I’ve recently heard of a brutal new kind of malware. While it is considered part of the ransomware group of viruses, Cryptolocker appears to carry a more unique payload. Once Cryptolocker infects a Windows PC, it encrypts a number of files on the local computer and expects payment for a decryption key. Right now, this software appears rare, and reports are out there, I hadn’t gotten my hands on a computer with it until today. What follows are some thoughts and observations.
If you’re looking for details on what Cryptolocker does, there are several locations on the web that dig deeper into this virus, and the effect it has on files. Probably the most unique problem right now is that there is no known way to circumvent Cryptolocker’s encryption [1]. I was more than curious about the effect this new software would have on a user’s computer – and what kinds of data recovery options might present themselves.
1. Look for the files that haven’t been encrypted. CryptoLocker appears to target certain files. Make sure you find what files are still ok and keep those, it may save you a lot of work. Since only a specific number of file extensions are subject to scrambling, use a quick file viewer to verify which files are changed. On my infected target computer, I was able to identify accounting data that was left untouched. Don’t assume everything is lost and delete too much.
2. I looked at the Shadow Copy service in Windows. If CryptoLocker hasn’t destroyed previous copies, you’ll be able to get those files back. In this case, there were only two post-infection shadow copies available with no unencrypted files. A useful tool called ShadowExplorer can help work with shadow copies.
3. If you use Dropbox and have files syncing with that service, Dropbox creates file versions. Use this to get your file’s most recent good version – as well as determine the time of infection. You may get a file back, but doing it in DropBox’s web interface, one file at a time, will be painful.
4. System Restore will not help you. System Restore will only restore programs and system state (and not data files).
5. Currently there is no known way to decrypt files affected. While paying the ransom is a deplorable idea, this may be your only option. Consider keeping encrypted files on a storage medium, a way to defeat this encryption may be possible in the future.
Some other thoughts
You’ll want to Make sure Shadow Copy / File Versions is enabled in Windows. It’s not exactly clear if Crypolocker alters the service after encryption, but it may just save your bacon. If you back up to the cloud, ensure it is to a place that supports versioning. Dropbox does [2], so use that or an external backup location that can’t be accessed by your computer.
I have not seen this virus interact with Windows servers and file shares yet. Given that encryption reportedly extends to mapped drives, be sure you are not logged into your computer with domain administrator credentials when infected.
Or, well, get a Mac.
Various Updates
An interesting tool called CryptoPrevent seeks to control access to the folders used by CryptoLocker. This may be a method to protect you in the short term (until major virus scanners begin to recognize this malware). It’s work a look. Using Group Policy is also a way to protect machines inside a domain.
Also, a video of CryptoLocker in action has surfaced. I expect the virus to drastically morph from its initial release, but at least you can get an idea of how this works in the video.
Word is that authorities have shut down the vast network and are on the hunt for Evgeniy Mikhailovitch Bogachev, the person at the center of CryptoLocker’s operations in Russia.
There appear to be a free decryption tool thanks to FireEye and Fox-it. Files encrypted by Cryptolocker need to be uploaded to decryptcryptolocker.com and Cryptolocker’s key can be discovered. No word yet on the efficacy of this tool. This tool is likely not to work with variants of Cryptolocker.