
Ransomware is an especially odious type of malware. The way it works is simple: your computer is infected with some malicious software, which then renders your computer entirely unusable, sometimes purporting to be from local law enforcement and accusing you of committing a computer crime or viewing explicit pictures of children. It then demands monetary payment, either in the form of a ransom or a ‘fine’, before access to your computer is returned.

Horrible, isn’t it? Well, get ready to meet CryptoLocker, the evil patriarch of the Ransomware family.

What Is CryptoLocker?

CryptoLocker is a piece of malware targeting computers running the Microsoft Windows operating system. It is typically spread as an email attachment, often purporting to be from a legitimate source (including Intuit and Companies House). Some say it is also being spread through the ZeuS botnet.

Once installed on your computer, it systematically encrypts all documents that are stored on your local computer, as well as ones that are stored on mapped network drives and mounted removable storage.


The encryption used is strong, 2048-bit RSA, with the decryption key for your files being stored on a remote server. The odds of you being able to break this encryption are almost nonexistent. If you want to get your files back, CryptoLocker asks you to fork over some cash: either two bitcoins (at the time of writing, worth almost USD $380) or $300 in either MoneyPak or Ukash prepaid cards. If you don’t pay within three days, the decryption key is deleted and you lose access to your files forever.


I spoke to popular security expert and blogger Javvad Malik; this is what he had to say about CryptoLocker.

Ransomware such as CryptoLocker is not something very new – variations of Ransomware have been around for years. When you look at CryptoLocker, it predominantly comes in via phishing emails (from what I’ve seen). The best way to protect against it is for users to be vigilant against clicking on links within emails. Currently, it looks like there’s not much that can be done once infected and I wouldn’t advise anyone to pay the ransom. It goes back to having backups and data management in place.

Mitigating Against It

Reports suggest that some security programs have had a hard time preventing CryptoLocker from getting its claws into your system before it’s too late. Fortunately, American security expert Nick Shaw has created a handy piece of software called CryptoPrevent (free). This applies a number of settings to your installation of Windows that prevent CryptoLocker from ever executing, and has been proven to work in Windows XP and Windows 7 environments.

It’s also worth making sure that you check emails to see if they’re suspect before you open up any email attachments. Do they have an email address that matches up with the purported sender? Were you expecting any correspondence from them? Is the spelling and grammar consistent with what you’d expect from the genuine sender? These are all reasons to be suspicious of an email and to think twice about poking in any attachments.

Having Proper Backup

In these circumstances, I’d encourage everyone to make regular backups that are isolated from your computer. Using a networked backup solution will be utterly ineffective, as CryptoLocker has been known to encrypt data stored on these volumes.


If you use a cloud backup service like Carbonite, you can take comfort in knowing the odds are good that your files are versioned. That means if you back up an encrypted copy of a file you care about, you can revert to an earlier version. An employee of Carbonite posted this advice on Reddit.

I work for Carbonite on the operations team, and I can confirm this for most cases – I will also offer these two pieces of advice:

1) If you are affected by the virus, you should disable or uninstall Carbonite as soon as possible. If you stop backing up the files, it’s more likely that Carbonite will not have overwritten a “last known good” backup set. There is a high risk of some recent data loss (you’re effectively going back in time, so if we have no record of the file existing at a previous time, you won’t get it back) with this method, but it’s far, far better than losing all of your files.

2) When you call customer support, which you should do as soon as possible, specifically mention that you are infected with cryptolocker. It was mentioned in the post above, but I just wanted to put emphasis on it because it’ll get you through the queue faster.

Edit: also, just to state the obvious, make doubly sure the infection is off your machine before you call support, please.
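The point above about versioned backups, and the Carbonite advice about not letting the backup overwrite its last known good set, can be shown in code. The following is an added example written for this page, not code from the article, Carbonite or any backup product: an in-memory model that contrasts a mirror-style backup (a mapped share or synced folder) with a versioning backup that flags high-entropy, possibly encrypted versions and restores the last known good copy. The entropy threshold, file names and sample document are assumptions constructed for the demo; the "encrypted" replacement is seeded random bytes standing in for ciphertext.

```python
from __future__ import annotations

import math
import random
from collections import Counter
from dataclasses import dataclass

# Bits of entropy per byte above which a new version is treated as "possibly
# encrypted". English text sits around 4-5 bits/byte; ciphertext and compressed
# data sit close to 8. The threshold is an assumption chosen for this demo.
ENTROPY_THRESHOLD = 7.5
# Formats that are legitimately high-entropy and must not be flagged.
COMPRESSED_SUFFIXES = (".zip", ".7z", ".jpg", ".png", ".mp3", ".pdf")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """Heuristic: high entropy in a file type that is normally low-entropy."""
    if name.lower().endswith(COMPRESSED_SUFFIXES):
        return False
    return shannon_entropy(data) > ENTROPY_THRESHOLD


@dataclass
class Version:
    timestamp: int
    data: bytes
    suspect: bool


class MirrorBackup:
    """A plain mirror: the newest copy always replaces the previous one, so an
    encrypted copy destroys the only good copy the backup ever held."""

    def __init__(self) -> None:
        self.files: dict[str, bytes] = {}

    def backup(self, name: str, data: bytes, timestamp: int) -> None:
        self.files[name] = data

    def restore(self, name: str) -> bytes | None:
        return self.files.get(name)


class VersionedBackup:
    """A versioning backup: every changed copy is kept, and a copy that looks
    encrypted is stored but flagged, so restore() hands back the last known
    good version instead of the most recent one."""

    def __init__(self) -> None:
        self.history: dict[str, list[Version]] = {}
        self.alerts: list[str] = []

    def backup(self, name: str, data: bytes, timestamp: int) -> Version:
        suspect = looks_encrypted(name, data)
        if suspect:
            self.alerts.append(f"{name}@{timestamp}: high-entropy content, possible ransomware")
        version = Version(timestamp, data, suspect)
        self.history.setdefault(name, []).append(version)
        return version

    def last_known_good(self, name: str) -> Version | None:
        for version in reversed(self.history.get(name, [])):
            if not version.suspect:
                return version
        return None

    def restore(self, name: str) -> bytes | None:
        good = self.last_known_good(name)
        return good.data if good else None


# Constructed sample document (two edits) and a stand-in for its encrypted
# replacement: seeded random bytes, chosen only for their entropy, not real ciphertext.
DOCUMENT_V1 = b"Quarterly proposal, draft 1. Budget, staffing and timeline to be confirmed. " * 6
DOCUMENT_V2 = b"Quarterly proposal, draft 2. Budget agreed, staffing confirmed, timeline final. " * 6
_rng = random.Random(2013)
ENCRYPTED_STAND_IN = bytes(_rng.getrandbits(8) for _ in range(8192))


def simulate_incident() -> dict:
    """Back up a document twice, then back up its encrypted replacement, and
    compare what each backup style can give back afterwards."""
    mirror, versioned = MirrorBackup(), VersionedBackup()
    events = [(1, DOCUMENT_V1), (2, DOCUMENT_V2), (3, ENCRYPTED_STAND_IN)]
    for timestamp, data in events:
        mirror.backup("proposal.docx", data, timestamp)
        versioned.backup("proposal.docx", data, timestamp)
    return {
        "mirror_restored": mirror.restore("proposal.docx"),
        "versioned_restored": versioned.restore("proposal.docx"),
        "versions_kept": len(versioned.history["proposal.docx"]),
        "alerts": versioned.alerts,
    }


if __name__ == "__main__":
    result = simulate_incident()
    print("mirror returns the good copy:", result["mirror_restored"] == DOCUMENT_V2)
    print("versioned returns the good copy:", result["versioned_restored"] == DOCUMENT_V2)
    print("alerts:", result["alerts"])
```

The entropy check is a heuristic and will not catch every encrypted output; the property that actually saves the data is that the versioning backup never discards the earlier copy.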

Should You Pay The Ransom?

What if your computer gets compromised? It goes without saying that brute forcing a file encrypted with 2048-bit encryption is almost impossible. Noted computer security firm Sophos has looked at a number of files that have been encrypted by this particular malware and has failed to notice any obvious means by which they can be decrypted without forking over a ransom.

With that in mind, the only way to get your data back is by paying the ransom. However, this poses a major ethical dilemma. By paying the ransom, you make this type of chicanery profitable and therefore perpetuate it. However, if you don’t pay the ransom, you forever lose access to everything you’ve been working on which is stored on your computer.

What further complicates things is that it is impossible to ascertain who would be the recipient of any money paid. It may be something as simple as a single person working from his bedroom looking to get rich at the expense of others, or it might be something much more sinister.

Conclusion

I’ll leave the floor to you, the reader. Would you pay the ransom? Have you been infected with CryptoLocker? Leave your thoughts in the comments box below.

Image Credits: jm3 acampos

  1. Rob
    March 13, 2014 at 7:57 pm

    So did they manage to find a solution in the end? :/

  2. Rich
    March 2, 2014 at 2:02 pm

    Oh yeah and this easy 123 plan should be free of charge, just to help out the community Right?

  3. Rich
    March 2, 2014 at 1:47 pm

    Ok Everyone and Matthew, lets get back to the basics. There is a great deal of information in these comments which when all added up together can become very confusing.

    So now I understand if you use SkyDrive linked to your hard drive you can be affected, so this is really not an answer. Protecting your files is of the utmost importance in any situation, so we need to know the best way to do that.

    Stopping the virus from getting in, in the first place would be best however that would be a perfect world. Forget it.

    Also, if new viruses and Trojans are developed in the future... well then, "Here's Johnny, I'm home", right?

    Many non-technical average users find making all these backup disks a real challenge, and then to keep them updated... WOW, more trouble.

    In my personal opinion a removable flash drive outweighs all of it. True or False?

    I hear a lot of controversy on clouds, This Cloud, That Cloud, This Cloud, Which dammm Cloud.

    What about Norton off site Back up. Is that not safe either? Or is it? Should I Just keep my Norton running as usual and run Norton backup to retrieve my files as I have before.

    Is it possible to take all the information in everyone's comments and put it into an easy to read and to follow format? Like step 1, 2, 3: the best of the best, iron-clad and user-friendly process.

    Please, all you gurus out there should be able to come up with the most effective and easy plan, considering the age of today's technology. No pun intended, LMAO

    HEEEEEEEEEEEEEELP

  4. Scott T
    January 17, 2014 at 6:24 am

    I got this nasty piece of virus last week and I was freaked out because I had been working on a proposal that was not backed up anywhere. I had Rollback Rx installed and I was really praying and hoping it would save me because after reading online about it I was really doubting anything would get me out of this mess. So I rolled back my PC to an earlier snapshot and closed my eyes and prayed some more LOL!! It actually worked. I was able to roll back to an earlier snapshot 2 hours earlier and I was virus free and my proposal I was working on was still there! So maybe some of you may want to check out Rollback Rx

  5. Jim
    November 27, 2013 at 5:45 pm

    Any 'mapped' UNC paths are susceptible to encryption so beware of that.

  6. Sean
    November 26, 2013 at 3:10 pm

    Can't anyway take any legal actions against the malware provider? Can't they track him by following the cash payment path or something?

  7. deth
    November 23, 2013 at 10:19 am

    I don't do emails; if I never asked for it, I delete it.

  8. Michael B
    November 22, 2013 at 4:31 pm

    I back up everything on an external HDD. If I get a virus this bad (one I can not get rid of with the tools I have), I format my PC, reinstall Windows, then connect the external HDD and restore my stuff. If my PC has a virus, I do not back up anything or connect my external to the PC; I have a few back-ups (different drives, 4 of them for safety) I can choose from. This may be a bit much, but some things like pics (for example) can not be replaced. You can never be safe enough.

  9. john kabbi
    November 21, 2013 at 10:23 am

    Increasingly, surfing the web from a virtual machine makes more and more sense.

  10. Steve B
    November 14, 2013 at 9:54 pm

    What if you were to make backups by cloning your drive, to include OS. Then if your primary drive becomes infected, just power down, pop it out and pop in the clone. Power back up and erase/format infected drive.... (Unless crypto is able to spread to the cloned drive after power up).

    Once drives are infected, can Crypto "hide" out somewhere, even if the PC is powered off and the drive replaced??? So that if I did replace the infected drive with the clone, is there a possibility of the clone being infected when the PC is powered up?

    Otherwise I can foresee that there may be a potential problem... knowing what caused the infection to begin with... if it resides on the backup (clone), you would sure want to identify it and delete it before accidentally running it again.

    This might be a plan, maybe-maybe not. I've used this method for a couple of years and seems to make recovery pretty painless. Just say'in.

  11. simon
    November 14, 2013 at 2:47 am

    Been trying to think of a way to be secure in the setup... Could a network drive be made inaccessible to a particular user, and then make it so that unzip (executables, some executables?) only works with that user's credentials?

  12. trm96
    November 9, 2013 at 5:59 am

    I want a copy of CryptoLocker to play around with...

  13. Devta
    November 8, 2013 at 2:28 am

    What if you already encrypted your files using Truecrypt or something like it?

    I don't think it would create a double encryption, would it?

    • trm96
      November 9, 2013 at 6:32 am

      Why not? There is no reason why a file cannot be double encrypted.

  14. amy
    November 7, 2013 at 8:50 pm

    Could somebody please help me? This thing is currently on my laptop and I'm worried my photos of my kids etc will all be deleted. I'm not good with computers and now I have basically 24hrs to back my files up.... Somebody please advise me what to do. Thank you

  15. That Guy
    November 7, 2013 at 2:10 am

    Poor PC people. I used to have PC, but then I switched to Mac and have not experienced any major problems yet, if any exist. I used to download countless programs to try and fix Microsoft's shitty software but failed every time.

  16. bo
    November 6, 2013 at 4:37 am

    someone needs to find the guy who made this and beat the crap out of him

    • trm96
      November 9, 2013 at 6:02 am

      Or pick his brain... I find this whole CryptoLocker thing VERY interesting.

  17. Michelle C
    November 6, 2013 at 2:46 am

    We just got this at our office. An employee clicked on a link or attachment in an email and wham -- we lost her computer and our server. Thankfully, it did not backwards contaminate any other machines.

  18. mlndjk
    November 3, 2013 at 2:06 pm

    Tom, nov 3 2013:
    Thanks very much for your answer.
    What I did was:
    I write protected the files with the administrator password.
    Only reading / running the file is permitted, but whenever a user tries to rename it, he is prompted to enter the administrator password.
    What do you think, are these write protected files vulnerable to the virus?
    Any comments would be highly appreciated!

    Two other thoughts:
    1. Does running as User (instead of Administrator) protect me from infection? I mean, the virus / exe does have to be installed, right? So you need administrator privileges to be able to install it?
    2. Doesn't the Firewall (e.g. Comodo) prevent the virus from connecting to the server of the perps? Thus preventing the sending of an encryption key?

  19. Bob R
    November 3, 2013 at 11:43 am

    I have had experience with this virus on a company employee's personal laptop. I had no success running my battery of tools that I possess in hopes to undo this virus. I was able to find all the registry keys, and location in the o.s., and remove everything, but you still wind up with all the data encrypted. This does not fix the problem. I had to reformat, and re-install the system as finding there was not too much value in data to be saved. I did not choose the ransom pmt. option that others may be forced to do.

  20. Claude
    November 2, 2013 at 8:50 pm

    What did you use to type your article, it looks like quite a bit of gibberish between some lines of truth. Is the latest in fashion or were you just in a hurry?

  21. mlndjk
    November 2, 2013 at 2:38 pm

    ALL my personal files are password protected.

    • Mark
      November 2, 2013 at 3:37 pm

      That seems a good idea to me! Any thoughts about this kind of protection?

    • Tom
      November 3, 2013 at 5:59 am

      Don't think it would help. The virus doesn't open the files, which would require the password. It just encrypts them. Think of it like this: Even if you give a file a password, you can still rename the file at a command prompt or in Explorer.

  22. Bill
    November 1, 2013 at 6:26 pm

    What about sniffing the network and logging all traffic for the last 7 days. Would it be possible to capture the encryption key as it's being sent? Why not customize a packet filter to capture and save any packets that look like encryption keys? I'm very familiar with sniffing, but unfortunately have no idea how you'd find the encryption key.

    I work in IT and just had a customer call that has this infection. It's probably too late for him, and I really hope he has a backup, as I would never encourage paying the ransom.

    And thanks for the info. I'll be looking at ways to protect my customers who continue to slack on their backups.

  23. Zach L
    November 1, 2013 at 5:28 pm

    Also: in addition to battling with clueless, spam-sending relatives and friends, I own a WD "My Book" 3T hard drive for super-easy backup. I back up my files and email every week or so. Which reminds me, I should do that this weekend. They're inexpensive at approximately $100 more or less at this point.

    I'm old enough that the idea of my stuff being backed up in "the cloud" does not appeal to me. ;) I like having the hard drive in hand.

    • Lawrence Abrams
      November 3, 2013 at 3:00 pm

      Having a connected external hard drive won't protect you against CryptoLocker. The files will still be accessible on the drive and this type of infection would just encrypt them.

      Backups to external drives do not help unless the drive is not mapped as a drive letter or the files are not directly accessible with standard extension names that CryptoLocker targets.

  24. Peter
    November 1, 2013 at 5:17 pm

    I lose stuff on Windows all the time. Sometimes, I'll just reinstall Windows to clean up the drive.

    Everything that I really need has no fewer than 3 backups, and beyond that, I don't back up any files or programs.

    I always figure if I want it bad enough, I will find a way to get it back and/or replicate it.

  25. Zach L
    November 1, 2013 at 5:13 pm

    I am forever yelling at friends & family who send "fun" links without bothering to personalize the message it's sent in. If you got an email that said, "This is my fav cat video!" with a link and nothing else (no name of the sender and not personalized with your name or any other info), would you click on that link to see the kitty? I got that email last week. Turned out it was legit, it really was her sending me her favorite cat link, but once again, I had to yell at the sender to STOP EMAILING ANONYMOUS LINKS! It's always the same half-dozen sweet-but-annoying people doing this.

  26. Mike
    November 1, 2013 at 2:07 pm

    My aunt's computer got infected with this Crypto ransomware so I did a restore, then did a restore My Documents folder. Everything looks normal and opens up fine. Looks like she got all her files working again.

  27. Todd H
    November 1, 2013 at 1:26 pm

    Seriously, call the NSA. they can get past any encryption. :)

  28. Mohamed
    November 1, 2013 at 11:49 am

    What about data recovery tools like "Recover My Files"? Does the virus remove the clusters that used to contain the old, non-encrypted files? Did anyone try that?

  29. Liz G
    November 1, 2013 at 5:41 am

    I got encrypted... bad... infiltrated my server, my Google Drive and my Dropbox that was synced.. Good news: purging was not necessarily a bad thing... it made me prioritize what I needed to recover. Luckily my husband's copy of what I had shared with him survived... and a lot of files were originally attachments to emails so just going back and redownloading emails helped. For me... paying the money would have alleviated a ton of the head game that I'm still sorting thru.... and I remember the file that my intuition screamed about.. First do all you can to prevent... but then I'm open to the idea that 300 is less than the headache and tech bills potentially incurred trying to live without your files.. Just a perspective.. All the reviews say they are unlocking files once paid... although Honest Criminal doesn't ring right with me. RealizeU

  30. Shmuel M
    October 31, 2013 at 3:44 pm

    This proves what I have always suspected; or at least since the mid-eighties. STAY AWAY FROM MICROSOFT!!!

    • Lawrence Abrams
      November 3, 2013 at 3:00 pm

      This has nothing to do with Microsoft. This type of infection could easily be done on ANY operating system.

  31. Dean
    October 31, 2013 at 2:52 pm

    I would not pay the ransom. These people are dirt bags and there is no guarantee that you will get your files back after you pay. I run weekly backups and I am very careful about what I click on.

    • Matthew H
      October 31, 2013 at 8:24 pm

      Good point. I'll add that the only thing that is guaranteed to not return your files is doing nothing. Have good backup practices, otherwise your only option is to pay the ransom.

  32. wilbert
    October 31, 2013 at 5:55 am

    very informative/crypto prevent

    • Matthew H
      October 31, 2013 at 7:49 pm

      Thank you for the kind words!

  33. Todd
    October 31, 2013 at 12:48 am

    I don't think that anyone should give the "ethical concerns" a second thought. This is not the same dilemma as when terrorists demand a ransom from a nation state. Seriously, are you willing to sacrifice your data on some grand "policy" rationale that by giving money you theoretically increase the likelihood that a random stranger will face the same problem at some later date? The greater concern should be practical: By forking over 300 clams (or whatever that is in cyber funny money) to some creep in Russia, will your files truly be unencrypted and will the malware truly be eradicated from your machine.

    • Zach
      October 31, 2013 at 2:36 pm

      You're making a fairly big leap of faith that the same person who has no scruples about harming you (and anyone else) just for monetary gain will actually remove said malware once you hand over the cash.

      That's the same logic 419-scam victims use as they see their bank accounts emptied, dollar by dollar.

  34. Ididntneedthosefilesanyway
    October 31, 2013 at 12:47 am

    This is the easiest way to clean up your computer. Once it becomes inoperable, reinstall the OS!

    • Matthew H
      October 31, 2013 at 8:25 pm

      Agreed. Once infected, you can't really trust that machine any more.

    • Dave Leippe
      November 27, 2013 at 5:09 am

      Reinstalling the OS is not a solution, unless you wipe the drive in between. Formatting is not a solution unless you wipe the drive. Quick Formatting only marks a previous file table for deletion. Long Formatting only adds ChkDSK, that's it.

      Wipe it if you want to disinfect it.

  35. Mathew
    October 30, 2013 at 10:58 pm

    Our company got infected by Cryptolocker. There was no way I was going to pay the ransom. We run always-on backups with Microsoft DPM and it only took 2 hours to restore approx 1TB of data to multiple servers. Crisis averted.

    • Matthew H
      October 31, 2013 at 8:26 pm

      I'm glad to hear that! Did it affect any of your network drives?

  36. Larry C
    October 30, 2013 at 10:16 pm

    Seen lots of web pages saying my browser is outdated or media player is outdated or need some new codec, and this one which is not Java website; http://javeupdatecaa.com/download/chrome.php?dv1=glispa GmbH

    Any of these could be the culprit too.

    • Matthew H
      October 31, 2013 at 8:26 pm

      As I understand it, right now it's only being distributed by email and by ZeuS. I'm not aware of it being distributed in any other method.

  37. Paul
    October 30, 2013 at 9:53 pm

    I don't understand why no one is talking about taking out the perpetrators. If ransom is paid, then SOMEONE somewhere is reachable... and that person should be encrypted!

  38. Jo-anne P
    October 30, 2013 at 9:30 pm

    I personally would not pay the ransom and not because I am broke. I backup on a regular basis and never click attachments unless I am aware of the sender and am expecting an attachment. My sister clicks everything and it would be possible for her to be infected and send it to me.

    Horrible what people will do to make money and entertain themselves.

  39. Steve Rathbun
    October 30, 2013 at 9:25 pm

    I got hit with a ransomware a couple months ago. It showed up as a very official looking page saying I'd been viewing child porn. I don't view any porn, much less child. The end result was I'd have to pay a $300 USD fine to unlock my computer.
    I did a restore to put it before the advent of this, which worked for a couple days, then one day while emailing my girlfriend, the screen went totally white. I'd never seen this before. I know what blue screen is, but never heard of one going white. Fortunately my pc was still under warranty, so I sent it in for repair. The ransomware (I suspect) had done something to my hard drive, and it had to be replaced. Fortunately it was still under warranty and didn't cost me anything.
    I have no idea how this rode in. I never open unsolicited or unknown email, and as I said never watch porn, so it must have come in thru something else. The only attachments I open are from known sources, like my brother in San Francisco, or my girl friend who travels a lot, when they send me photos. It could have somehow latched onto one of them. My bro. doesn't use a pc - sends pix to my email via his smart phone, but my girl does use a pc, so it could have come in from her.
    End result was it destroyed my hard drive. Could have been very expensive if not for the warranty!
    Good article, MUO. Another big score for you!

  40. Notabrat25
    October 30, 2013 at 9:11 pm

    My law office was infected with this virus today....we paid the ransom because we have to...they caught us between a rock and a hard place needing to access our client files. I think we are lucky that the system is currently being restored and it is actually working but what a mess! It goes without saying the time/expense my boss is paying for us to deal with all of this (employees to be here without access to our files and IT support/assistance). She may be paying for her mistake in opening something she shouldn't have but it is too bad people create things like this to ruin other people's work. I hope they find the creator of this...

    • dragonmouth
      October 31, 2013 at 12:53 pm

      Sorry to hear about your problem. While paying the ransom may have solved your immediate problem of access to clients' files, what makes you sure that the problem is solved for the future? How do you know for sure that ALL the files were unencrypted and that the ransomware has been completely removed? Having found an easy target (your firm), the perps will try again and again. When was the last time you heard of a blackmailer being satisfied with only one payment? I hope your IT people are smart enough to rebuild your system from the ground up with as many precautions built in as possible instead of just restoring the files from a backup.

    • Peter
      November 4, 2013 at 6:12 pm

      @dragonmouth:

      Would it work to set a user to read only permissions for everything but their home directory?

      It doesn't seem to affect system files, because Windows still has to run in order to decrypt it.

  41. Y.T.
    October 30, 2013 at 9:05 pm

    Your question requires the presumption that once you pay they will actually give you the key. The other problem is presuming that if they give you a key it doesn't leave you all nicely set up for it to reactivate for additional bribery.

    Regarding the comment below about your formatting. I too have received your email with the same odd additions to several words that are not present in the online version.

    • Matthew H
      October 31, 2013 at 8:27 pm

      Yeah, we're looking into the formatting issues.

      Honestly, I'd just decrypt all the files, copy them onto an external medium and rebuild your machine. Once it has been infected, you can't vouch for its security.

  42. Egbule D
    October 30, 2013 at 8:50 pm

    That's a really nasty piece of virus.

  43. Thorne
    October 30, 2013 at 8:39 pm

    I would think that if you were to use common sense security measures and NOT open attachments, zip, or .exe files from unknown sources that your data would remain safe. People fall for scams of all sorts all the time; the key here is to stay frosty. I get phishing e-mails allegedly from my bank always saying something stupid like my account has been compromised and that I need to go follow a link provided and re-activate my account with new information. I assure you this does not happen ever and your bank would either contact you by snail mail or by phone and instruct you to go to your branch to do something like that. (This way you're sure it's the bank requesting this and they are sure you're you.) Yet thousands of people get scammed every year into giving criminals access to their banking information. Being cautious and being weak are NOT the same thing; you are responsible to protect yourself from these predators.

    • Jo-anne P
      October 30, 2013 at 9:31 pm

      I get them daily from RBC whom I don't bank at and Paypal lol. Ya i will get right on that click click lol hardly.

    • Caroline W
      November 11, 2013 at 10:25 pm

      Yeah, me too; I get all sorts of dumb emails coming in about a 'Problem Delivery from a Parcel Service', an 'IRS Payment glitch', other stupid emails from foreign people I've never heard of. And all have either links or attachments contained in them. I just click 'Delete' as soon as I see one. The latest one was about some 'Administrator' inviting me to join some Forum I have never heard of = 'Delete'.

  44. joebanana
    October 30, 2013 at 8:18 pm

    I never put anything on a computer I can't replace. Things like photos and music I copy to a DVD immediately. I got the FBI ransomware once. Just wiped the drive, and reinstalled Windows and no worries. You can try the "safe mode with networking" and try downloading "Combofix", I've heard that works. Malwarebytes is also a good one.

    • Matthew H
      November 30, 2013 at 12:03 am

      Good to know! Thanks Joe!

  45. Brent
    October 30, 2013 at 7:49 pm

    I'm running both WebRoot and Windows Defender on my Windows 8. Hopefully, that's enough. If ever I did get one of these bugs, I would - and this would suck for my wallet - pay for an entirely new Windows OS, wipe drive clean, then install. "It's the only way to be sure." - Line from Aliens II.

    • Col_Panek
      November 2, 2013 at 2:27 pm

      Keep an install DVD of Ubuntu handy. That would eliminate a recurrence, besides being free.

    • Matthew H
      November 30, 2013 at 12:02 am

      Sadly, I think it's quite possible for Cryptolocker to bypass common antivirus products. That's part of what makes it so nasty.

  46. Bill
    October 30, 2013 at 7:32 pm

    Got it last Friday so it had all day Saturday to work over my files. (employee opened an email attachment) Didn't pay. My trend-micro removed the virus overnight, but couldn't restore files. I have read that if the virus is removed chance of restoring even if you pay for the key is substantially reduced. Backup was encrypted too. My MIS contractor was able to restore 90% of the files from a shadow copy. Still it was a big hit and I haven't got the bill from the contractor yet. The government needs to sic the NSA on these folks.

    • dragonmouth
      October 31, 2013 at 12:57 pm

      "The government needs to sic the NSA on these folks."

      Actually, someone should sic those guys on the NSA. LOL

    • Bill
      October 31, 2013 at 3:43 pm

      Thanks dragonmouth. I expect your suggestion is better. For whatever it's worth, if you are a small business and do have to hire a professional to restore your documents from a backup as I did, you should contact your insurance company and make a claim. I purchased a "valuable papers" rider with my coverage. It was less than $50 a year extra and it looks like they are going to cover the cost of paying someone to restore the backup from a shadow copy. Also, it did not encrypt anything in Exchange. So if you have copies of documents that you emailed to someone using Outlook and Exchange you can retrieve them by going through your emails and archives. Tedious, but beats the heck out of retyping a 20 page document.

    • Matthew H
      November 29, 2013 at 11:59 pm

      Damn. That's unfortunate. How much did it end up costing you in the end?

  47. Blessings4all
    October 30, 2013 at 7:23 pm

    I would like to see the perps tracked down and ransomed themselves. Any ideas on how and who could do this? The solution is to forcefully take it back to the source.

    • dragonmouth
      October 31, 2013 at 1:04 pm

      The problem is that it is very hard, if not impossible, to find the source. I would not be surprised if the source turned out to be a zombie PC or a whole series of them.

      Ransom is no punishment. If and when apprehended, the perps should be securely staked out over a fire ant hill for a significant period of time.

  48. bradjones
    October 30, 2013 at 7:04 pm

    I paid and it decrypted everything for a couple of hours, then they infected most of the computers in my domain. Even when they say they have uninstalled the trojan, once you run a program like Malwarebytes it shows that your computer is infested with all kinds of bots.

    • Matthew H
      November 29, 2013 at 11:58 pm

      That's crazy. Did the other computers have mounted drives that are accessible from the originally infected machine?

  49. Aaron Barwick
    October 30, 2013 at 6:03 pm

    I know a lady who got ransomware and she used Norton Power Eraser to get rid of it.

    • Matthew H
      October 31, 2013 at 2:05 pm

      Whilst it's fairly easy to remove CryptoLocker, doing so doesn't decrypt your files. Nasty, isn't it?

  50. Pope Dominic
    October 30, 2013 at 5:31 pm

    I wouldn't pay 'em under any circumstances. It's precisely the same as giving ransoms to terrorists: it encourages them.

    Whatever the loss to yourself, the damage to the greater society is worse.

    Don't pay 'em. Lose the data.

    brendan

    • Matthew H
      October 31, 2013 at 2:05 pm

      Agreed. The only way people will stop making ransomware is if it suddenly stopped being profitable. Then, there would be no motivation to make it!

    • Caroline W
      November 11, 2013 at 10:14 pm

      Hear-Hear :)

  51. Chuck Aylworth
    October 30, 2013 at 5:18 pm

    For perspective on bitcoin, Cryptolocker, MOOGland and Chinese "bit farmers" (not to mention crazy Idaho survivalist families) I highly recommend Neal Stephenson's book "Reamde". You won't be sorry, if you like science fiction.

    • Matthew H
      October 30, 2013 at 8:46 pm

      Funnily enough, you're the second person in as many days to recommend that book to me. I must check it out. Cheers!

  52. Terry Straehley
    October 30, 2013 at 5:18 pm

    When I click on the CryptoPrevent link in this message I get a "Halt - Do you want to go there?" message from McAfee. Is there a reason why McAfee has blacklisted that site? I'm a little concerned about downloading software from a site in that status.

    • dragonmouth
      October 31, 2013 at 1:07 pm

      Maybe your McAfee has been compromised?

    • Matthew H
      October 31, 2013 at 2:04 pm

      That's strange. By all accounts, CryptoPrevent is a legitimate product. Perhaps it's something weird on McAfee's end?

  53. Peter H
    October 30, 2013 at 5:17 pm

    My daughter's computer was "infected" with ransomware from The CyberCrime Division of The Internet Police. This one wouldn't even let the pc boot even in safe mode. Through googling, I found a reference to this on a site, <> which offers a free utility called HitMan.Alert2. Checked out SurfRight and seems okay (I'm always suspicious). HitMan.Alert2 boots from a USB stick/key before Windows and disables the rootkit as well as cleans out the registry keys and .dll files. It worked for us.

    Subsequent checking with Malwarebytes (free, but I love it and made a donation) and SpyBot Search and Destroy (used it since WinDos). I also use a Mozilla add-on called KeyScrambler from QFX.

    But I have used ESET NOD32 for maybe 10 years, now on ESET Internet Security, and it has saved me from a number of legitimate websites which tried to install malware. I think it is cheap and it is always in the top of a number of independent tests annually. If you install it, you'll get a cheap annual upgrade rate. You can put it on 3 machines and it also has a Mac version. It integrates into Firefox and Flock and IE for those who like Bing (I don't understand this trapware).

    Finally, I recommend Revo Uninstaller Pro, which lists all the stuff running at any time on your machine, closes boot-up things you don't need, has a number of other helpful screens, and its uninstall program not only removes the program files but all references to the program. Adobe is the worst, sometimes with thousands of references and files. I love it and pay for it.

    This is just my opinion and experience from 30 years of computing and maintenance of machines (I'm not IT).

    • Matthew H
      November 29, 2013 at 11:57 pm

      Woah. That's trippy. "The CyberCrime Division of The Internet Police"

      That'd be almost farcical, if it wasn't such an irritant to good people like yourself. Did you clean up your PC in the end?

  54. Lori
    October 30, 2013 at 4:46 pm

    I'm wondering if cloud systems like Dropbox are a safe backup or if they fall into that "networked backup" category. Does anyone know?

    • Rick
      October 30, 2013 at 5:34 pm

      Since Dropbox uses a copy folder on the PC, it would get encrypted, then Dropbox would update the server's copy. Boom.

    • Lori
      October 30, 2013 at 5:55 pm

      Ugh. That was what I suspected. :-(

    • Matthew H
      October 30, 2013 at 8:47 pm

      An addendum to this: Dropbox has versioning, so you *might* be able to revert to an earlier version of the file if it gets compromised.

      No promises though.

    • dragonmouth
      October 31, 2013 at 1:21 pm

      The only "safe" backup is to your own separate, removable HD.

      Recently MUO had an article about security blogs. Please read the article and read the articles that the blogs have about the security of cloud storage. Very eye-opening and educational. Bottom line is that cloud storage is no safer than local storage, no matter what the cloud storage providers advertise.

      Cloud storage is no solution because the files still can be held for ransom. Not because of malware but because of corporate policy changes, changes in corporate ownership or storage providers going out of business.

    • Shmuel M
      October 31, 2013 at 3:48 pm

      I did gain from your post, but most of all I did appreciate the word "Disneyfication." That pretty much sums up MS in a nutshell!

  55. Adrian B
    October 30, 2013 at 4:29 pm

    I think my one word answer sorts it out. Linux.

    • Peter H
      October 30, 2013 at 5:24 pm

      I've used computers since the days of mainframes and punch cards. I've got 30+ years as an avid pc user before anyone wanted them (afraid to lose their "creativity"). Learned programming enough to make a Dos menu, basic Basic and so on. But I've had no end of trouble with command line Linux. Like wipe-cleaned hds on an infected machine. Luckily there were backups from Acronis. I have no interest in going "back" to learn another program especially in view of the rapid command changes in and Disneyfication of Vista, Win 7+ as well as MS Word since 2003. It's getting hard to be productive again without having to buy the Missing Manual to discover what things are now called and where they are because MS no longer documents their programs. I'd hate to have to teach my co-workers and friends again and tell them what they no longer know. MS is an ageist company despite their sop to accessibility.

    • Col_Panek
      November 2, 2013 at 2:19 pm

      I started out punching cards myself. But I got fully into Linux only a couple years ago and found out that there's a lot of Windows-like GUI clickyness about it, in addition to the command line which is usually faster. Take your pick.

      My granddaughters run Bodhi. It's easier, and a LOT safer, than running Windows. There are 300 other Linux distros besides Ubuntu. I like Mint (of course, they're both Ubuntu derivatives). Zorin might be better for those who just can't tear themselves away from the familiarity of Windows.

    • Matthew H
      November 29, 2013 at 11:56 pm

      Well, yes. Although, I'd like to see Microsoft put more effort into hardening their OS to prevent things like this happening ever again!

  56. Sture E
    October 30, 2013 at 4:25 pm

    What if I open mail on, for example, an iPad? Will I be safe then? Does CryptoLocker only work in Windows?

    • Matthew H
      October 30, 2013 at 8:45 pm

      That's correct. CryptoLocker only targets Windows machines, and since your iPad runs iOS, you should be safe.

      With that said, it's good practice to not open suspect attachments, regardless of what device you're using.

  57. Larry C
    October 30, 2013 at 4:20 pm

    If you pay there is nothing to stop them from asking for more money and more money. They will have you hooked like a sucker.

    I need a backup program that will shrink most of my movies.

    • Caroline W
      November 11, 2013 at 10:01 pm

      I was thinking the same thing Larry. If they have done it once and you paid, then surely they would carry on targeting you for more cash.

      I'm no expert on this, but maybe it's possible to compress your vids into zipped files? Someone else would need to verify this for you :)

    • Matthew H
      November 29, 2013 at 11:55 pm

      You're quite right. Sadly, it seems like they hold all the cards in this respect. Unless you pay up, you're not going to get your files back.

  58. uncle4257
    October 30, 2013 at 3:44 pm

    With all the liberals in the world and techie giants, who have money, no one is willing to just Jail or assonate these bastard pseudo geniuses.
    End of problem !
    Of course unless you're envious/jealous of their smarts and want to perpetuate the madness, so you can stay employed?
    Evil is Evil, no matter how you sugar-coat it!

    • C Weir
      November 20, 2013 at 4:36 pm

      I shouldn't feed a troll, but how on earth do you manage to bring liberals into this? I know it must be hard with a pea-sized brain to contemplate this, but these criminals operate beyond borders. No single country has jurisdiction to just, off the bat, go to assassinate (see that correct spelling!) these people.

      The people, when found, will face justice, and as a liberal, I would support that. But to kill them for it? A tad severe, no? But the trouble is, it's not so easy to find these people. Blaming liberals for this and the lack of finding them, and insinuating that it's because we are envious of their intelligence, is absolute nonsense - throw away that tin foil hat of yours!

      How about you find them?! I suppose you think it's so easy, since us liberals are to blame for inaction.

      Just accept that although, as you infer, we are on average more intelligent, we still have our limits. And in addition this liberal, as I suspect most are, has just as much contempt for Cryptolocker and its maker(s). No-one's endorsing it, or saying it's a work of art and that it's not evil - again, put that tin foil hat away, you special person you!

  59. Ricky
    October 30, 2013 at 3:21 pm

    Pay the ransom, and then after your files have been decrypted, call your bank and tell them there was unauthorized activity on your account. If you have a good bank, you'll get your money back.

    Then Google "sandboxie" for a way to isolate a virus so it doesn't infect your entire system when you accidentally download it.

    • Matthew H
      October 30, 2013 at 8:44 pm

      Sadly, you don't pay the ransom with a bank transfer, but rather with bitcoin and prepaid cash transfers. Both of these methods are nigh on impossible to reverse.

      I'll look into Sandboxie. Cheers.

    • Michael Dowling
      October 30, 2013 at 9:11 pm

      I've used Sandboxie for ages,and can't remember the last time I got infected with anything.

    • Caroline W
      November 11, 2013 at 9:56 pm

      @Ricky. Is Sandboxie a way to download and run exe - or any unknown source file - inside it so it protects your machine detecting anything unruly safely?

      Thanks in advance :)

  60. rally2xs
    October 30, 2013 at 2:57 pm

    The defense seems simple enough. Back up your computer. My NovaStor backup saves its store as a file with an extension .nbd. That is not on the list of things that get encrypted. If worried about it, you could manually change the extension of the backup file to something like .sys, which the crypto program cannot go encrypting willy-nilly and expect the computer to continue to run. Or, you can back up to external drives, and then turn them off.

    • Matthew H
      October 30, 2013 at 8:51 pm

      That's a good shout! There are a bunch of ways in which you can mitigate against this awful malware, and that's one of them! Cheers!

  61. Jeff R
    October 30, 2013 at 2:48 pm

    Does each file get a different 2048 bit key? If not, I think it would be easier to break the encryption if you know the content of one or more encrypted files. I certainly could not do it, but perhaps someone could supply such a program.

    • Lawrence Abrams
      October 30, 2013 at 3:33 pm

      Only the malware developers know the private key, which is stored on the C2 server.

  62. Don
    October 30, 2013 at 2:44 pm

    I had the same situation on one of my client workstations. If you have windows 7 or 8 and professional version or higher, you can hopefully exploit the volume shadow service that runs by default on those pc’s. Download the free utility Shadow Explorer at shadowexplorer.com and export your lost files from a timestamp that’s before the encryption. This worked for me.

    • Matthew H
      November 29, 2013 at 11:53 pm

      That's really useful. How did you get the files off your workstation without them being encrypted?

    • Don
      November 30, 2013 at 12:23 am

      I downloaded the ms security essentials offline version and created the bootable cd which allowed me to remove crypto locker. Then booted back into the OS and proceeded with the above.

  63. Scott M 2
    October 30, 2013 at 2:32 pm

    What's wrong Matthew H.? Can't take that someone has a solution to the problem by deleting my previous comment? Thanks for perpetuating the myth that the ransom needs to be paid.

    • Matthew H
      October 30, 2013 at 8:35 pm

      Hi Scott,

      I didn't delete your comment. I actually don't have any control over that aspect of the site's functionality. Some comments are manually verified, but that has nothing to do with me.

      Furthermore, your original comment is available to view at the time of writing. I presume this is the one?

      "If anyone gets it and wants to get rid of it, start here: http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/
      There are some good links to other resources as well."

      Cheers,
      Matt

    • Matthew H
      November 29, 2013 at 11:52 pm

      Handy video. Cheers!

  64. Hoosie Daddy
    October 30, 2013 at 1:48 pm

    Can't you just recover your files via a Freedom of Information Act request to the NSA?

    • dave
      October 30, 2013 at 2:03 pm

      you just gave me my first laugh of the day and it's only 10 am
      i think you're on to something
      maybe the most secure cloud solution in the world will be NSA
      you're brilliant

    • Matthew H
      October 30, 2013 at 8:39 pm

      Okay, that made me laugh pretty hard.

  65. Scott M 2
    October 30, 2013 at 1:39 pm

    If anyone gets it and wants to get rid of it, start here: http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/

    There are some good links to other resources as well.

    • Matthew H
      October 30, 2013 at 8:38 pm

      Brilliant, although this only removes the malware. It doesn't decrypt the files that CryptoLocker gets its grubby hands on. For that, you'll either have to revert to an earlier backup, or pay the ransom.

  66. Jo K.
    October 30, 2013 at 12:34 pm

    Matthew I lost 2 years worth of data, countless pictures, files etc. Most I have backed up somewhere I think but it was very frustrating and painful. Sick thing was I stupidly stored all my passwords on a note card right on the desktop. I won't do that again.

    Cortman I don't think Star Wars The Old Republic is compatible with Linux. And I have to have some form of relaxation after a rough day at the clinic.

    • Matthew H
      October 30, 2013 at 12:42 pm

      That's really sad. I'm sorry!

      With regards to password management, have you considered looking into Lastpass?

    • Caroline W
      November 11, 2013 at 9:49 pm

      'LastPass' - A Big Definitely for sure, 100%

    • Bill
      April 1, 2014 at 4:08 pm

      You could try running windoze on virtualbox in linux.

  67. Cortman
    October 30, 2013 at 12:28 pm

    Use Linux. :)
    That, and keep a backup on a non-connected external HDD. If you have that, you can thoroughly wipe and reinstall and be none the worse for the experience.

    • Matthew H
      October 30, 2013 at 12:44 pm

      Both good pieces of advice! Cheers!

  68. Jo K.
    October 30, 2013 at 12:18 pm

    Been there done that. I elected to wipe my computer completely and not open any emails anymore in addition to banning my minor from it permanently. This one sucks!

    • Matthew H
      October 30, 2013 at 12:29 pm

      It's pretty evil, I'm not going to lie. I'm sorry you had to deal with CryptoLocker. Did you lose much?

  69. Pablo
    October 30, 2013 at 12:04 pm

    I wonder: the USA, which has the technological power to send a virus to the computers of Iran's nuclear centres or spy on presidents' cell phones, cannot locate the recipient of a MoneyPak or Ukash account? Or else .... this type of attack is an NSA practice and we are the guinea pigs ...

    • Matthew H
      October 30, 2013 at 12:30 pm

      I'm not sure! Bitcoin is pretty untraceable though. That's a feature by design.

  70. dave
    October 30, 2013 at 12:02 pm

    Really good article, Matt.
    Thanks.

    Being totally paranoid, I use VMware to run another copy of Windows. I do all my coding on the virtual machine. (Since my virtual machine is just another file, if my virtual machine is toasted, I simply delete the corrupted file and copy a new one.) My source code is kept in a folder, on the virtual machine, encrypted by TrueCrypt. When I'm done for the day, I close the TrueCrypt volume and copy it to two external hard drives. I keep one external drive with my computer and the other elsewhere. I also only read emails and surf from the virtual machine. I do almost nothing on the physical machine.

    • Matthew H
      October 30, 2013 at 12:06 pm

      That's a really robust strategy! You mentioned you keep an offsite backup. Where do you store it?

  71. Millerpr
    October 30, 2013 at 11:42 am

    Merkel's phone can be hacked but the money trail here cannot be traced?

    • Matthew H
      October 30, 2013 at 11:56 am

      Bitcoin is pretty hard to track by design. It's entirely anonymous. It'll be pretty hard to track the money trail, unfortunately.

    • Zero
      October 31, 2013 at 2:49 am

      Take down the server that is used to store the encryption keys. Is that also impossible to do for the people who hacked Merkel's phone? And track who is maintaining it.

  72. Jonen560ti
    October 30, 2013 at 10:23 am

    Hold on a second. In simple terms, encryption is the same as converting digital information into something only you understand, kind of like making up your own language. Then it should be possible to encrypt something twice. Imagine some very simple encryption like just reversing the information: a piece of text that said "hello world!" would turn into "!dlrow olleh", and if you then encrypt it by turning the letters into specified numbers, you would have to decrypt it twice.

    So if CryptoLocker encrypted an encrypted file, that file would have been lost anyway. So encrypting your documents won't save them from CryptoLocker, or am I completely wrong? I just don't see how encrypting information protects it from encryption. That is unless it looks for certain file types, of course; if it wildly encrypted everything it had access to, it could corrupt the machine and then the people behind the software would never get the ransom in the first place.

    Point is, some people claim encrypting your files protects them from CryptoLocker, but I don't see how that makes them immune from further encryption.

    • Matthew H
      October 30, 2013 at 11:55 am

      As far as I understand it, CryptoLocker looks for certain file extensions.

    • Lawrence Abrams
      October 30, 2013 at 3:31 pm

      Actually what would happen is that CryptoLocker would encrypt the encrypted file. The infection does not care about what the contents of the file are. All it cares about is the extension.

      If it detects a particular file extension, and the infected user has write perms, it encrypts it. Simple as that.

  73. Clumpton
    October 30, 2013 at 8:05 am

    A viable cryptolocker-resistant network backup is to use a shared volume which is only write-accessible by a specific account. You run your backup service (and only your backup service) under this account.

    • Matthew H
      October 30, 2013 at 9:08 am

      Interesting! Thanks for the advice! Thats really helpful.

  74. Ayin
    October 30, 2013 at 7:39 am

    Luckily for me, I do not have anything on my computer that I could not replace, so I would certainly not pay any ransom demand. I would simply go without a computer first.

    • Matthew H
      October 30, 2013 at 9:07 am

      For sure! If you can go without your files, you'd be well advised to reinstall your entire OS.

  75. zastroph
    October 30, 2013 at 6:56 am

    These criminals should be tracked down and charged to the full extent of the law (extortion is a crime)! As for would I pay, NO, and the only things I would lose would be code, but if I lose these, I always write it better when I rewrite so no real loss except the time taken to replace them!

    • Matthew H
      October 30, 2013 at 9:05 am

      Cheats never prosper, as my mum always says!

    • Daniel
      December 2, 2013 at 3:41 pm

      I agree with the point above.

      I think U.S. governmental agencies should co-operate with white-hat hackers in order to physically catch hackers like the CryptoLocker gang and charge them as the extortionist, ransoming, malicious thieves they are.

      Honestly, the hackers are making the government of the U.S. look pitifully outsmarted, meaning unless they're caught, lots more people are going to become hackers in the coming future.

  76. Herbie
    October 30, 2013 at 6:21 am

    I suggest making your backups on DVD discs, if you can fit them. Once the session is closed it can't be messed up.
    BTW, was that YouTube link a test to see who would click on it after reading the article?

    • Matthew H
      October 30, 2013 at 9:04 am

      Sage advice, although for large files I'd encourage you to use versioned, off site backups!

  77. Joe Perone
    October 30, 2013 at 4:07 am

    I am amazed that all these new articles fail to mention the two sites who have been working on this malware from the beginning. Emsisoft analyzed this way before anyone else did:

    http://www.kernelmode.info/forum/viewtopic.php?p=20765#p20765

    Bleeping computer has been helping everyone since early Sept here:

    http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

    and

    http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/

    Everyone else is simply regurgitating everything they discovered and have been helping people with for almost two months.

    • Matthew H
      October 30, 2013 at 12:02 pm

      Thanks for the links. Much appreciated. The original researchers did some incredible work in the public interest. It's really commendable.

  78. m1
    October 30, 2013 at 4:03 am

    I don't negotiate with terrorists! I'd rather do a fresh install and lose everything!!! ...besides, I back up everything anyway.

    • Matthew H
      October 30, 2013 at 12:00 pm

      I like your attitude! :)

  79. Larry Clemons
    October 30, 2013 at 1:47 am

    I have a question for the tech types reading this. If someone used a router where the BIOS had been flashed with a Linux derivative, would the network attached storage be safe from infection?

    • Matthew H
      October 30, 2013 at 11:58 am

      If the NAS was using a file system that can be addressed by a Windows system (FAT or NTFS) and an infected computer can address it, then yes. I doubt the router would have anything to do with it.

    • Lawrence Abrams
      October 30, 2013 at 3:28 pm

      Only if the NAS was mapped as a drive letter on the infected computer will CryptoLocker scan it.

  80. Jessica D
    October 30, 2013 at 1:24 am

    My aunt had this and after I tried so many things to get rid of it, the thing that worked was a system restore. It has not reappeared since.

    • Matthew H
      October 30, 2013 at 9:03 am

      I'm glad to hear about that!

  81. Justin P
    October 30, 2013 at 1:04 am

    This is freaking nasty. Glad I don't work in IT anymore...

    • Matthew H
      October 30, 2013 at 9:01 am

      Me too man. Me too.

    • Caroline W
      November 11, 2013 at 9:42 pm

      Indeed and It's scary as heck

  82. Brianna
    October 30, 2013 at 12:54 am

    My computer at work got infected and it completely took over the shared drive so none of us can access. We ended up having to pay the ransom - takes 2 business days for payment to clear. I need to know if it affects phones - my phone has been acting weird lately and I did hook it up to my computer.

    • Matthew H
      October 30, 2013 at 11:54 am

      I'm sorry that happened. :( I don't think it affects phones, but if you can mount your phone as external storage and you've got certain files on there, it's entirely possible for it to affect your device.

      How did you pay the ransom?

  83. snivelB
    October 30, 2013 at 12:33 am

    I had one of those dumb cryptolock deals infect my laptop. let my girl mess with it for a night and the next day it was fixed. everything was good to go with no loss of anything... now I'm wondering what all she can do on a computer.

    • Matthew H
      October 30, 2013 at 9:02 am

      Sounds like your girlfriend is rather kind indeed, as from what I've heard the only way to defeat CryptoLocker is to pay the ransom!

  84. Marc G
    October 29, 2013 at 11:14 pm

    Who are these people who create such destructive software? They really don't care about others' belongings. I'll be extra careful. On my external HDD is practically my whole life; losing this would be fatal for me. But what kind of ransom is that, to demand Bitcoins, MoneyPak or Ukash? I don't even know what the latter two are! I'm nothing but horrified about this!

    • Matthew H
      October 29, 2013 at 11:20 pm

      MoneyPak and Ukash are a US and UK thing respectively. If you're in Germany (I assume you are, based upon your email address), you'd be forced into using bitcoins.

      With that in mind, the motivations behind the people who make this trash is obvious. It's money. Money, money and more money.

      How they can sleep at night is another question.

  85. Andrea
    October 29, 2013 at 11:12 pm

    What makes me wonder is how it's possible, nowadays, to pay someone without leaving any trace of who's the recipient.

    • Matthew H
      October 29, 2013 at 11:16 pm

      Simple, really. Bitcoin is untraceable by design. Some prepaid cards like Ukash are hard to track too.

    • Andrea
      October 30, 2013 at 2:10 pm

      Yes, my point is that we shouldn't complain too much, if we (widely meant) allow that.

      In my country it would be really hard to do something like that.
      There is no way to buy anything that involves money (from prepaid cards, to mobile SIM), without providing at least some kind of identification document.

      And, even though I think I've used something like money transfer services only once in my life, a lot of years ago, I might be wrong, but I must provide the ID also to withdraw money from this kind of channels.

      And that's good, from my point of view: this should happen everywhere in the world, but I know I'm simply dreaming :)

    • TechnoAngina
      October 30, 2013 at 3:05 pm

      Bitcoin is most certainly not untraceable. It's just hard to track, but governments have pretty much cracked the anonymity of it in multiple cases. They use the public string that everyone has access to. Make no mistake the proprietors of this are almost certainly on someone's radar.

  86. Joe
    October 29, 2013 at 10:47 pm

    There is one rule that has been around since the first virus was spread across the Internet a couple of decades ago. Don't run executable programs from the Internet unless you get them directly from the source or trusted mirror sites. Sheesh! It's like giving the Gremlins food after midnight for Pete's sake. Just follow the rules people.

    • Daniel E
      October 30, 2013 at 3:03 am

      Update the rule to “Don't click on a suspicious link.” I should be able to write an entire short blog post on that, which would entail checking the padlock icon for purported https sites, looking more closely at the URL, etc.

    • Matthew H
      October 30, 2013 at 9:01 am

      Exactly. Although, from what I've heard, the social aspect of the attack is quite effective!

    • Hugh
      October 30, 2013 at 10:38 am

      Those most at risk are families. The kids are now quite computer literate, but also quite computer naive/immature. They'll happily click on these suspicious links. So the advice "don't click on external links" doesn't really help.

      So, the question evolves to: how as the manager of the family's machines do I protect the family and our resources (other than the obvious of keeping a virus scanner up to date)?

      If the isolated backup is reconnected/connected to an infected machine during the backup process, will it not also be compromised?

    • Peter
      October 30, 2013 at 2:26 pm

      @Hugh: Set up a file watcher to look at a text file at C:~0A~ (so it is first alphabetically).

      Put some text in it, then never change it. Ever.

      If the file watcher detects changes to it, have it eject all network drives.

      Unfortunately, I only know how to do this in Linux, which is pretty useless since the virus does not affect Linux.
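The canary-file idea Peter describes above, written out as an added example (not code from the article or from any commenter). It plants a document-looking file that sorts first in its directory, records the hash of its contents, and polls it; any overwrite, rename or deletion triggers a response action. The canary name `!canary.docx`, the assumption that `.docx` is on the encryptor's extension list, and the response command (`net use * /delete /y` on Windows, `umount -a -t cifs` on a Linux client) are all my assumptions; the demo scenario is constructed.

```python
"""Canary-file watcher: detect an encryptor at work and cut off network drives.

Added example after Peter's suggestion; not code from the article. The canary
name, the choice of .docx as a targeted extension, and the response commands
are assumptions.
"""
import hashlib
import os
import subprocess
import sys
import tempfile
import time
from pathlib import Path

CANARY_NAME = "!canary.docx"  # '!' sorts before letters; .docx assumed to be targeted
CANARY_BODY = b"Canary file. Never edit this. If it changes, documents are being rewritten.\n"


def plant_canary(directory):
    """Write the canary and return (path, sha256 hex digest of the expected content)."""
    path = Path(directory, CANARY_NAME)
    path.write_bytes(CANARY_BODY)
    return path, hashlib.sha256(CANARY_BODY).hexdigest()


def canary_state(path, expected_digest):
    """Return 'intact', 'modified' or 'missing'. A rename shows up as 'missing'."""
    try:
        data = Path(path).read_bytes()
    except FileNotFoundError:
        return "missing"
    return "intact" if hashlib.sha256(data).hexdigest() == expected_digest else "modified"


def check_canaries(canaries):
    """Return the paths of canaries that are no longer intact."""
    return [str(p) for p, digest in canaries if canary_state(p, digest) != "intact"]


def disconnect_network_drives(dry_run=False):
    """Response action: unmap every network drive letter (Windows) or CIFS mount (Linux).

    Assumed commands; the Linux variant needs root. Returns the command line used.
    """
    if sys.platform == "win32":
        cmd = ["net", "use", "*", "/delete", "/y"]
    else:
        cmd = ["umount", "-a", "-t", "cifs"]
    if not dry_run:
        subprocess.run(cmd, check=False)
    return " ".join(cmd)


def watch(canaries, respond=disconnect_network_drives, interval=1.0, max_polls=None):
    """Poll until a canary changes, run `respond` once, and return the tampered paths."""
    polls = 0
    while max_polls is None or polls < max_polls:
        tampered = check_canaries(canaries)
        if tampered:
            respond()
            return tampered
        polls += 1
        time.sleep(interval)
    return []


def demo():
    """Constructed scenario: plant a canary, overwrite it (simulated encryption), delete it."""
    actions = []
    with tempfile.TemporaryDirectory() as d:
        canary = plant_canary(d)
        states = {"planted": canary_state(*canary)}
        Path(canary[0]).write_bytes(os.urandom(64))  # what an encryptor leaves behind
        states["overwritten"] = canary_state(*canary)
        watch([canary], respond=lambda: actions.append("disconnect"), interval=0, max_polls=1)
        Path(canary[0]).unlink()
        states["deleted"] = canary_state(*canary)
    states["responses"] = len(actions)
    return states


if __name__ == "__main__":
    # Real use: plant one canary per mapped drive or document root, then block in watch().
    roots = sys.argv[1:] or [str(Path.home() / "Documents")]
    print(watch([plant_canary(r) for r in roots]))
```

Hugh's follow-up question (what happens when the isolated backup drive is reconnected to an already-infected machine) is exactly the window this is meant to shrink: the watcher fires on the first rewritten document and drops the mapped drives before the encryptor gets far down the tree, but it is a mitigation, not a substitute for an offline copy.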

    • Noiseboy
      October 31, 2013 at 2:57 pm

      It CAN affect Macs. I had a client less than a week ago who had the CryptoLocker virus infect her Windows XP installation. Trouble was she was running it virtualized through Parallels Desktop on her iMac. She also had the access Mac home folder from Windows enabled in Parallels. As a result every single one of her pdf, eps, jpeg and Office documents on the Mac partition were hosed. Naturally it took out the same file types in Windows but there weren't many of those. Most of her work was on the Mac.

  87. Anonymous
    October 29, 2013 at 10:47 pm

    I still use external drives to back up. I do not test the cloud

    • Matthew H
      October 29, 2013 at 11:15 pm

      If your computer can mount it and address it, then CryptoLocker can affect it. I'd be interested in researching some CryptoLocker-resistant backup solutions.

    • Joe
      October 30, 2013 at 12:49 am

      Since it doesn't affect Macs I am currently immune. However, I do run the Time Machine backup software to a wireless external hard drive. I wonder if it could access it if Macs were targeted (not that I'd run a program downloaded from the Internet in the first place.)

  88. Allan
    October 29, 2013 at 10:38 pm

    Would it also affect a dual boot system Ubuntu/Windows XP?

    • Jason
      October 29, 2013 at 11:00 pm

      "CryptoLocker is a piece of malware targeting computers running the Microsoft Windows operating system."

      So, if the drive is readable by Windows (e.g., it's FAT-formatted, or ext filesystem drivers are installed, or you're using Wubi), your Ubuntu system will be hosed if Windows is infected. Ubuntu will not be infected.

      If Ubuntu is on a separate, ext4 (the default) partition, and Windows can't read it, your Ubuntu will be safe.

    • Matthew H
      October 29, 2013 at 11:14 pm

      It would affect anything on the Windows XP partition. Not on the Ubuntu one, however.

    • Lawrence Abrams
      October 30, 2013 at 3:25 pm

      CryptoLocker ONLY encrypts drive letters that are returned via the GetLogicalDrives function. If your Ubuntu partition is mapped as a drive letter, it will be scanned for file types that CryptoLocker likes to encrypt. If it's not mapped, then you have nothing to worry about.

  89. Ashley Cardwell
    October 29, 2013 at 10:36 pm

    There have been a few reports that paying the ransom actually works. Although it can take more than two weeks for the program to start reversing its actions.

    Even though I personally wouldn't suggest paying, it is somewhat relieving to know that if you have money to dispose of, you can get your files back.

    • Matthew H
      October 30, 2013 at 9:00 am

      Exactly. I'm curious, where did you get the few weeks figure from? I didn't come across it whilst researching this article.

  90. Jenny R
    October 29, 2013 at 9:18 pm

    Do you know of anyone who has paid the ransom and gotten their stuff back?

    • Matthew H
      October 29, 2013 at 9:21 pm

      I don't have any first-hand knowledge of it happening, but reports from other technology websites (Register, Sophos) suggest that paying the ransom works.

      However, that in itself raises a few ethical dilemmas.

      I should also add one last point. If the server holding the private key goes down (it's been known to happen), then regardless of whether you pay the ransom or not, you'll never get your files back.

    • TechnoAngina
      October 30, 2013 at 3:01 pm

      Some people were getting their stuff back, it's why people pay up in the first place, but white hats (hackers for good) already took out the C&C (command and control) computers, knocking out any ability to recover your file data. Most people were getting their files back before this, otherwise why pay up?

    • Lawrence Abrams
      October 30, 2013 at 3:21 pm

      Though it is recommended that you do not pay the ransom if at all possible, paying the ransom will initiate the decryption process. As for the C2 servers being taken out, that is not true. Some of them have been blackholed for monitoring reasons, but unfortunately the rest are still live and kicking.

      This is a double-edged sword. If you take them out, no one else will get infected, but then there will be no way to pay the ransom and recover your files. Not an easy situation.

    • Vincent Lee
      January 9, 2014 at 2:21 pm

      We paid the ransom. It was the only thing to do. The ransomware is real. If it was a single PC, I wouldn't be so concerned, but it affected our network shared folders and that was problematic because these are files that we need for our day-to-day business.

  91. netinfinity
    October 29, 2013 at 9:16 pm

    I would suggest that sensitive data should be encrypted and backed up on cloud storage. Use TrueCrypt in combination with SpiderOak (they have a zero-knowledge policy), for example. Everything else is easy to revert (OS, programs, etc.) if something like this should happen.

    • Matthew H
      October 29, 2013 at 9:19 pm

      Sage advice! Thanks for your comment!

    • reed
      October 30, 2013 at 10:36 am

      What's the benefit of 'encrypted backup' in this context? Your encrypted files will be re-encrypted with a different key (well, in 99.999...% of cases).

    • Matthew H
      October 30, 2013 at 8:52 pm

      That's assuming that CryptoLocker goes after TrueCrypt volumes! It might not do!

  92. Yi
    October 29, 2013 at 8:05 pm

    Nope, because I use Chromebook ;)

    • Matthew H
      October 29, 2013 at 11:14 pm

      Good shout. :)

    • Matthew H
      October 29, 2013 at 11:21 pm

      That's a good call! Although, if you share a network share with a windows computer infected with CryptoLocker, you still wouldn't be able to access the files stored on the share. :(

  93. Tom W
    October 29, 2013 at 6:39 pm

    The most important things on my pc are code files, which are stored on an external server using subversion. I need a better backup for my emails though.

    • Matthew H
      October 29, 2013 at 9:03 pm

      If your server is accessible as a mounted network drive, then odds are good that your code can be compromised with CryptoLocker. Likewise if you've got it mounted as removable storage. Otherwise, I think you're fine!

    • Tom W
      October 30, 2013 at 11:36 am

      It's an external server, a Memset Miniserver hosted in their datacentre. The only link my computer has to it is the Repos I have set up.

  94. Scott M
    October 29, 2013 at 6:10 pm

    I'm assuming things like Dropbox and Skydrive would be equally affected? I don't think they have versioning, do they?

    • Matthew H
      October 29, 2013 at 6:12 pm

      Dropbox does, and you can revert to an earlier version from the browser. I don't know much about SkyDrive, however.

    • Lawrence Abrams
      October 30, 2013 at 3:23 pm

      Any drive letter on an infected computer will be scanned by CryptoLocker for matching file types and encrypted. UNC network shares are left alone. Therefore, if Dropbox or SkyDrive are mapped to a drive letter, then the infection WILL attempt to encrypt it. Dropbox allows you to restore your files to a previous date before they were infected, so you will be in good shape there.

    • Steve Rathbun
      October 30, 2013 at 9:34 pm

      Hey, Brian. I noticed that same thing on today's article. I've never seen that before. Reckon what it is?

    • Vincent Lee
      January 9, 2014 at 2:20 pm

      Dropbox will be affected. We used this as a replication backup solution for our files and the files were corrupted. The best thing is to do a full backup using something like Evault and store it offsite.

  95. Scott H
    October 29, 2013 at 6:01 pm

    Watch this, then you will realize there's no way you can protect yourself once the quantum computer gets into public hands. It's a good doc, a must watch.
    http://www.youtube.com/watch?v=_4NrrKTYmBI

    • Matthew H
      October 29, 2013 at 11:17 pm

      Interesting! I'll check that out! The University of Waterloo in Ontario has done some pretty interesting research on quantum computers too. Would be pretty excited to see what they're working on.

    • Brian
      October 30, 2013 at 4:07 pm

      My question is related to the article, not its subject. But what's going on with your formatting? See lines copied from the email I received. And this happens often.

      CryptoLocker Is The Nastiest Malware Ever & Hereâ??s What You Can Do

      the form of a ransom or a â??fineâ?? before access to

      Horrible, isnâ??t it? Well, get ready to meet

      If you donâ??t pay within three

      onto your system before itâ??s too

      Itâ??s also worth making sure that you

      see if theyâ??re suspect before

      consistent with what youâ??d

      circumstances, Iâ??d encourage

      However, if you donâ??t pay the ransom

      everything youâ??ve been working

      Iâ??ll leave the floor to you, the reader.

    • david
      November 8, 2013 at 10:19 am

      Is it possible for that virus to encrypt my Acronis backup, which I saved on my HDD?
      (.tib file)
