There’s a new type of malicious software in town. It’s called CryptoLocker. It doesn’t fool around.
CryptoLocker falls into the category of “ransomware”. Ransomware programs take over part or all of your computer and offer to give it back once you pay. You have probably heard about the widespread “FBI Virus”, which popped up on the screen accusing the user of all kinds of illegal activity and said the computer could be used again once the $300 “penalty” had been paid. Of course, when the victim paid the $300, the computer remained unusable and in need of repair. However, in most cases the files and folders on the computer, such as Documents and Pictures, were still there and undamaged.
CryptoLocker is different.
When CryptoLocker first gets on your computer, it works completely silently in the background. You won’t see anything out of the ordinary happening.
The first thing it does is look for the typical files that people consider important – documents, pictures, emails, that kind of thing. The stuff you would NOT want to lose.
Then it encrypts those files, identifies your computer, and sends the information back to the creator(s) of the program. I won’t go into how encryption works (Wikipedia explains it well). The important thing to know is that the files are scrambled with a key, something like a very long password, and the key needed to unscramble them is never stored on your computer; it stays with the criminals. Without that key the files cannot be decrypted. There is no one in the world you could hire to crack the code and get your files back; you need that key.
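Here is what that “you need the key” business looks like in working code. This is an added example, not code from the original post or from CryptoLocker itself: it uses the same kind of scheme the ransom note quoted further down describes (an RSA-2048 public key, with the private half kept elsewhere) and Go’s standard library to lock and unlock a few bytes in memory. The per-file AES layer, the sample document and all names such as Lock, Unlock and NewServerKey are this example’s own choices and assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// LockedFile is what is left in place of a document: the encrypted contents
// plus the per-file AES key, itself encrypted to the RSA-2048 public key.
// Nothing in here turns back into the original without the private key.
type LockedFile struct {
	WrappedKey []byte // the AES key, RSA-OAEP encrypted to the public key
	Nonce      []byte
	Ciphertext []byte
}

// NewServerKey stands in for key generation on the "secret server". The
// private half is only ever held by whoever runs this function.
func NewServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Lock models the scheme the ransom note describes (assumed detail: a fresh
// random AES-256 key per file, wrapped with the public key). The private key
// never has to exist on the victim's machine, so removing the program does
// not help.
func Lock(pub *rsa.PublicKey, plaintext []byte) (*LockedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// After this return, the only copy of fileKey is the wrapped one.
	return &LockedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// Unlock is what the ransom buys: the private key unwraps the file key, and
// the file key decrypts the file. With any other private key the OAEP
// unwrapping fails and there is nothing to recover.
func Unlock(priv *rsa.PrivateKey, f *LockedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, f.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("private key does not match: file key cannot be recovered")
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	serverKey, err := NewServerKey() // the one copy of the private key
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed sample document: family budget 2013")

	locked, err := Lock(&serverKey.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext starts %x..., nothing like the document\n", locked.Ciphertext[:8])

	// A "recovery expert" with a key of his own gets nowhere.
	otherKey, _ := NewServerKey()
	if _, err := Unlock(otherKey, locked); err != nil {
		fmt.Println("wrong key:", err)
	}

	plain, err := Unlock(serverKey, locked)
	if err != nil || !bytes.Equal(plain, doc) {
		panic("the matching private key should always work")
	}
	fmt.Println("right key:", string(plain))
}
```

Run it and the point is visible: the same locked bytes open cleanly with the server’s private key and fail outright with any other, and no amount of effort on the victim’s machine changes that, because the missing piece was never there.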
Once your files are encrypted, that’s when CryptoLocker presents itself. You will see a window pop up, with the CryptoLocker logo, some text, and a countdown timer. It looks like this:
If the text is too small for you to read, here is what it says:
Your important files encryption on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this.
Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.
The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After nobody and never will be able to restore files…
To obtain the private key for this computer, which will automatically decrypt files, you need to pay 100 USD/ 100 EUR/ similar amount in another currency.
Click <Next> to select the method of payment and the currency.
Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server.
The text may not be grammatically correct, but based on the experiences of computer users that have encountered this, it is all true. The program is not bluffing. (Note: the image above shows an early version of the program – the current version demands $300).
The countdown timer starts and you have to respond within (I believe) 72 hours, or about 3 days. If you don’t pay before the timer runs out, the decryption key is destroyed and you will never be able to access those files.
Here’s the twist with this scam: if you DO pay the $300, you will get the decryption key, and your files will be unlocked for you. Then, the program will uninstall itself and you’re happy again (albeit $300 poorer). At least that has been the experience of several victims so far. From a psychological standpoint, this is rather a smart strategy by the bad guys – word has now gotten around that if you pay, you WILL get your files back, so people are a lot more likely to just pay up.
Some of you might be thinking of some solutions to this without paying:
- Restart the computer. Nope, the timer continues.
- Use System Restore to take the computer back to an earlier date. Nice idea, but the files will still be encrypted. And now you won’t have a chance to enter your payment info and get the key.
- Uninstall the program. Actually, getting rid of the program is not all that difficult. But your files are still encrypted.
There is a way to get your files back, but it requires taking action before your computer gets infected. What you need is called a cold storage backup. That might sound complicated, but it’s actually pretty simple.
For quite some time, I have been using and recommending an automated, online backup process. I’ve set this up for a lot of my clients (and for a few it has been a lifesaver when their hard drive crashed). However, that online backup only keeps each version of a file for 30 days. After that time the oldest copy goes away and the newest copy is kept, and the newest copy is the one with your files encrypted. That means that 30 days after an infection, every copy of those files in your online backup will be encrypted too. Yes, you will probably notice the problem before then, but it is definitely not something to rely on.
We definitely still need the online (offsite) backup, but we will now be adding a local backup to the process. These are the basic steps:
- Connect an external drive to the computer.
- Copy all of your important files to the external drive.
- Disconnect the external drive from the computer (this is why the backup is called “cold storage”: the drive is NOT connected to the computer most of the time).
Do that as often as you like: daily, weekly, monthly, whatever you are comfortable with. Step 3 is the important one. If CryptoLocker gets in while the external drive is connected, it will encrypt the files on the external drive too, and your backup is gone along with the originals.
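Here are those three steps as an added example program, not something from the original post or from any product it mentions. It assumes the external drive is already plugged in and shows up as a folder, and it adds one thing the steps above do not spell out: each run goes into its own dated folder instead of overwriting the last copy, and old folders are only removed once a chosen number of newer ones exist, so a run made after an infection cannot replace your good copy. Names such as Snapshot and Prune, the folder naming and the eight-snapshot default are this example’s own choices.

```go
package main

import (
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"time"
)

// Snapshot folders are named after the time they were taken; names in this
// layout sort in date order, which Prune relies on.
const snapshotLayout = "2006-01-02_150405"

// Snapshot copies the tree under src into a new folder below destRoot (the
// external drive) and returns that folder. It never writes into a folder
// that already exists, so an earlier snapshot cannot be clobbered.
func Snapshot(src, destRoot string, now time.Time) (string, error) {
	dest := filepath.Join(destRoot, now.UTC().Format(snapshotLayout))
	if _, err := os.Stat(dest); err == nil {
		return "", fmt.Errorf("snapshot %s already exists; refusing to overwrite", dest)
	}
	err := filepath.WalkDir(src, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(src, path)
		if err != nil {
			return err
		}
		target := filepath.Join(dest, rel)
		if d.IsDir() {
			return os.MkdirAll(target, 0o755)
		}
		if !d.Type().IsRegular() {
			return nil // skip symlinks and other non-file entries
		}
		return copyFile(path, target)
	})
	if err != nil {
		return "", err
	}
	return dest, nil
}

// copyFile creates dst exclusively, so it fails rather than replacing a file.
func copyFile(src, dst string) error {
	in, err := os.Open(src)
	if err != nil {
		return err
	}
	defer in.Close()
	out, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
	if err != nil {
		return err
	}
	if _, err := io.Copy(out, in); err != nil {
		out.Close()
		return err
	}
	return out.Close()
}

// Prune deletes all but the newest keep snapshots under destRoot and returns
// the names it removed. Only folders named like snapshots are touched.
func Prune(destRoot string, keep int) ([]string, error) {
	entries, err := os.ReadDir(destRoot)
	if err != nil {
		return nil, err
	}
	var names []string
	for _, e := range entries {
		if _, perr := time.Parse(snapshotLayout, e.Name()); e.IsDir() && perr == nil {
			names = append(names, e.Name())
		}
	}
	sort.Strings(names)
	if len(names) <= keep {
		return nil, nil
	}
	removed := names[:len(names)-keep]
	for _, n := range removed {
		if err := os.RemoveAll(filepath.Join(destRoot, n)); err != nil {
			return nil, err
		}
	}
	return removed, nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: coldbackup <source folder> <backup drive folder>")
		os.Exit(2)
	}
	dest, err := Snapshot(os.Args[1], os.Args[2], time.Now())
	if err != nil {
		fmt.Fprintln(os.Stderr, "backup failed:", err)
		os.Exit(1)
	}
	removed, err := Prune(os.Args[2], 8) // keep the eight most recent snapshots
	if err != nil {
		fmt.Fprintln(os.Stderr, "prune failed:", err)
		os.Exit(1)
	}
	fmt.Printf("backed up to %s, removed %d old snapshot(s)\n", dest, len(removed))
}
```

Run it with your Documents folder and the drive letter as the two arguments, then unplug the drive. Keeping several dated copies is what makes the difference: if you only ever copy over one folder, a backup taken after the infection leaves you with nothing but encrypted files on the external drive as well.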
There are programs that can automate a lot of the local backup process. I am in the process of checking out several, and I’m planning on having one to recommend by my next blog post.
In the meantime, if you don’t already have an external drive, I recommend that you go get one. I just bought a Toshiba portable drive (1 terabyte) at Walmart for just $62. A drive that holds 1 TB should be big enough for just about everyone.
But please don’t ignore this or put it off. You need an automated online backup (I can set this up for you in about 10 minutes, through remote access). And thanks to CryptoLocker, you now need a local backup as well. Don’t let the bad guys catch you procrastinating.