Cryptolocker ransomware means changes to our backup process

There’s a new type of malicious software in town.  It’s called CryptoLocker.  It doesn’t fool around.

[Image: CryptoLocker logo]

CryptoLocker falls into the category of “Ransomware”.  Ransomware programs take over part or all of your computer, and offer to return it to you when you pay money.  You have probably heard about the popular “FBI Virus”, which popped up on the screen accusing the user of all kinds of illegal activity, and said that the computer could be used again once the $300 “penalty” had been paid.  Of course, when the victim paid the $300, the computer remained unusable and in need of repair.  However, in most cases, the files and folders on the computer such as Documents and Pictures were still there and undamaged.

CryptoLocker is different.

When CryptoLocker first gets on your computer, it works completely silently in the background.  You won’t see anything out of the ordinary happening.

The first thing it does is look for the typical files that people consider important – documents, pictures, emails, that kind of thing.  The stuff you would NOT want to lose.

Then it encrypts those files, identifies your computer, and sends the information back to the creator(s) of the program.  I won’t go into how encryption works (Wikipedia explains it well here).  The important thing to know is that if you don’t have the key (kind of like a long password) to decrypt the files, you won’t get them back.  There is no one in the world that you could hire to crack the code and get your files back; you need that key.

Once your files are encrypted, that’s when CryptoLocker presents itself.  You will see a window pop up, with the CryptoLocker logo, some text, and a countdown timer.  It looks like this:

[Image: the CryptoLocker ransom window with its countdown timer]

If the text is too small for you to read, here is what it says:

Your important files encryption on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this.

Encryption was produced using a unique public key RSA-2048 generated for this computer.  To decrypt files you need to obtain the private key.

The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After nobody and never will be able to restore files…

To obtain the private key for this computer, which will automatically decrypt files, you need to pay 100 USD/ 100 EUR/ similar amount in another currency.

Click <Next> to select the method of payment and the currency.

Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server.

The text may not be grammatically correct, but based on the experiences of computer users that have encountered this, it is all true.  The program is not bluffing.  (Note: the image above shows an early version of the program – the current version demands $300).

The countdown timer starts and you have to respond within (I believe) 72 hours, or about 3 days.  If you don’t pay before the timer runs out, the decryption key is destroyed and you will never be able to access those files.

Here’s the twist with this scam: if you DO pay the $300, you will get the decryption key, and your files will be unlocked for you.  Then, the program will uninstall itself and you’re happy again (albeit $300 poorer).  At least that has been the experience of several victims so far.  From a psychological standpoint, this is rather a smart strategy by the bad guys – word has now gotten around that if you pay, you WILL get your files back, so people are a lot more likely to just pay up.

Some of you might be thinking of some solutions to this without paying:

  • Restart the computer.  Nope, the timer continues.
  • Use System Restore to take the computer back to an earlier date.  Nice idea, but the files will still be encrypted.  And now you won’t have a chance to enter your payment info and get the key.
  • Uninstall the program.  Actually, getting rid of the program is not all that difficult.  But your files are still encrypted.

There is a way to get your files back, but it requires taking action before your computer gets infected.  What you need is called a cold storage backup.  That might sound complicated, but it’s actually pretty simple.

For quite some time, I have been using and recommending an automated, online backup process.  I’ve set this up for a lot of my clients (and for a few it has been a lifesaver when their hard drive crashed).  However, your online backup only keeps a specific backup for 30 days.  After that time, the oldest one goes away and the newest one is stored.  And the newest one is the one that has your files encrypted.  That means that after 30 days, all of your online backups will be encrypted.  Yes, you will probably notice the problem before that, but it’s definitely not a good solution to rely on.

We definitely still need the online (offsite) backup, but we will now be adding a local backup to the process.  These are the basic steps:

  1. Connect an external drive to the computer.
  2. Copy all of your important files to the external drive.
  3. Disconnect the external drive from the computer (this is why the backup is called “cold storage” – because that drive is mostly NOT connected to the computer).

You need to do that process as often as you want to.  It can be daily, weekly, monthly, whatever you are comfortable with.  Step 3 is very important.  If the CryptoLocker virus gets in when the external drive is connected, it will encrypt the external drive also.

There are programs that can automate a lot of the local backup process.  I am in the process of checking out several, and I’m planning on having one to recommend by my next blog post.

In the meantime, if you don’t already have an external drive, I recommend that you go get one.  I just bought a Toshiba portable drive (1 terabyte) at Walmart for just $62.  A drive that holds 1 TB should be big enough for just about everyone.

But please don’t ignore this or put it off.  You need an automated online backup (I can set this up for you in about 10 minutes, through remote access).  And thanks to CryptoLocker, you now need a local backup as well.  Don’t let the bad guys catch you procrastinating.

20 comments

Shawn Morrison
September 30th, 2013

Hi Scott

I’ve been thinking about getting a external drive as a backup anyway but WOW…this is kinda scary. I personally know someone that fell victim to the FBI scam and had to have their computer cleaned. They are older folks and not computer savvy so I’m pretty sure they just weren’t careful with opening files sent in emails. My question is, doesn’t a good security program protect from this kind of thing? Thanks for your posts…I learn something new every time 🙂

Lloyd Ellison
September 30th, 2013

What do you think about Panda anti Virus program?

++++++++++++++++++++++++++
Regarding today’s comments:

Do you recommend turning your External Drive On and Off every day? That does not appear to be a 100% cure for the encryption threat.

Scott Johnson
September 30th, 2013

I have not used Panda antivirus so I can’t really comment first-hand.

Scott Johnson
September 30th, 2013

Good question Shawn – this is something I will address in a future blog post and podcast. No antivirus is 100% foolproof, but it goes beyond that. Thanks!

Joan Peterson
September 30th, 2013

Good grief! I wish I could understand why there are people who gain such pleasure out of hurting others. Up to now, I have heard mostly of viruses being inserted just for the fun of it. Now it’s for money. Is there any attempt you are aware of to track down these creeps? Seems to me the money angle gives the whole thing a new smell. Scamming and spamming and inserting viruses are one thing; when you add the demand for money, you definitely commit a felony. While I await your response, I will go out and spend money I can’t afford to buy an external drive. Looks like either way, these idiots are costing us.

Scott Johnson
September 30th, 2013

It’s difficult to bring these guys to justice when they could be anywhere in the world, and are not under US jurisdiction.

Marge
October 1st, 2013

Scott, you’re saying that there is no way in the world to avoid getting this Cryptolocker on our computer (except luck)??? I have 3 external hard drives and each one is turned on only when I do my automated backup using Second Copy. I turn one on each night and turn it off when Second Copy is done. But who feels like doing a copy and paste of all my stuff? Yes, I can do it but who wants to?

There’s no way to prevent this Cryptolocker from doing a home invasion?

Scott Johnson
October 1st, 2013

It can be prevented, but not by relying strictly on software such as the antivirus or Malwarebytes software. This is not detected as a virus, because it is usually allowed in by the user (unknowingly). I will be doing a future blog post on this. If you are already doing a cold storage backup, then your data should be safe as long as that external drive is safe.

Marge
October 1st, 2013

Thanks, Scott. I enjoy your computer tips. Thanks very much for your good work.

Mike Wilson
October 3rd, 2013

Hi Scott, I was googling this very subject after reading about it on technibble. I recognize you from there. I am trying to decide what to do to make sure my customers are protected. I support several FreeNAS boxes. I run ShadowProtect backups to them. For those I am thinking, just make sure the network shares to access the backups are secured and take periodic ZFS snapshots in the NAS. But this is really going to be a pain for my customers that just have USB drives attached to PCs. I am wondering if a script could mount the USB device before the backup and dismount it afterwards. I would also probably need to eject the drive after a reboot. Not sure how I would be able to verify the images with image manager though.

Scott Johnson
October 3rd, 2013

Yeah, I have read about ShadowProtect but I try to keep everything as simple as possible. I thought about the same thing too – maybe some script that would simulate plugging and unplugging the external drive from the USB. Haven’t seen anything like that though. I’m sure it could be written though.
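The three-step cold storage routine from the post (connect, copy, disconnect) and the mount/unmount script that Mike and Scott wonder about above, written out as an added bash example; it is not from the original post, from Second Copy, ShadowProtect or any other product mentioned here. Each run produces one dated snapshot folder on the drive, with files that have not changed hard-linked to the previous snapshot, so a later copy of an encrypted file never overwrites the good version taken earlier (the weakness the post describes for a 30-day online rotation); the snapshot is then verified against the source, old snapshots are pruned down to a chosen count, and the drive is mounted before and unmounted after the copy when a device is given. The function names, the directory layout and the mount/umount wrapper are my assumptions, as is a Linux-style system with bash, find, cmp, ln and cp and a drive formatted with a filesystem that supports hard links (file names containing newlines are not handled).

```shell
#!/usr/bin/env bash
# Versioned "cold storage" backup helper (illustrative script, not from the post).
# One snapshot directory per run under BACKUP_ROOT/<timestamp>; unchanged files are
# hard-linked to the previous snapshot so each run costs only the changed files,
# and no earlier snapshot is ever rewritten.
set -eu

# Copy SRC into ROOT/STAMP (STAMP defaults to now). Prints the snapshot path.
snapshot_backup() {
  local src="$1" root="$2" stamp="${3:-$(date +%Y%m%d-%H%M%S)}"
  local new="$root/$stamp" prev
  # newest existing snapshot, if any (timestamps sort lexically)
  prev="$(ls -1d "$root"/[0-9]* 2>/dev/null | sort | tail -n 1)"
  if [ -e "$new" ]; then
    echo "snapshot $new already exists" >&2
    return 1
  fi
  mkdir -p "$new"
  ( cd "$src" && find . -type d ) | while IFS= read -r d; do mkdir -p "$new/$d"; done
  ( cd "$src" && find . -type f ) | while IFS= read -r f; do
    if [ -n "$prev" ] && [ -f "$prev/$f" ] && cmp -s "$src/$f" "$prev/$f"; then
      ln "$prev/$f" "$new/$f"        # unchanged: share the inode with the previous snapshot
    else
      cp -p "$src/$f" "$new/$f"      # new or changed: fresh copy, old version stays in $prev
    fi
  done
  printf '%s\n' "$new"
}

# Compare every file in SRC with its copy in SNAP; non-zero if any file differs or is missing.
verify_snapshot() {
  local src="$1" snap="$2" f bad=0
  while IFS= read -r f; do
    if ! cmp -s "$src/$f" "$snap/$f"; then
      echo "MISMATCH: $f" >&2
      bad=1
    fi
  done < <( cd "$src" && find . -type f )
  return "$bad"
}

# Delete the oldest snapshots so that at most KEEP remain.
prune_snapshots() {
  local root="$1" keep="$2" total excess
  total="$(ls -1d "$root"/[0-9]* 2>/dev/null | wc -l)"
  excess=$(( total - keep ))
  [ "$excess" -gt 0 ] || return 0
  ls -1d "$root"/[0-9]* 2>/dev/null | sort | head -n "$excess" | while IFS= read -r old; do
    rm -rf "$old"
  done
}

# Whole routine: (1) mount the drive if DEV is given, (2) copy and verify, prune,
# (3) flush and unmount so the drive is back to cold storage. Prints the snapshot path.
cold_backup_run() {
  local src="$1" root="$2" keep="${3:-30}" dev="${4:-}" snap
  if [ -n "$dev" ]; then mount "$dev" "$root"; fi      # step 1: connect
  snap="$(snapshot_backup "$src" "$root")"             # step 2: copy (versioned)
  verify_snapshot "$src" "$snap"
  prune_snapshots "$root" "$keep"
  sync
  if [ -n "$dev" ]; then umount "$root"; fi            # step 3: disconnect
  printf '%s\n' "$snap"
}

# Example invocation (paths and device are placeholders):
#   cold_backup_run /home/me/Documents /mnt/backup 30 /dev/sdb1
```

Scheduling this from cron gives the "as often as you want" cadence from the post, and the third argument is the retention count, so a copy that has already been encrypted at the source lands in its own snapshot while the earlier, clean snapshot is untouched. The hard links are what make many snapshots cheap, but they also mean that a file overwritten in place on the drive changes every snapshot sharing that inode, so the unmount in step 3 is not optional: a versioned copy on a drive that stays plugged in is not cold storage.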

Jason
October 9th, 2013

Excellent write up. Thank you for this reference.

Arun
October 11th, 2013

Is there any solution to revert data back?

Scott Johnson
October 11th, 2013

Arun – as explained in the post, the only way to decrypt the files is with the decryption key.

JOSS
October 11th, 2013

I need a solution!!! I can´t open any file in my server.

How can i resolve this problem?

Scott Johnson
October 11th, 2013

Joss, you may find that your only solution is to follow the instructions on the countdown timer and make the $300 payment that it’s requesting. That has worked for some victims. Of course, no one can guarantee that it will work so you would be risking the loss of that money.

Nigel
October 11th, 2013

I visited a new client today, that became new because of this. When I asked them what their backup protocol was, it was a USB hard drive that they sometimes forget to plug in. They haven’t plugged it in since July – UNBELIEVABLE. Unfortunately they have been hit with this.

They have paid. Paying DOES work, it cost them 2 bitcoins, £168.

The guy that has written this is incredible, however he should be hunted down and made to use his immense skills for GOOD not EVIL.

I am watching my client’s PC remotely and it is still decrypting, it is working, slowly.

I will be implementing a proper backup service for them, both online and “cold storage” which is a great idea !!

Jesse
October 14th, 2013

I have an IDB backup solution on a Lotus Foundations Start server and thought I was doing the right thing. We had a laptop get infected and had the server as a mapped drive. I have tried to restore files from the IDB backup disks and I get nothing! I still can’t open the files. Is it not letting me overwrite the encrypted file or am I missing something?

Scott Johnson
October 14th, 2013

I recommend that you let someone local look at it to determine the best strategy.