Ransomware: what to know…
We recently had a new client come to us with the CryptoLocker virus on a PC. This was the first time we’d encountered a ransomware virus in the wild and, by all accounts, it is one of the more destructive malware variants that we’ve met so far.
What is it?
Ransomware is a type of malware that infects a computer and restricts its use until you pay a ‘ransom’. In the case of CryptoLocker that ransom is either USD $100 or $300 depending on the variant. This particular strain encrypts all common files (word processor, spreadsheet, etc.) that the infected computer can access; this includes server shared folders and Dropbox shares. The only known way to decrypt is by paying the ransom or by restoring the files from earlier backup versions.
How to remove?
The malware can be removed with most common anti-malware tools; Malwarebytes anti-malware software is our favored tool in the office. The issue is not its removal but the restoration of the encrypted documents. Without the key (which is held by whoever is responsible for this malware) decryption is not possible. One note if you are paying the CryptoLocker ransom: the Moneypak card that it mentions is the scratch-off green variant and not the Visa gold card that is also available from the same vendor.
How to prevent?
- Have up-to-date anti-virus on all your PCs. This will help, but DO NOT assume that it is sufficient on its own.
- Have email filtering in place.
- Have a firewall in place with content filtering (Cisco reported this variant in August and was already catching these items).
- Ensure users do not open email attachments that they would not be expecting (e.g. UK land registrar).
- Have a full backup procedure in place with more than one version. The encryption can take place over many days; if you are only using a couple of tapes, or a single online backup version, you may be backing up encrypted information and overwriting the good versions.
- Use Shadow Copy on your Windows PCs and servers.
- Implement a robust Group Policy that prevents ransomware and other harmful malware from running on local computers.
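The backup point above is easy to get wrong in practice: a rotation that overwrites its oldest copy on every run will, over the days the encryption takes, eventually replace every good copy with an encrypted one. The script below is an added example (not from the original post or any backup product) of a versioned copy that never overwrites a previous run and only prunes the oldest versions beyond a retention count, plus a simple count of how many files changed since the last version, which is the kind of jump worth investigating. The source share, destination folder and retention count are assumptions; adjust them for your environment.

```powershell
# Added example (not from the original post): versioned backup that never
# overwrites an earlier copy, so encryption spread over several days cannot
# silently evict the last good version. All paths and counts are assumptions.

$Source       = "D:\Shares\Documents"   # assumed share to protect
$BackupRoot   = "E:\Backups\Documents"  # assumed destination; ideally not writable by ordinary users
$KeepVersions = 14                      # assumed: keep two weeks of daily versions

function Invoke-VersionedBackup {
    param([string]$Source, [string]$BackupRoot, [int]$KeepVersions)

    # Each run gets its own timestamped folder; earlier versions are never touched.
    $stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
    $target = Join-Path $BackupRoot $stamp
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # robocopy /E copies the whole tree; /R:1 /W:1 stops it hanging on locked
    # files. Deliberately no /MIR or /PURGE: nothing is deleted on the destination.
    robocopy $Source $target /E /R:1 /W:1 /NFL /NDL /NP | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

    # Prune only the oldest folders beyond the retention count. Timestamped names
    # sort lexically, so Descending puts the newest first and -Skip keeps them.
    Get-ChildItem -Path $BackupRoot -Directory |
        Sort-Object Name -Descending |
        Select-Object -Skip $KeepVersions |
        Remove-Item -Recurse -Force

    return $target
}

function Compare-WithPrevious {
    # Count files whose content differs between the two newest versions.
    # A sudden jump across many unrelated documents is the signal to look at.
    param([string]$BackupRoot)
    $versions = Get-ChildItem -Path $BackupRoot -Directory | Sort-Object Name -Descending
    if ($versions.Count -lt 2) { return $null }
    $newest   = $versions[0].FullName
    $previous = $versions[1].FullName
    $changed  = 0
    $files    = Get-ChildItem -Path $newest -Recurse -File
    foreach ($f in $files) {
        $relative = $f.FullName.Substring($newest.Length)
        $old      = Join-Path $previous $relative
        if ((Test-Path $old) -and ((Get-FileHash $old).Hash -ne (Get-FileHash $f.FullName).Hash)) {
            $changed++
        }
    }
    return [pscustomobject]@{ Files = $files.Count; ChangedSinceLast = $changed }
}

$dest = Invoke-VersionedBackup -Source $Source -BackupRoot $BackupRoot -KeepVersions $KeepVersions
Write-Host "Backed up to $dest"
Compare-WithPrevious -BackupRoot $BackupRoot
```

Run it from a scheduled task under an account that can read the share and write the backup root; the point of the retention logic is that a single bad day's run can never remove more than one old version, so the good copies survive until somebody notices the change count.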
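The last point, a Group Policy that stops untrusted executables from running, is usually implemented with AppLocker or Software Restriction Policies. The script below is an added example (not from the original post or from Microsoft) that builds a default-allow AppLocker executable policy in which ordinary users can only launch programs from Program Files and the Windows folder, so anything dropped into a user-writable location such as %APPDATA% or %TEMP% is denied, and then dry-runs the policy with Test-AppLockerPolicy before anything is enforced. The rule names, the output file path and the two sample paths are assumptions; it needs an administrator session on a Windows edition that includes AppLocker.

```powershell
# Added example (not from the original post): build and dry-run an AppLocker
# executable policy that only allows programs from trusted install locations.
# Rule names, the policy file path and the sample paths are assumptions.

$policyPath = "$env:TEMP\ransomware-applocker.xml"   # assumed output location

function New-PathRule {
    # One path rule for the Exe collection. S-1-1-0 is the "Everyone" SID.
    param([string]$Name, [string]$Path, [string]$Sid = "S-1-1-0", [string]$Action = "Allow")
    $id = [guid]::NewGuid().ToString()
    return @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# Default-allow rules: with enforcement on, anything not matched by an Allow rule
# is denied, so Downloads, %APPDATA%, %TEMP% and network shares are blocked for
# ordinary users. BUILTIN\Administrators (S-1-5-32-544) stay exempt so that
# software installation and maintenance still work.
$rules = @(
    New-PathRule -Name "Allow Program Files"          -Path "%PROGRAMFILES%\*"
    New-PathRule -Name "Allow Windows folder"         -Path "%WINDIR%\*"
    New-PathRule -Name "Allow administrators anywhere" -Path "*" -Sid "S-1-5-32-544"
)

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: Test-AppLockerPolicy evaluates the paths against the XML without
# executing anything. Both sample paths are constructed; point them at files
# that exist on the test machine.
$samples = @(
    "$env:APPDATA\dropper.exe",                     # constructed: user-writable location
    "$env:ProgramFiles\Notepad++\notepad++.exe"     # constructed: trusted install location
)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision -AutoSize
# Expected: the %APPDATA% path is Denied, the Program Files path is Allowed.

# Enforce only after the dry run looks right. AppLocker needs the Application
# Identity service running, and -Merge keeps any rules already configured.
# Set-Service -Name AppIDSvc -StartupType Automatic; Start-Service -Name AppIDSvc
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
# For domain-wide rollout, target the GPO instead of the local machine:
# Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap "LDAP://<your-gpo-distinguished-name>" -Merge
```

Start in audit mode (EnforcementMode="AuditOnly") on a pilot group and review the AppLocker event log for legitimate programs that install under the user profile; those need their own publisher or hash rules before you switch to Enabled, otherwise the policy blocks the users' tools as well as the malware.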
Up to date information on the ‘CryptoLocker’ Variant can be found at: