CryptoLocker Virus

There is a new piece of malware in town.  Beware: this one is particularly troublesome, and it's called CryptoLocker.  It is most disruptive because it does not just infect a workstation; it also damages files on your server.

It is designed so that your antivirus, firewall and DNS blocking (OpenDNS for ShelterBlue clients) don't detect it until it is too late, and it keeps changing ("morphing") daily so the AV companies can't pin it down.

How it works:

This malware infects a user's PC and encrypts all of the documents, scans and images on it, then moves on to mapped network drives, USB thumb drives and USB hard drives, which in practice means your server.  We call this "ransomware": the criminals offer to remove the encryption for a $300 payment made within a 72-hour window, and after that the files stay encrypted permanently, because only the attackers hold the key needed to decrypt them.

If you see this screen:

It will probably be on one of your workstations.  The popup says specifically that your files are encrypted and shows a countdown to pay the ransom.  Take note of how much time is left on the countdown, then unplug the network cable (the one that looks like a phone cable) from the back of the PC so it can no longer reach the server, TURN THE PC OFF immediately, and call ShelterBlue support right away.

Since the damage is the encryption itself, there isn't an easy way to "clean" this the way most malware/viruses are cleaned. If your computer(s) are infected, the options are very limited:

  1. The infected PC has to be isolated, powered off, and removed from the network.  If it remains in place, it will continue encrypting files on the network until it is turned off.  This PC will have to be completely rebuilt.
  2. Backups are useful only if we catch the infection before the good backup copies are overwritten by encrypted ones; a backup drive or share that the infected PC can write to is itself a target.  For example, if you notice the infection at 6pm, you can't wait until the next day to call us.  Please, even after hours, call and leave a voicemail, and also follow up with an email to [email protected]; we need to know immediately if you see something similar to the screenshot above.
  3. Pay the ransom.  Most ransomware schemes just take your money and run, but there have been quite a few reports of people paying in this case and actually getting their files restored.  We don't like doing this, as it finances the bad guys' activities and rewards detestable behavior with money.

How to Avoid Cryptolocker

The most common delivery method appears to be an email attachment.  As a general rule, do not open attachments from a person or email address you do not trust, and do not open attachments from someone you do trust if the email is full of misspellings or is completely out of character for the sender.  We've seen several reports of this malware arriving in emails that appear to be from UPS, FedEx, or "scan to email" messages from copiers and multi-function machines.  We do business with UPS, and when they send us emails there are sometimes PDF files attached, but NEVER open a ZIP file attached to an email: in this campaign the ZIP contains an executable dressed up to look like a PDF.  If you are unsure about an email, please don't risk it; call us and we will verify it before you take the chance.
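The "never open a ZIP attachment" rule can be enforced before a message reaches a user.  The script below is an added example, not ShelterBlue's own tooling: it parses a raw email, identifies ZIP attachments by file name, declared content type, and the `PK\x03\x04` magic bytes (a renamed archive still starts with them), and then reads the archive's member list without extracting anything, flagging members with executable or double extensions such as `invoice.pdf.exe`.  The sample messages, sender addresses and the list of executable extensions are constructed for the example and are not from the page.

```python
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Extensions Windows will run directly. This list is an assumption for the
# example; extend it to match your own mail policy.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Local file header signature that every ZIP archive starts with.
ZIP_MAGIC = b"PK\x03\x04"


def _ext(name: str) -> str:
    """Lower-cased final extension of a file name, or '' if there is none."""
    lower = name.lower()
    return "." + lower.rsplit(".", 1)[-1] if "." in lower else ""


def zip_findings(name: str, data: bytes) -> list:
    """Report on a ZIP attachment by listing its members; nothing is extracted."""
    findings = [f"{name}: ZIP attachment"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if _ext(member) in EXECUTABLE_EXTENSIONS:
                    findings.append(f"{name}: contains executable member '{member}'")
                    # "invoice.pdf.exe" style names hide the real type from users.
                    if member.lower().count(".") >= 2:
                        findings.append(f"{name}: double extension in '{member}'")
    except zipfile.BadZipFile:
        findings.append(f"{name}: claims to be a ZIP but is not a valid archive")
    return findings


def suspicious_attachments(raw_message: bytes) -> list:
    """Return a list of human-readable findings for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        # Check name, declared type AND content, since any one of them can lie.
        is_zip = (
            name.lower().endswith(".zip")
            or part.get_content_type() in ("application/zip", "application/x-zip-compressed")
            or data.startswith(ZIP_MAGIC)
        )
        if is_zip:
            findings.extend(zip_findings(name, data))
        elif _ext(name) in EXECUTABLE_EXTENSIONS:
            findings.append(f"{name}: executable attachment")
    return findings


def build_malicious_sample() -> bytes:
    """Constructed sample: a fake delivery notice carrying a ZIP with a .exe inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_Invoice_4471.pdf.exe", b"MZ" + b"\x00" * 64)  # fake PE stub
    msg = EmailMessage()
    msg["From"] = "notice@ups-delivery.example"  # made-up sender for the example
    msg["To"] = "accounting@example.com"
    msg["Subject"] = "UPS Delivery Notification"
    msg.set_content("Your parcel could not be delivered. See the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="UPS_Invoice_4471.zip")
    return msg.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed sample: an ordinary message with a genuine PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "accounting@example.com"
    msg["Subject"] = "Invoice 1023"
    msg.set_content("Please find this month's invoice attached.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="Invoice_1023.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("malicious", build_malicious_sample()),
                       ("benign", build_benign_sample())):
        print(label, suspicious_attachments(raw) or ["no findings"])
```

Run it against a saved `.eml` by passing the file's bytes to `suspicious_attachments`; a mail gateway rule that quarantines any message producing findings is the automated form of the advice above, and the member listing gives the help desk something concrete to show the user who asks why their "invoice" was held.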

That said, this weekend we will be sending all current ShelterBlue support clients an email with further details of our efforts to block this Trojan.