Archie Bell
21st November 2013

Cryptolocker Malware

We don’t usually get excited about the latest malware news doing the rounds because it’s usually too late and far too vague, but this one has the potential to cause a bit of trouble.

Cryptolocker is a ransomware trojan which, if acquired and activated, will attempt to encrypt your files and then require payment for the key to release them. It’s clever, devious, and uses some crafty scenarios to trick you into running it.

The virus is likely to be wrapped in an attachment to an email. The email will be very plausible, asking you to open the attached file. The attached file is likely to be a zipped archive file, with the payload inside. The filename of the payload is likely to be so long that you can’t easily see the suffix, which might otherwise give it away as an executable (.exe) file.
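The naming trick described above can be checked for mechanically before anyone double-clicks. The following is an added example (not code from the original post or from Excellimore) that opens a zipped attachment in memory and flags entries whose real suffix is executable, whose name carries a second "decoy" extension, or whose name is long enough to push the suffix out of view. The suffix list and the 60-character threshold are assumptions, and the sample archive is constructed inline.

```python
"""Screen a zipped e-mail attachment for a hidden executable suffix.

Added example, not part of the original post. The suffix list, the
length threshold and the sample archive are all assumptions/constructed.
"""
import io
import zipfile

# Suffixes Windows will execute directly (assumed starter list; extend as needed).
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

# Names longer than this are unlikely to show their suffix in a mail client
# or an Explorer column (assumed threshold).
LONG_NAME = 60


def assess_name(name):
    """Return the reasons a single archive entry name looks suspicious.

    An empty list means nothing about the name itself stood out.
    """
    reasons = []
    base = name.rsplit("/", 1)[-1]          # drop any folder prefix inside the zip
    parts = base.lower().split(".")
    if len(parts) > 1 and "." + parts[-1] in EXECUTABLE_SUFFIXES:
        reasons.append("executable suffix ." + parts[-1])
        if len(parts) > 2:
            # e.g. "statement.pdf.exe": the ".pdf" is a decoy
            reasons.append("double extension disguises file type (." + parts[-2] + ")")
        if len(base) > LONG_NAME:
            reasons.append("filename of %d chars hides the suffix" % len(base))
    return reasons


def screen_zip(data):
    """Map every suspicious entry in the zip bytes to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = assess_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample():
    """Constructed sample archive: one benign PDF and one disguised executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2013_11.pdf", b"%PDF-1.4 (constructed placeholder)")
        zf.writestr(
            "Invoice_and_Statement_for_November_2013_Account_Ref_00012345_Please_Review.pdf.exe",
            b"MZ placeholder - constructed, not a real program",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in screen_zip(build_sample()).items():
        print(entry, "->", "; ".join(why))
```

Run as a script it reports only the second entry, with all three reasons. The check is deliberately based on the name alone, so it can sit in front of a mail gateway or a quarantine folder without ever extracting or executing the payload.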

There’s a basic description on the BBC website here, and a not-too-technical description here.

Sophos Anti-Virus have more details here including a video showing Cryptolocker in action, and links to the technical details.

What Are Excellimore Doing to Help Me?

Our standard computer configuration still holds good. We don’t allow computer users to use their machine under a user account with network administration privileges, and that is a huge defence against all sorts of malware.

All our clients have an up-to-date anti-virus package installed, usually Sophos.

The Cryptolocker trojan installs itself to an unusual location on an infected computer, and we have taken measures on all our clients’ networks to prevent executable files running from that location.

However, it’s an ongoing battle between the malware writers and the anti-virus good guys, so…

What Can I Do To Avoid Infection?

Firstly, be aware – if an email looks suspicious, it probably is. If it’s unexpected, perhaps from a bank you don’t have an account with, or has poor grammar and spelling, or if it just smells wrong, then delete it. If it was important, they’ll write again.

Secondly, consider your backup arrangements. Excellimore clients have commercial-grade incremental backup arrangements in place which will mitigate any effects, but watch your home computer backup.

Synchronising files to another drive or the cloud is not an effective defence. An encrypted file will be seen as having changed, will synchronise to your backup drive and over-write the unencrypted original, and then you’re snookered. Use backup software which preserves previous versions of your files; then you can roll back to those if you have to.
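To make the difference concrete, here is an added example (not from the original post) that models the two backup styles side by side: a plain mirror that keeps only the latest copy, and a versioned store that keeps every distinct version so the pre-encryption file can be rolled back. The in-memory stores, the file path and the "encrypted" byte string standing in for the malware's output are all constructed for the example.

```python
"""Sync mirror versus versioned backup under a file-encrypting trojan.

Added example, not from the original post. Both stores are in-memory
stand-ins for a real backup target, and the 'encrypted' content is a
constructed opaque byte string, not real ciphertext.
"""
import hashlib

ORIGINAL = b"Quarterly figures: 1,234.56 (constructed document content)"
ENCRYPTED = bytes(range(256))          # opaque stand-in for an encrypted file
PATH = "docs/report.docx"              # assumed file path


class SyncMirror:
    """Keeps the latest content only: any change replaces the stored copy."""

    def __init__(self):
        self.store = {}

    def sync(self, path, content):
        self.store[path] = content

    def restore(self, path):
        return self.store[path]


class VersionedBackup:
    """Keeps every distinct version of a file, oldest first, keyed by SHA-256."""

    def __init__(self):
        self.history = {}               # path -> list of (digest, content)

    def backup(self, path, content):
        digest = hashlib.sha256(content).hexdigest()
        versions = self.history.setdefault(path, [])
        if not versions or versions[-1][0] != digest:
            versions.append((digest, content))   # unchanged files are not duplicated

    def versions(self, path):
        return [digest for digest, _ in self.history.get(path, [])]

    def restore(self, path, version=-1):
        """version=-1 is the newest copy, -2 the one before it, and so on."""
        return self.history[path][version][1]


def simulate():
    """Run the scenario from the post: the file is backed up, then overwritten
    by an encrypted version, and that change propagates to both stores.

    Returns (mirror_restore, versioned_latest, versioned_rollback).
    """
    mirror, backup = SyncMirror(), VersionedBackup()
    mirror.sync(PATH, ORIGINAL)
    backup.backup(PATH, ORIGINAL)

    # The trojan rewrites the file; the sync job sees "changed" and pushes it.
    mirror.sync(PATH, ENCRYPTED)
    backup.backup(PATH, ENCRYPTED)

    return mirror.restore(PATH), backup.restore(PATH), backup.restore(PATH, -2)


if __name__ == "__main__":
    mirror_copy, latest, rolled_back = simulate()
    print("mirror restores original:", mirror_copy == ORIGINAL)     # False
    print("versioned latest is original:", latest == ORIGINAL)      # False
    print("versioned rollback is original:", rolled_back == ORIGINAL)  # True
```

The versioned store is only useful if the malware cannot reach and rewrite the history itself, which is why the post's advice to use proper backup software, rather than a mapped drive that is simply kept in step, matters: the older versions must live somewhere the infected machine can only append to, not overwrite.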

Thirdly, the Cryptolocker trojan does take some time to work through files to encrypt them; minutes or perhaps even hours. It will attempt to encrypt files on any server drives it can reach as well as your PC or laptop. If you think you’ve activated Cryptolocker on your computer, switch the machine off immediately to stop it doing more damage and get help.

And If The Worst Has Happened?

Removing the trojan itself is straightforward though time-consuming.

However, as far as we know at the time of writing, there is no way around the encryption other than giving money (around £300 – £500) to criminals. Ironically, it does seem that the key is delivered on paying up.

If you think you have a problem, you should review the backups you might have, consider the options available, and take action accordingly. You might find it easier to accept the loss of a few hours of data rather than paying cash to criminals.

If you’re not sure of your exposure to this or any other malware or hacking exploits, would it make sense to call us for a chat?