The following information regarding the CryptoLocker virus has been published by LetsDo Business member Michael Donkin of The IT Dept.
This week we’ve come across a couple of instances of clients who have been infected by the fast spreading, and quite nasty, “CryptoLocker” virus.
This virus has changed their desktop wallpaper to become a message from CryptoLocker, which explains that the data on the computer has been encrypted and that the user has 96 hours to pay a ransom in order to have the data decrypted again. Until then they are unable to access any of their data files, such as those created in Word, Excel, etc..
This type of virus is known as “Ransomware”, because you must pay a ransom in order to have your data returned to you. If you don’t pay the ransom all reports suggest that you won’t be able to decrypt the affected files.
The virus runs when you click an infected attachment in an email, or if you visit a rogue website. It isn’t immediately apparent that you have been infected, as it slowly encrypts all of your data in the background, before announcing itself with the desktop message. Sneaky, huh?
It will also encrypt any files it can find through Network Shares, external hard drives, Dropbox type storage (where there is a “mapped” drive), etc. Any data that can be seen in Windows Explorer could be affected.
In the case of the first client to report this issue we were able to successfully remove the virus and to then restore all of their data from the Online Backup service that we provide them with. A bit of a scare, but no serious harm done.
Sadly, the second client didn’t subscribe to this service, in favour of holding their backup on an external hard drive. As this was attached to the computer when the virus did its work, the external drive was also encrypted. Oops.
Whilst we could clean the virus itself off the computer, we weren’t able to get any of their data back. The ransom requested is £200, so they are deciding whether or not to trust that paying out this money will actually lead to the data becoming usable again. It has also been reported that the ransom demanded could rise substantially once the initial 96 hour time period has elapsed.
There are a number of lessons to take from this problem:
1. Always keep a backup copy of your data away from the computer. This may be through a Secure Online or “Cloud” based backup system, or simply by backing up to two or more separate hard drives, keeping one of them off-site at all times, (in the car for instance).
2. Take a backup copy on a very regular basis. It isn’t enough to do this job weekly if you can’t afford to lose the last weeks’ worth of data. A daily or twice-daily backup schedule is recommended.
3. Test your backup regularly. Can you restore data if you have to? Rename a file and try to restore the original file from backup. Do the two files match?
4. Viruses almost invariably come in emails these days. By far the most common method is via a “Zip” attachment. Who ever sends Zip attachments to you? Certainly not the banks, PayPal, the Government, Amazon, or any parcel delivery companies! Don’t trust any Zip attachment. In your email programme the attachment name should include a 3 or 4 letter suffix (e.g. .pdf, .docx, .zip, etc.). Zip files are bad news unless you know that someone is sending you such an attachment. (Anything with two such suffixes is also bad news, such as .pdf.zip, .doc.exe, etc.)
5. Never believe that the Sender address of an email is where it has actually come from, as this is easily spoofed. Emails which appear to have come from someone that you know and trust are an easy way for virus writers to fool you into opening their attachments. Read the text first and wonder, “Does that sound like this particular Sender, and why would they have sent me this attachment?” If the attachment is a Zip file, don’t trust it regardless of whoever appears to have sent it!
6. If there is no attachment then the email may be trying to trick you into visiting a rogue website. Never click a link held within an email, but instead open your internet browser and type the address of the required website yourself. (Or, keep your most used websites – such as online banking or PayPal etc. – in the “Favourites” or “Bookmarks” of your internet browser).
7. Don’t place too much faith in your anti-virus software. Virus writers use Zip files as these are much harder for anti-virus programmes to read. Also, if you decide to open a file the anti-virus software may simply allow you to do so, otherwise it would be in danger of constantly nagging you, to the point where you would turn it off anyway.
There is much more information on this particular virus in a well written, if lengthy, Blog at Bleeping Computer.
That Blog includes a link to a free programme which can attempt to prevent CryptoLocker from being able to run on your computer in the first place. This can be downloaded from http://goo.gl/xHvKLu, although The IT Dept cannot take any responsibility if you do install such 3rd party tools.
Let’s Do Business – Lancashire’s b2b Networking Group
© Let’s Do Business 2017