Everything you need to know about CryptoLocker and other ransomware

CryptoLocker is the name of a specific piece of malware whose infrastructure was disrupted in mid-2014 by a multinational law-enforcement operation that included the United States Department of Justice. The original CryptoLocker was so successful that a number of criminals have copied its format, and some have even given their clones the same name. Other families in the same mould go by names such as CryptoWall and TorrentLocker.

These "viruses" are actually ransomware trojans, which infect a computer and then encrypt its documents, pictures, and other files. The files become unreadable to anyone who does not hold the decryption key, which the attacker keeps. If the computer is connected over a network to a server that hosts file shares, any mapped drives or shares the infected user account can write to can be encrypted as well.

Once the files have been encrypted, a message appears on the screen to notify the user and demand a payment for decrypting them. The payment is usually demanded in bitcoin, and typically comes out to around five hundred dollars.

Most computers are infected when a user runs an executable file containing the trojan. The file is typically sent through email, often inside a zip attachment, and carries an innocuous-looking name such as "resume.doc.exe", which Windows displays as "resume.doc" because it hides known file extensions by default, so users do not realise they are opening an executable. This makes businesses an easy target, as hiring managers open many similarly-named files each day.

How to avoid it

Unfortunately, no antivirus product has been one hundred percent effective at catching CryptoLocker infections. Signature-based scanners lag behind each new variant, so a freshly built sample often runs unchallenged.

The best way to prevent an infection is to set up email filtering that blocks attachments containing executable files (including executables with double extensions and executables packed inside zip archives), and to educate all users about the risks of opening attachments from senders they don't recognise, even when the email content doesn't immediately seem suspicious. Restricting where programs may run from, so that an executable dropped into a user's temporary or application-data folder cannot start at all, removes the launch path these trojans rely on.

Even these precautions may not be enough, as ransomware trojans continuously evolve to evade most security systems.
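One way to implement the attachment check described above, as an added example that is not code from the original post: the filter looks at the final extension of every attachment, so "resume.doc.exe" is caught even though Windows would display it as "resume.doc", and it descends into zip archives, the usual way an executable is slipped past a filter that only inspects the outer filename. The list of executable extensions and the sample message are assumptions constructed for illustration.

```python
"""Executable-attachment filter: final-extension check plus a look inside zip
archives. Added example, not tooling from the original post; the extension
list is representative rather than exhaustive and the message is constructed."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly on double-click (assumption: extend to
# match your environment; macro-enabled Office formats are a separate problem).
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "wsh", "ps1", "msi", "hta", "cpl", "jar", "lnk",
}
ARCHIVE_EXTENSIONS = {"zip"}


def is_executable_name(filename: str) -> bool:
    """True if the *last* extension is executable. 'resume.doc.exe' is caught
    even though Windows shows it as 'resume.doc' with extensions hidden."""
    parts = filename.lower().rsplit(".", 1)
    return len(parts) == 2 and parts[1] in EXECUTABLE_EXTENSIONS


def find_executables(filename: str, data: bytes, depth: int = 0) -> list[str]:
    """Names of executable files found in one attachment, descending up to two
    levels into zip archives. Unreadable archives are reported, not ignored."""
    found = []
    if is_executable_name(filename):
        found.append(filename)
    ext = filename.lower().rsplit(".", 1)[-1]
    if ext in ARCHIVE_EXTENSIONS and depth < 2:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    inner = zf.read(info)  # attachments are small; read whole
                    found.extend(f"{filename}/{hit}"
                                 for hit in find_executables(info.filename, inner, depth + 1))
        except zipfile.BadZipFile:
            found.append(f"{filename} (unreadable archive)")
    return found


def scan_message(raw: bytes) -> list[str]:
    """Executable attachments in a raw RFC 5322 message; empty list means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        hits.extend(find_executables(name, payload))
    return hits


def build_sample_message() -> bytes:
    """Constructed sample: a job-application email whose zip attachment holds
    resume.doc.exe. Addresses and contents are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.doc.exe", b"MZ\x90\x00 fake executable bytes")
    msg = EmailMessage()
    msg["From"] = "applicant@example.com"
    msg["To"] = "hiring@example.com"
    msg["Subject"] = "Application for the open position"
    msg.set_content("Please find my resume attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="resume.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in scan_message(build_sample_message()):
        print("blocked:", hit)
```

The check is on the attachment's own name, not on the MIME type the sender declared, because the sender controls both and only the filename decides what Windows does on double-click.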

How to prepare for it

There is no guarantee that paying the ransom will get the encrypted files back, and even if it did, five hundred dollars is a high price to pay for a single mistake.

It's best to prepare for a possible CryptoLocker infection by frequently backing up all files to an external location, so that only the most recent changes are lost. That location must not be permanently writable from user machines: a backup drive that stays plugged in, or a share everyone can write to, is encrypted along with everything else. Keep several dated versions rather than one overwritten copy, because a backup taken after the encryption started contains encrypted files. If only a server is being backed up, and not local machines, then users need to ensure that they are saving all of their files to network drives hosted on the server.
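A minimal version of the kind of backup this paragraph calls for, as an added example rather than tooling from the original post: each run copies the source tree into a new dated snapshot (earlier snapshots are left alone) and writes a SHA-256 manifest, so a later verify pass shows whether a snapshot is still exactly what was written or has since been overwritten, for instance by a trojan that reached the backup share. Paths, labels and sample files are constructed for the demonstration; the point about where to keep the manifest is an assumption stated in the code.

```python
"""Versioned backup with an integrity manifest. Added example, not tooling
from the original post; sample files and paths are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
import time


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(source: str, backup_root: str, label: str = "") -> str:
    """Copy source into backup_root/<label> and write <label>.manifest.json.
    Earlier snapshots are untouched, so a bad change in the source only costs
    the work done since the previous run. Returns the label used."""
    label = label or time.strftime("%Y%m%dT%H%M%S")
    dest = os.path.join(backup_root, label)
    shutil.copytree(source, dest)
    manifest = {}
    for dirpath, _, names in os.walk(dest):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, dest).replace(os.sep, "/")
            manifest[rel] = sha256_file(path)
    # Assumption: in real use the manifest belongs on storage the backed-up
    # hosts cannot write to, otherwise it can be rewritten with the files.
    with open(os.path.join(backup_root, label + ".manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return label


def verify_snapshot(backup_root: str, label: str) -> list[str]:
    """Relative paths whose content is missing or differs from the manifest."""
    with open(os.path.join(backup_root, label + ".manifest.json")) as fh:
        manifest = json.load(fh)
    dest = os.path.join(backup_root, label)
    bad = []
    for rel, digest in manifest.items():
        path = os.path.join(dest, *rel.split("/"))
        if not os.path.exists(path) or sha256_file(path) != digest:
            bad.append(rel)
    return sorted(bad)


def demo() -> tuple[list[str], list[str]]:
    """Constructed walk-through: back up two files, then overwrite one copy in
    the snapshot the way a trojan with write access to the backup share would,
    and verify before and after. Returns (problems_before, problems_after)."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "docs")
        os.makedirs(os.path.join(source, "hr"))
        with open(os.path.join(source, "hr", "resume.doc"), "wb") as fh:
            fh.write(b"plain document contents")
        with open(os.path.join(source, "budget.xlsx"), "wb") as fh:
            fh.write(b"PK\x03\x04 spreadsheet bytes")
        backups = os.path.join(work, "backups")
        os.makedirs(backups)
        label = take_snapshot(source, backups, label="20160503T090000")
        before = verify_snapshot(backups, label)
        with open(os.path.join(backups, label, "hr", "resume.doc"), "wb") as fh:
            fh.write(os.urandom(64))  # stands in for the encrypted version
        after = verify_snapshot(backups, label)
    return before, after


if __name__ == "__main__":
    print(demo())  # ([], ['hr/resume.doc'])
```

Run the verify pass before restoring from a snapshot, not after: a manifest mismatch on a dated snapshot tells you that copy was reached, and you should fall back to the one before it.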

How to handle an infection

It's important to be able to recognise an infection quickly. The most common sign is an error message saying a file or document is corrupted when the user tries to open it. The application sees an encrypted blob where it expected its own file format, and reports that as corruption, because from its point of view there is no difference. If these errors appear before the ransom message, it means the trojan is still in the process of encrypting files; the same goes for files suddenly failing to open across many folders at once.
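An application cannot tell encryption from corruption, but a responder can. Encrypted output is statistically indistinguishable from random bytes (Shannon entropy close to 8 bits per byte) and the file's type signature is gone, whereas ordinary corruption usually damages part of the file and leaves the rest recognisable. The triage helper below is an added example, not tooling from the original post: it checks each file's leading bytes against the signature its extension implies and estimates its entropy. The sample files are constructed, and the ciphertext is modelled with a seeded pseudo-random generator rather than a real cipher, since the output of any sound cipher looks the same to this test.

```python
"""Triage for the "file is corrupted" symptom: encrypted, or merely damaged?
Added example, not tooling from the original post; samples are constructed."""
import math
import os
import random
from collections import Counter

# Leading bytes ("magic numbers") that intact files of these types start with.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAGIC = {
    "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04", "pptx": b"PK\x03\x04",
    "zip": b"PK\x03\x04",
    "doc": OLE2, "xls": OLE2, "ppt": OLE2,
    "pdf": b"%PDF",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
}
# Compressed formats (docx, jpg, zip) already sit near 8 bits/byte, so entropy
# alone cannot separate them from ciphertext; the signature check does that.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_matches(filename: str, data: bytes):
    """True/False when the extension has a known signature, None if unknown."""
    ext = filename.lower().rsplit(".", 1)[-1]
    sig = MAGIC.get(ext)
    return None if sig is None else data.startswith(sig)


def classify(filename: str, data: bytes) -> str:
    ent = shannon_entropy(data)
    hdr = header_matches(filename, data)
    if hdr is False and ent >= ENTROPY_THRESHOLD:
        return "likely encrypted"
    if hdr is False:
        return "header damaged, body not random: corruption more likely"
    if hdr is None and ent >= ENTROPY_THRESHOLD:
        return "unknown type, random-looking: inspect"
    return "looks intact"


def scan_directory(root: str) -> dict[str, str]:
    """Classify every file under root, reading at most the first 64 KiB of
    each, which is enough for the signature and an entropy estimate."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                results[path] = classify(name, fh.read(65536))
    return results


def build_samples() -> dict[str, bytes]:
    """Constructed inputs: an intact PDF-like file, the same file with its
    first sector zeroed (disk damage), and ciphertext modelled with a seeded
    PRNG because sound cipher output is indistinguishable from random bytes."""
    body = b"%PDF-1.4\n" + b"Quarterly report, page text repeated. " * 200
    damaged = b"\x00" * 512 + body[512:]
    ciphertext = random.Random(2016).randbytes(len(body))
    return {"report.pdf": body,
            "report_damaged.pdf": damaged,
            "report_encrypted.pdf": ciphertext}


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(f"{name}: entropy={shannon_entropy(data):.2f} -> {classify(name, data)}")
```

Running scan_directory over a user's documents folder or a file share gives a quick picture of how far the trojan got, which is exactly what the IT team needs before deciding what to restore.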

Even if the user doesn't notice the infection before the ransom message appears, it's still important to react quickly, as a fast response can stop the trojan from reaching network drives and encrypting files on a server.

To prevent the infection from spreading, the computer needs to be disconnected from the network (unplug the cable, switch off Wi-Fi) and then completely turned off. Isolation is the urgent step; powering off stops the encryption on the local disk but also discards anything held in memory, so if an investigation is likely, leave the machine off and untouched rather than rebooting it. The computer can be turned on again, but only once it is in the hands of someone who can complete the next steps. This is when your IT team or MSP should take over.

They will need to remove every file and autorun entry the trojan put in place. Ransomware generally leaves the operating system itself working so that it can display its demand, but since it is hard to be certain that every component has been found, the safe course is usually to wipe the machine and do a fresh installation of the operating system. After that, files can be restored from the most recent backup that predates the infection, after checking that the backup itself is intact. Any settings that were previously in place may need to be recreated manually, and software will need to be installed again.

This is a process that can take hours at best, and may take several days if the infection has spread to other computers or to the server. If the server has been infected, no network drives can be accessed until it has been cleared of malware.

This can greatly impact workplace productivity. It's important to take a potential CryptoLocker infection seriously and make sure all employees are fully educated about ransomware trojans, in order to decrease the likelihood of one occurring.