IT Services warns about CryptoLocker malware

By: ddevenney

The IT Department published this article about 18 months ago when CryptoLocker was brand new. We’ve had numerous reports of encrypting “ransomware” like the CryptoLocker malware described below hitting Canadian universities over the past week, so we thought this would be a good time to remind you all to be careful with the attachments you open and the websites you visit.

We’ve all had emails show up in our inbox warning us of the latest computer virus, describing in great detail the nasty things it would do to our computers and quoting some “expert” as saying this virus is the worst yet. You know the ones I mean, right? They’re almost always fake, and as a result we’ve become conditioned to ignore them. For that reason, we in the IT world try very hard NOT to circulate emails warning about the latest threat. However, we occasionally encounter one that has genuine potential to do great harm, and then we have to reach out in any way we can to make all of our staff aware of the potential threat. This is one of those occasions.

Recently a new piece of “malware” (malicious software) called “CryptoLocker” began to appear, and almost immediately security experts became concerned. This malware scans your computer, any attached USB hard drives, network shares, cloud storage sites, etc., looking for certain files: popular ones like pictures, Word and Excel documents and other business-related files. When it finds the files, it encrypts them, preventing you from opening them unless you have a special key. The final step is to display a warning screen informing you that your files have been encrypted and that you have 72 hours to pay a $500 USD ransom to get the software key you need to unlock the files. If you don’t pay, the bad guys will delete the unlock key from their servers and you will not be able to unlock your files.

The bad news is that, once your files have been encrypted, there is no way to unlock them without this special software key. Your anti-virus program can remove the CryptoLocker software that did the encrypting, but it can’t recover the files. The only way to restore your data is from a backup that you have previously created. What’s worse is that there are numerous reports of people paying the ransom, receiving the key and then finding out that it doesn’t work and that their files are still locked.

You can understand why we’re concerned. A single computer infected with CryptoLocker could result in large portions of our network drives being encrypted, which would make it difficult if not impossible for staff to work, as well as create huge amounts of work for the IT staff.

The IT staff has taken precautions against this malware; however, we need your assistance to ensure that it doesn’t find its way into our network. CryptoLocker is typically spread via:

  • Emails sent to company email addresses that pretend to be customer-support-related issues from FedEx, UPS, DHS, etc. These emails contain an attachment that, when opened, infects the computer.
  • Email attachments disguised as PDF files.
  • Infected images, links, files, etc. located on hacked web sites that exploit vulnerabilities on your computer to install the infection. This is often called a “drive-by” attack.
  • Trojans that pretend to be programs required to view online videos.

You can help prevent this malware from infecting your computer by:

  • Being suspicious of email attachments, particularly .PDF, .zip and .tiff files, especially from external sources. If you’re not expecting it, or if it has an unusual name like “Form_nfcausa.org.zip”, then please DO NOT open the attachment without confirming with the sender that they did indeed send you this file.
  • Not installing programs that a website prompts you to install. For example, if you’re on a site and want to watch a video but get prompted to install the site’s video “player”, don’t do it.
  • Keeping the anti-virus / anti-malware software on your home computer up to date.
  • Backing up the files on your home computer. If your home system were to become infected with CryptoLocker, this could be your only way of recovering your data.
  • Disconnecting your USB portable hard drive after a backup has finished, if that is where you back up your home computer. CryptoLocker will search out and encrypt connected USB drives, so by disconnecting your USB drive you’ll keep your backups safe.
  • Contacting the Computer Help Desk immediately if you have any concerns that you may have opened a questionable email attachment or website link.
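The attachment advice above (watch .PDF, .zip and .tiff files from external senders, and be wary of odd names such as “Form_nfcausa.org.zip”) can be turned into a mail-gateway or help-desk screening rule. The following Python script is an added illustration of such a rule, not code from the IT Department or from any product; the watchlists, the sender/internal-domain check, and the sample file names and in-memory zip archive are all constructed for the example. It flags executable attachment types, document-then-executable double extensions, domain names embedded in the file name, and zip archives whose members are executables (inspected by name only, nothing is extracted or run), and it asks for sender confirmation on watched extensions from external senders.

```python
"""Defender-side screening of inbound mail attachments (added example; not the notice's own code)."""
import io
import re
import zipfile
from dataclasses import dataclass, field

# Extensions the notice singles out for extra suspicion (assumed watchlist, not an exhaustive one).
WATCHED_EXTENSIONS = {".pdf", ".zip", ".tiff", ".tif"}
# Executable / script types that should never arrive as a plain attachment (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".pif"}
# A domain-like token ("nfcausa.org") sitting in the file name before the real extension.
DOMAIN_IN_NAME = re.compile(r"[A-Za-z0-9-]+\.(?:org|com|net|ca|edu)(?=[._-]|$)", re.IGNORECASE)


@dataclass
class Verdict:
    filename: str
    hold: bool                       # True: hold the message and confirm with the sender
    reasons: list = field(default_factory=list)


def _extensions(filename):
    """All dotted suffixes, lowercased: 'invoice.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def _zip_members(data):
    """Member names of an in-memory zip, read from the central directory; nothing is extracted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def screen_attachment(filename, sender_domain, internal_domains, data=b""):
    """Apply the notice's attachment rules to one attachment and return a Verdict."""
    reasons = []
    exts = _extensions(filename)
    last = exts[-1] if exts else ""
    external = sender_domain.lower() not in {d.lower() for d in internal_domains}

    if last in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable attachment type {last}")
    if len(exts) >= 2 and exts[-2] in WATCHED_EXTENSIONS and last in EXECUTABLE_EXTENSIONS:
        reasons.append("document extension followed by executable extension (double extension)")

    stem = filename.rsplit(".", 1)[0] if "." in filename else filename
    if DOMAIN_IN_NAME.search(stem):
        reasons.append("domain name embedded in file name")

    if last == ".zip" and data:
        members = _zip_members(data)
        if members is None:
            reasons.append("zip archive could not be parsed")
        else:
            bad = [m for m in members if _extensions(m) and _extensions(m)[-1] in EXECUTABLE_EXTENSIONS]
            if bad:
                reasons.append("archive contains executable member(s): " + ", ".join(bad))

    if external and last in WATCHED_EXTENSIONS:
        reasons.append(f"{last} attachment from external sender; confirm with sender before opening")

    return Verdict(filename=filename, hold=bool(reasons), reasons=reasons)


def build_sample_zip(member_name, payload=b"constructed sample, not a real program"):
    """Construct a small zip archive in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    internal = ["ourcompany.example"]          # assumed internal mail domain
    samples = [
        ("Form_nfcausa.org.zip", "mail.example.net", build_sample_zip("Form_nfcausa.org.exe")),
        ("invoice.pdf.exe", "mail.example.net", b""),
        ("quarterly_report.xlsx", "ourcompany.example", b""),
        ("notes.txt", "mail.example.net", b""),
    ]
    for name, sender, blob in samples:
        v = screen_attachment(name, sender, internal, blob)
        print(f"{name:28} hold={v.hold}  " + "; ".join(v.reasons))
```

Run it as a script to see one line per sample attachment, or import `screen_attachment` into a gateway hook. Keeping the zip inspection to member names from the central directory is a deliberate choice: it gives the help desk a reason to hold the message without ever extracting or opening the content.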

CryptoLocker has the potential to do great harm to our business networks. We’re doing what we can to prevent this from happening, but we can’t do it without your cooperation. Please be vigilant.