CryptoLocker: A particularly pernicious virus

Wndows Secrets ^ | October 24, 2013 | Susan Bradley

[brityank]

CryptoLocker: A particularly pernicious virus

 

By Susan Bradley on October 24, 2013 in Top Story

Online attackers are using encryption to lock up our files and demand a ransom — and AV software probably won’t protect you.

Here are ways to defend yourself from CryptoLocker — pass this information along to friends, family, and business associates.

Forgive me if I sound a bit like those bogus virus warnings proclaiming, “You have the worst virus ever!!” But there’s a new threat to our data that we need to take seriously. It’s already hit many consumers and small businesses. Called CryptoLocker, this infection shows up in two ways.

First, you see a red banner (see Figure 1) on your computer system, warning that your files are now encrypted — and if you send money to a given email address, access to your files will be restored to you.

Figure 1. CryptoLocker is not making idle threats.

 

[brityank]

WS does a pretty good job of keeping tabs on the Microsoft stable, and cleaning up most of its crap!

[mreerm]

more info

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

[leapfrog0202]

Good info, thanks!

[Tracker47]

I had this hit me. I reset the registry using the “restore” feature in Windows 7. Start in safe mode, then just reset the registry to a version previously saved. I went back 3 months.
Hope it helps somebody.

[virgil283]

good article brityank...anybody know if sandboxie protects from this??

[Boogieman]

We got hit by this one. According to some victims, if you pay the money, they will decrypt your files as promised. Otherwise, you better hope that you have a backup, or you are screwed.

[Boogieman]

That might stop the virus from running on startup, but it won’t decrypt any files that the virus has encrypted already. It seems to target Word and Excel files, and Adobe PDFs in some variants, and will even encrypt networks shares, if the infected computer has enough permissions to modify files across the network.

Luckily, the virus author did not set the virus “warning” message to display only after the encryption routine finishes. So, if you eliminate the virus as soon as you see the pop-up, you can probably stop it before it gets through all of your files.

[Boogieman]

The virus targets data files. So if you are running in a sandbox or VM environment, sure, you can reset your OS and not be infected anymore. However, any data files that it has encrypted will still be encrypted.

[polymuser]

So, what if I encrypt my files first?
Can they be re-encrypted?

[brityank]

Wow! Many thanks.

[Junk Silver]

Public hangings are too good for the vermin perpetrating these crimes.

[GeronL]

Whoever is doing that should be put away for life

[ShadowAce]

[GeronL]

interesting question

[brityank]

So, what if I encrypt my files first?
Can they be re-encrypted?

Go read through the link that mreerm posted in #3.

It gives the following listing:

CryptoLocker will then begin to scan all physical or mapped network drives on your computer for files with the following extensions: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c. When it finds a files that matches one of these types,it will encrypt the file using the public encryption key and add the full path to the file and the filename as a value under the HKEY_CURRENT_USER\Software\CryptoLocker\Files Registry key.

[GeronL]

Almost as bad as the ObamaCare website

//kidding

[Billthedrill]

Some advice from a guy who has been around this block a few times:

1. Back up frequently to an external drive that you turn off or disconnect afterward.

2. Keep personal data on removable media - thumb drives - and only keep temporary work copies on your hard drive.

3. If you get zapped by these clowns, slick your box, restore from your last backup and laugh at them.

[Boogieman]

Yes, an encrypted file can be encrypted again.

[Sergio]

tech bkmk

[tacticalogic]

Does it break of you create that registry key and set the permissions so the virus can’t write to it?