Cryptolocker Virus – The business killer – Beware!

It is being called the business killer, and it can certainly kill your business if your system gets infected. The Cryptolocker is perhaps the most harmful piece of Malware (or Ransomware) that was ever devised.

Infection comes through an email with a harmless looking

The email usually looks like a message sent from a Xerox machine with an attachment of a scanned document, but reports are coming in that this is not the only type of message being used as a carrier. Once the user opens the attachment, nothing seems to happen, but in the background the malware program starts encrypting your files one by one and continues to do so until it has completed this process on all your disk drives. Your anti-virus reports an infection and attempts to contain it, but by then the process has already started. The infection also spreads to drives you are connected to across your business network, such as shared drives on your server. This is precisely why it is being called "The business killer". It does not only encrypt the files on your local system, preventing you from using them in the future, but also the shared files often used company-wide on your server.

The virus encrypts your files with very strong encryption which cannot be reversed unless you have a special key. The creators of the virus hold the key and will not give it to you unless you pay $300. This is why this virus is being called ransomware.

Any ICT expert worth his salt will have come across similar threats, and the first inclination would be to remove the virus. There have been several reports in the local papers of other viruses claiming to be from the Malta Police force and attempting to pose as real ransomware. This virus is very different. The virus itself is easy enough to remove; however, the encryption is simply impossible to reverse without the key. The virus gives you a solution itself: pay the virus developers $300 and the encryption will be reversed and you will have your files back. Of course, your ICT consultant and everyone else will advise you not to pay these people; after all, they are criminals. On the other hand, $300 is not a huge sum to pay to get back your entire company's files. Paying the virus creators does in fact solve the problem, and once paid the virus will decrypt all of them and remove itself.


Is there any other way to decrypt your files?

The short answer is a big no. The virus uses 2048-bit encryption, which means that if you set up your computer system to try every possible combination of keys it would take 6.4 quadrillion years to try every combination, which is 4,294,967,296 x 1.5 million years! So, we can safely assume that breaking the code is impossible.

Furthermore, the virus gives you 72 hours before the developers delete the key at their end, and every time you try a key and it fails, it reduces the time remaining by half!


How are these people not getting caught?

This virus is very cleverly made. At the time of writing most anti-virus programmes recognise this threat as a virus; however, by the time they act the payload has already been delivered. The virus installs a small programme that runs in the background and performs the encryption.

It will probably be obvious to the reader of this article that the way to apprehend these criminals is through the payment system. In this case, these people are very clever and only accept payment through Bitcoins (BTC). Bitcoin is a new virtual (Internet) currency which allows users to remain completely anonymous. In fact Bitcoins have been used to buy illegal or embarrassing products such as drugs, weapons or sex services. Bitcoins are in fact not totally untraceable, but if the receiver is careful it can be very difficult, if not impossible, to track a particular Bitcoin. Each coin is worth approximately $150.

In Malta this virus presents a further problem because of the difficulty in buying Bitcoins. In other European countries you can actually meet people in the park to buy your Bitcoins. There are sites which list people who have Bitcoins available and are willing to sell them, but they usually only accept payment in cash and nothing else. It is also possible to find people who would accept other methods of payment, but usually this means you would have to pay much more than the usual cost per coin.


What should you do to protect yourself?

First of all, make sure you have adequate backups. In this case backups which are accessible to users through shared drives will be encrypted as well, so ensure that nobody except the system and the administrator has access to backup drives. Furthermore, offsite backups in the cloud, which are becoming very popular, are practically useless in this case. These backup systems synchronise daily or even hourly, so they will have a copy of the encrypted file as well.

Anti-virus solution creators are working on detecting the virus and stopping it in its tracks before it releases the payload, but reports from users on popular forums show that detection is not amounting to prevention so far.

As the virus is delivered as an attachment to an email which will look like it came from your own domain name, it is easy to open the attachment by mistake. In spite of this it is still important to warn your employees not to open any attachments they are not expecting, even if they look legitimate and even if they appear to come from people within the same company.

Finally, if you realise that you have been infected, immediately disconnect your computer from your network and call ICT support.


Should you pay?

If all else fails and you end up with your company data unusable, at the moment you have no other option but to pay and pray that in the meantime these crooks are still around to supply the decryption keys. If your data is not important, then simply re-format the PC and start again.

