awful Windows is. Look at it this way: If all Windows installations were to disappear tomorrow, then some other OS would be the most popular. And that OS would then become the primary target of hackers, bringing us right back where we started. So complaining about Microsoft is pointless -- and annoying.
(But you're going to do it anyways, aren't you?)