I was going to write this, but Dave Cunningham, Alvaka’s Business Technology Officer, beat me to it. So here it is in all it’s timeliness.
Please be advised that Alvaka Networks is notifying its clients and partners of a particularly malicious and destructive form of malware or “Ransomware” referred to as CryptoLocker.
Whereas the vast majority of malware is designed to silently replicate with minimal impact to users, CryptoLocker is specifically designed to extort money from its victims. If the ransom is not paid within 96 hours, the users’ files are irrevocably lost.
When a computer is infected with Cryptolocker, its files are encrypted, and there are only 3 methods to recover the files:
1. Recover the files from a backup system, or
2. Recover the files using System Restore, if enabled, or
3. Pay a ransom ranging from $300 to $2,100 per computer
When the ransom is paid, the criminals will forward a unique encryption key which can be used to decrypt the files. However, this key is deleted and not available after 72 hours, which effectively renders encrypted files as permanently lost.
We must emphasize that, once a system is infected with CryptoLocker, there are no other known remediation methods available. Disk recovery services will not work. Attempting to “clean” the infection with anti-virus software will not work, and may actually prevent a ransom-purchased encryption key from functioning. Brute-force decryption is not feasible given the length of the encryption key. Resetting the computer time to an earlier date will not work.
Recommendations to prevent CryptoLocker infections
1. Instruct users not to open attachments from unexpected e-mails. The malicious e-mails appear to be customer-support related messages from trusted names such as Fedex, DHL, UPS, etc. or they appear to be related to wire transfers. These messages are very deceptive and are tricking experienced users that are not usually fooled.
2. Configure e-mail systems and spam filters to block e-mails containing .zip and .exe attachments. Note: even if corporate e-mail systems are configured to block these attachments, users can still receive infected e-mail from web-based personal e-mail systems such as Gmail and Hotmail.
3. Create Software Restriction Policies that block executable programs from running when they are located in specific paths. For more information, please see these articles from MS:
a. http://support.microsoft.com/kb/310791
b. http://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx
4. Avoid mapping network shares to drive letters. CryptoLocker does not encrypt data on a network through UNC shares.
5. Confirm your data backups are recoverable.
What to do if you are infected by CryptoLocker
The following banner is displayed to users when their systems become infected with CryptoLocker:
If a system is infected, it is recommended you:
1. Immediately unplug the system from the network.
2. Turn off the system.
3. Contact an IT Security Professional.
4. Do not attempt to clean the system using Antivirus software. Doing so may prevent you from decrypting the files should you opt to pay the ransom.
While Alvaka Networks is available to assist our clients to mitigate CryptoLocker infections, all such efforts are performed on a best-effort basis, and successful outcomes are not guaranteed. Alvaka Networks is more effectively engaged on a proactive basis to prevent such infections by protecting and educating our clients.