Interesting new virus: Cryptolocker

Lsbcal

Virus checkers apparently won't yet help:
First, you see a red banner on your computer system, warning that your files are now encrypted — and if you send money to a given email address, access to your files will be restored to you.

The other sign you’ve been hit: you can no longer open Office files, database files, and most other common documents on your system. When you try to do so, you get another warning, such as “Excel cannot open the file [filename] because the file format or file extension is not valid,” as stated on a TechNet MS Excel Support Team blog.
The article on it is here: CryptoLocker: A particularly pernicious virus

The free newsletter from Windows Secrets is about the only newsletter I subscribe to and often mentions interesting things like this.

Another reason to back up regularly.
 
Sounds nasty.

Does it affect Mac OS-X, or Linux?

-ERD50
 
According to Wikipedia it may only be Windows: CryptoLocker - Wikipedia, the free encyclopedia

CryptoLocker is a program which attacks a computer by encrypting many types of data files in place, which makes them inaccessible, then displaying a message demanding payment (typically of $100 or $300, to be made via MoneyPak, Ukash, cashU or Bitcoin) within a certain period of time (typically 100 or 72 hours), with a promise to decrypt the files and restore the computer to working order on receipt.

... Some, reluctantly, accept that payment may be the only way to recover data[2]. Symantec reports that 3% of victims pay the ransom.[5] There are several variants of CryptoLocker with different ransom amounts and deadline times. People who have paid the ransom say that verification of payment can take three to four hours, after which the Cryptolocker starts decrypting files. This can take a considerable time. There have been some reports that the decryption process may display an error message stating that a particular file cannot be decrypted, although decryption does not stop and other files continue to be decrypted.
 
Sarcasm ? :LOL:

Just checking.
Well, Ok maybe a little....:cool:

The computers I manage for family are all Macs, mine is Linux. But I am replacing a bad Hard Drive for my DIL in her Windows HP Laptop, so I'll watch for this. Need to install Win7, if she can find her disks, else I guess they can be DL'd from MS or HP, I've got the key code on the MS sticker.

-ERD50
 
The original HP disk will be easier; it's self-activating, so you don't need the product key. The key on the sticker won't work without making a phone call to get the activation code.
 
This page is helpful.
Megacorp sent me something recently, a PDF file, trying to get me to click on it. That is the attack vector of CryptoLocker. A PDF that is actually an executable zip file.

I was tempted to click it and see what prize our security would send.
 
Another reason I'm not a fan of Bitcoin. Bitcoin is one of the accepted ransom payment methods.
 
The first article says that one method of infection is through browser Java. So I suppose even if this particular virus doesn't affect Macs/Linux, a similar one could in the future (if you don't turn off Java).

I usually have a couple backups of my files so the encrypted files would have to propagate to all of them before I was totally screwed. On the other hand, just having to check which files needed to be restored would be an immense pain (if one couldn't figure it out by date).
 
Another website (protect against)
Cryptolocker: How to avoid getting infected and what to do if you are - Computerworld

The virus is, of course, an executable attachment, but interestingly the icon representing the executable is a PDF file. With Windows' hidden extensions feature, the sender simply adds ".pdf" to the end of the file (Windows hides the .exe) and the unwitting user is fooled into thinking the attachment is a harmless PDF file from a trusted sender. It is, of course, anything but harmless.

The instructions are Greek to me... So I'm vulnerable.

Going to watch my emails little more closely... and just hope that guy in England was honest, and that I DID win the lottery.

snopes "take"
http://www.snopes.com/computer/virus/cryptolocker.asp
 
One thing I sure won't do is to send them any money. Even if they do free up your computer there is no guarantee they haven't left some type of keyboard recorder or other spyware on it.
 
I think what you referenced means that the nasty file is named something like: niceFile.pdf.exe
Since Windows does not usually show the ".exe" extension, the user might think he is getting to see a PDF file named "niceFile.pdf". Clicking on the file starts executing the (executable) file.
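The double-extension trick described above, as an added example that is not from this thread: a small Python check (my own code; the extension lists are an assumed, representative subset, not Windows' full set) that flags attachment names like niceFile.pdf.exe and shows what Explorer would display with "hide extensions for known file types" turned on.

```python
import os

# Assumed subset of extensions Windows runs directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Assumed subset of document/media extensions an attacker borrows to look harmless.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt", ".zip"}


def deceptive_attachment(filename):
    """Return a reason string if the name is an executable attachment, with a
    note when it borrows a document extension (e.g. 'invoice.pdf.exe'); else None."""
    name = filename.strip().lower()
    base, last = os.path.splitext(name)   # 'invoice.pdf', '.exe'
    if last not in EXECUTABLE_EXTS:
        return None
    _, inner = os.path.splitext(base)     # '', '.pdf'
    if inner in DOCUMENT_EXTS:
        return "executable %s disguised as %s" % (last, inner)
    return "bare executable attachment (%s)" % last


def displayed_name(filename):
    """What Explorer shows when known extensions are hidden: the final
    extension is dropped, so 'invoice.pdf.exe' is listed as 'invoice.pdf'."""
    return os.path.splitext(filename)[0]


def scan_attachments(names):
    """Map each suspicious attachment name to its reason; clean names are omitted."""
    findings = {}
    for n in names:
        reason = deceptive_attachment(n)
        if reason:
            findings[n] = reason
    return findings


# Constructed sample attachment names for the demonstration (not real samples).
SAMPLE_NAMES = ["Invoice_Oct27.pdf.exe", "report.pdf", "photo.jpg.scr",
                "setup.exe", "notes.txt"]

if __name__ == "__main__":
    for name, reason in scan_attachments(SAMPLE_NAMES).items():
        print("%-24s shown as %-18s -> %s" % (name, displayed_name(name), reason))
```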
 
Sounds a lot like the FBI MoneyPak virus. Cleaning one today for a friend.

The difference is that FBI MoneyPak (which I got a couple of months ago) doesn't really do anything. Cryptolocker actually encrypts your files and you lose them if you don't have a backup. Particularly nasty piece of work. It looks for standard extensions like .doc, .jpg, etc. If you get it, the first thing to do is shut down your internet connection to minimize the damage.

If anyone is interested, bleepingcomputer.com has a good write up on it. CryptoLocker Ransomware Information Guide and FAQ
 
One extremely simple backup technique I use on my Win 8 PC is to copy "My Documents" which has all my important data files to a removable hard drive under a folder like "Docs, Oct 27". Done weekly and it's only about 2GB so is fast. Does not include pictures, just data files.

This has helped in the past when I've accidentally munged a file and need to grab some data off the backup quickly. Or it would definitely help with so called ransomware.

Of course, I also do a standard Windows software backup too but the files then have to be restored by Windows.
 
I think the important part of this, from what I understood... is that any backup should not be connected, meaning that the virus has the capability of infecting any "connected" drive.

The solution in the "fixit" link was to insert program coding to block the virus... I know this was beyond my capabilities, and it looked as if the "block" would cause other problems in the operating system.

My current solution is to "hope I don't get tagged".... :blush: Am not smart enough to understand this. Just hoping that because the virus has not been at the top of the news, the infection is limited.

Am keeping my 2T drive unplugged except when I'm using it.

This whole problem seems like the African Pirate ships... holding hostages. Thought the part about the Hackers having integrity because they would be honest and clean your system after you paid the ransom... was extremely funny.
 
Yep, the removable part of the backup is key. My main concern is a burglary where the guy takes my PC. I want the backup to be out of easy access. OK, if it's the CIA I'm hosed. :)

I think the argument for the hackers fixing things once the ransom is paid is that if they do this, the word will get out that the payment is a true fix. If they don't do the fix then people will stop paying. Seems like a strange world nowadays. Still not as bad as Stalin or Hitler. :rolleyes:
 
I really don't understand why you can't have the registry and startup sections locked on your computer in such a way that it requires a password before files can be written or changed there.

All of these viruses put stuff in the registry and startup sections.

Maybe this would be a good business product?
 
Does the computer get infected automatically if you click on an email link, or do you have to run and install the exe program? I delete anything with an unknown exe program, but if the computer gets infected just by calling up the email, it is much trickier to avoid infection.
 
Well, believe it or not, at least there is customer service from the crooks :blush::

Within the past few days, the criminal gang behind CryptoLocker created a site for people who need help making their required extortion payments.

Source: CryptoLocker
"These guys have some big cojones," said security expert Brian Krebs, who writes the KrebsOnSecurity blog.

The CryptoLocker Decryption Service enables victims to check the status of their "order" (the ransom payment) and complete the transaction. Yes, you are reading this correctly!

CryptoLocker crooks launch 'customer service' site
 
My solution to any malware attack is to keep a regularly updated clone of my hard drive.
No matter what happens to my computer, I can have a fresh drive in just a few minutes. Problem solved.
 