Published November 11, 2013
There’s a new type of malware that has been spreading like wildfire over the past couple of months called CryptoLocker. Most security researchers are claiming that this is one of the nastiest and most successful computer viruses ever: CryptoLocker is currently infecting Windows operating systems all across the United States and in other parts of the world. The virus is part of a generically named family of malware called “ransomware,” and its main function is to encrypt your files and “hold them hostage” until you pay a fee to have them decrypted.
The CryptoLocker virus is passed around in emails that include attachments. The criminals send emails claiming to be from well-known companies like UPS, USPS, PayPal or FedEx in order to trick users in to thinking that they are legitimate and safe to open, but of course they aren’t safe at all. Instead, when a user attempts to open up the attachment, the computer becomes infected and the virus locks files on the system until the ransom request is paid. Most often the attachments will be disguised as JPEG images, ZIP files, PDF files and various types Microsoft Office files (mostly Excel and Word documents).
After a computer becomes infected, users are given 100 hours to pay a fee between $100 and $700 to get the files decrypted. The version of the virus that we’ve been seeing on infected machines have been asking $300 dollars for the decryption key. So far, it appears that the virus only encrypts data files with certain extensions, including Microsoft Office, OpenOffice and other documents, pictures, and AutoCAD files.
The file paths that have been used by this infection and its droppers are:
In order to block the CryptoLocker and Zbot infections, certain Path Rules have to be implemented within the system so that they are not allowed to execute. There is a manual process to create these Software Restriction Policies easily, but thankfully a company called FoolishIT has created a utility called “CryptoPrevent” that automatically adds the appropriate series of Software Restriction Path Policies to a computer in order to prevent CryptoLocker and Zbot from being executed.
If you get an email that includes any type of attachment, use extreme caution and make sure you know who the sender is BEFORE opening it. If you don’t know who the sender is, or if it appears to be from one of the companies mentioned earlier DO NOT OPEN IT!!! Just delete the email. If you start seeing the CryptoLocker demand screen, please shutdown your machine immediately and call your IT administrator for further assistance. If you’re a current New River Computing client, please contact us ASAP if you see the CryptoLocker message on your screen.
Below is an example of what the CryptoLocker demand screen looks like.
One important feature to make use of in CryptoPrevent is the option to whitelist any existing programs in %AppData% or %LocalAppData%. This is a useful feature as it will make sure the restrictions that are put in place do not affect legitimate applications that are already installed on your computer. To use this feature make sure you check the option labeled Whitelist EXEs already located in %appdata% / %localappdata% before you press the Block button.
It is available from the CryptoPrevent download page.
Once you run the program, simply click on the Block button to add the Software Restriction Policies to your computer. If CryptoPrevent causes issues running legitimate applications, then remove the Software Restriction Policies that were added by clicking on the Undo button.
For a detailed analysis of the CryptoLocker virus please check out this excellent Bleeping Computer CryptoLocker article .
Detailed information on the CryptoPrevent tool developed by FoolishIT's CryptoPrevent page.