Dealing with CryptoLocker ransomware

[Image: CryptoLocker ransomware lock screen]

If you see this CryptoLocker image on your computer screen disconnect your computer from the internet immediately by removing your network cable or turning off the wireless connection. Also disconnect USB storage devices or network shares and turn off any cloud backup services you may use such as Dropbox or Office 365.

Significant numbers of New Zealanders have been dealing with ransomware during 2013. Ransomware is a form of malicious software or ‘malware’ which demands payment to unlock your computer and can often prove difficult to clean up or remove from both PCs and Macs.

CryptoLocker ransomware is the latest variant that now encrypts the files on your computer using a powerful algorithm that cannot be defeated without paying the sum asked for by the cyber criminals.

If your computer is infected with CryptoLocker and you do not have a recent backup of your files your only option is to pay anywhere up to $750NZD to decrypt your data. The lockscreen shown above often sets a limit of 72 hours before the private key needed to unlock your files is permanently deleted.

How are users affected?

CryptoLocker is normally delivered as a ‘payload’ file attached to an email, but it can also be downloaded from a malicious website or pushed down by a botnet command and control server if your computer was previously infected and not properly cleaned up.

We have received to date less than a dozen reports of CryptoLocker infections in New Zealand but in other parts of the world authorities have reported hundreds of users per day finding their files are encrypted.

The most common route of infection is a computer user opening a malicious file attached to an email, normally an Adobe PDF, which begins the file encryption process.

Common email subjects have covered payroll or online banking alerts, parcel delivery dockets and other subjects that might encourage the recipient to open the email and then the attached file.

Once the attachment is opened, if your Windows computer is vulnerable, the ransomware starts looking for common types of files and encrypts them with a one-way method, meaning your data can only be unlocked after a fee has been paid for the ‘private key’.

Note: If your computer is connected to a USB drive, local backup device or a network storage system it’s also possible for CryptoLocker to jump onto these systems and encrypt files there too.

The lockscreen may mention payment options including MoneyPak and bitcoins to retrieve your private unlock key. If you do not have your files backed up it is currently impossible to decrypt your files without paying the ransom.

How can I defend against ransomware?

To reduce the risk of your computer files being encrypted you need to ensure good cyber security – this includes learning about current dangers and training all users not to open suspect emails or dangerous downloads.

Along with educating yourself, your computer needs to be kept up to date and all vulnerabilities in the operating system and software kept ‘patched’. We recommend you:

  • Install, update and use anti-virus software
    Most forms of ransomware are detected by anti-virus programmes so it pays to have up to date software on your computer. Check you have paid for a subscription and/or have downloaded the latest virus definition files that help block dangerous downloads.
  • Backup Everything
    It is essential that you make regular routine backups in case your computer cannot be cleaned and you need to undertake a system restore or rebuild. Note that CryptoLocker also targets USB drives or network shares attached to an infected computer so be careful where you store your backups.
  • Update Everything
    Check Microsoft Security Bulletins and ensure your systems are fully patched against known vulnerabilities. The Java and Adobe ‘helper apps’ are a common weakness on many computers too.
  • Health check your computer
    Use our free downloadable computer security checklist to stay secure online or PC users can use the Secunia Personal Software Inspector to look for weaknesses on their machines.
  • Alert others to prevent more attacks
    Please tell colleagues, friends and family who could be impacted by a ransomware infection about ways to protect their data.

Small business owners should ensure staff are aware of this latest cyber threat, understand how to verify the sender of any email with attached files, and do not routinely open attachments without pausing to think before clicking.

If you operate a network, no matter how small, consider limiting employee access to network drives and sensitive files. Double check your backup process is genuinely working and cannot be infected across the network. If patching is left to individual employees, spare the time to double check machines have working anti-virus software and are up to date.

What do I do if my computer is infected?

If the CryptoLocker ransomware screen appears it is important to try and limit the impact of the file encryption process:

  • Disconnect your computer from the internet immediately by removing your network cable or turning off the wireless connection.
  • Disconnect any USB storage devices or network shares and turn off any cloud backup services you may use such as Dropbox or Office 365.
  • If you are technically confident, consider investigating the registry values for CryptoLocker and terminate the process tree (see details below).
  • If you have disabled the virus and cleaned up your machine, try to restore files either from your own backup process or device or using Shadow Volume Copies, available on Windows machines from XP onwards.
  • You could use System Restore if confident the infection has been cleaned up or consider contacting a local computer expert for assistance and advice.
  • Report your case to our cybercrime reporting point at www.theorb.org.nz.
  • Note: there is no known way to retrieve the CryptoLocker private key without paying the ransom, or to decrypt the files without this key.

Can I get my encrypted files back? How do I pay the CryptoLocker fee?

If you do not have backups to restore from or are unable to get your data back after consulting a local expert then paying the ransom is your only option.

NetSafe is aware that some users have paid the ransom using bitcoins and then successfully recovered their files. We are reluctant to advise anyone to pay a ransom in this situation but we recognise that this is the only option in some situations.

If you are not familiar with bitcoins, NetSafe has contacted one local New Zealand exchange that is willing to assist those impacted by CryptoLocker with paying the sum to receive the necessary transaction ID.

You can request assistance from BitNZ (www.bitnz.com) by email to contact@bitnz.com or by mobile on 021 114 6387. Payment sent via Westpac can be converted locally into 0.5 bitcoins and transferred to the ransomware contact address. Please note at this current time that one bitcoin equals roughly $1300NZD.

If you are considering this option we would encourage you to contact NetSafe directly on 0508 NETSAFE / queries@netsafe.org.nz or report your case to our cybercrime reporting point at www.theorb.org.nz.

More information about CryptoLocker

File types encrypted by CryptoLocker:

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.

Registry Indicators:

The following advice is adapted from guidance published by bleepingcomputer.com and the US Department of Homeland Security and should only be used by confident computer users who understand the potential risks of modifying their computer registry. You risk damaging your machine and/or losing more data if you are not familiar with the registry.

Delete the registry values and files to stop the program from continuing the loading and encryption process. It is important to note that CryptoLocker spawns two processes. If you only terminate one process, the other process will automatically relaunch it. You must use a program such as “Process Explorer”, click on the first process and select “Kill Tree”. This will terminate both processes at the same time. The encrypted data can then be restored via a backup.

HKCU\Software\CryptoLocker

HKCU\Software\CryptoLocker\Files (This key reportedly contains a list of encrypted files)

HKCU\Software\Microsoft\Windows\CurrentVersion\Run CryptoLocker = <Reference to file location>

File System Indicators:

Windows Vista and later: C:\Users\<username>\AppData\Roaming\{CLSID}.exe

Windows XP and before: C:\Documents and Settings\<username>\Application Data\{CLSID}.exe
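The following PowerShell script is an added example, not part of the NetSafe advisory or of any vendor tool. It is a read-only check for the registry and file system indicators listed above, run as the affected user (the keys are under HKCU, so they are per user), and it assumes PowerShell 3.0 or later. The layout of the Files subkey is not documented on this page, so the script dumps its value names verbatim to a text file to help plan a restore from backup rather than interpreting them.

```powershell
# Added example: report CryptoLocker indicators for the current user. Changes nothing.
$indicators = @()

# 1. Registry keys named in the advisory
$hive = 'HKCU:\Software\CryptoLocker'
if (Test-Path $hive) {
    $indicators += "Registry key present: $hive"
    $filesKey = Join-Path $hive 'Files'
    if (Test-Path $filesKey) {
        # Export the reported list of encrypted files (value names, format assumed)
        $props = Get-ItemProperty -Path $filesKey
        $names = @($props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            Select-Object -ExpandProperty Name)
        $out = Join-Path $env:USERPROFILE 'Desktop\cryptolocker-files.txt'
        $names | Set-Content -Path $out
        $indicators += "Files subkey lists $($names.Count) entries (exported to $out)"
    }
}

# 2. Run key persistence value 'CryptoLocker = <path to dropper>'
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties | Where-Object { $_.Name -eq 'CryptoLocker' })) {
    $indicators += "Run value CryptoLocker -> $($run.CryptoLocker)"
}

# 3. Dropper file {CLSID}.exe in roaming AppData. $env:APPDATA resolves to
#    'Application Data' on XP and 'AppData\Roaming' on Vista and later.
#    A CLSID is assumed to be a GUID in braces.
$guidExe = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.exe$'
Get-ChildItem -Path $env:APPDATA -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $guidExe } |
    ForEach-Object { $indicators += "Suspicious file: $($_.FullName)" }

if ($indicators.Count -eq 0) {
    Write-Output 'No CryptoLocker indicators found for this user.'
} else {
    Write-Output 'CryptoLocker indicators found:'
    $indicators | ForEach-Object { Write-Output "  $_" }
}
```

The script only reports; terminating the two linked processes is still done with Process Explorer’s “Kill Tree” as described above, and the exported file list is only useful if the Files subkey really holds encrypted file names on the infected machine.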