There’s a new computer virus making its way through the virtual world, and it not only locks up your files, it forces you to pay a ransom in order to get them back.
It’s called CryptoLocker, and it’s a kind of ransomware circulating the globe. International law enforcement isn’t sure where it’s coming from, but they are well aware of the impact it’s having on computer users.
Britain’s National Crime Agency (NCA) has issued an “urgent alert” to computer users about the threat posed by the CryptoLocker malware.
A CryptoLocker attack may come from various sources; one such is disguised as a legitimate email attachment. When activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware’s control servers. The malware then displays a message which offers to decrypt the data if a payment is made by a stated deadline, and says that the private key will be deleted and unavailable for recovery if the deadline passes. If the deadline is not met, the malware offers to decrypt data via an online service provided by the malware’s operators, for a significantly higher price.
Although CryptoLocker itself is readily removed, files remain encrypted in a way which researchers have considered infeasible to break. Many say that the ransom should not be paid, but do not offer any way to recover files; others say that paying the ransom is the only way to recover files that had not been backed up.
The CryptoLocker popup directs you to what’s called a virtual currency website, in this case one called Bitcoin, where users pay real money for virtual money. The hackers can then anonymously access that virtual money and use it online just like the real thing.
While security software is designed to detect such threats, it might not detect CryptoLocker at all, or only after encryption is underway or complete, particularly if a new version unknown to the protective software (a zero-day exploit) is distributed. If an attack is suspected or detected in its early stages, it takes some time for encryption to take place; immediate removal of the malware (a relatively simple process) before it has completed would limit its damage to data. Experts suggested precautionary measures, such as using software or other security policies to block the CryptoLocker payload from launching.
Due to the nature of CryptoLocker’s operation, some experts reluctantly suggested that paying the ransom was the only way to recover files from CryptoLocker in the absence of backups (in particular, offline backups that are inaccessible from the network, or from a continuous data protection system such as Windows’ Shadow Copy mechanism). Due to the length of the key employed by CryptoLocker, they considered it practically impossible to use a brute-force attack to obtain the key needed to decrypt files without paying; the similar 2008 worm Gpcode.AK used a 1024-bit key that was believed to be large enough to be computationally infeasible to break without a concerted distributed effort, or the discovery of a flaw that could be used to break the encryption.
In late October 2013 security vendor Kaspersky Labs reported that a DNS sinkhole had been created to block some of the domain names used by CryptoLocker.
On November 6, a police computer in the town of Swansea, Massachusetts, was infected by the malware, and the cops called in the FBI to investigate. However, in order to get access to the system the baffled coppers decided that it would be easier to pay the ransom of 2 BTC, then worth around $750, and received the private key to unlock the computer’s data on November 10.
“It was an education for [those who] had to deal with it,” Swansea police lieutenant Gregory Ryan told the Herald News. “The virus is so complicated and successful that you have to buy these Bitcoins, which we had never heard of.”
Ryan said that essential police systems weren’t affected by the infection, and federal agents are still investigating the infection, hopefully to find clues that’ll lead the Feds to the malware’s writer. The software nasty is thought to have been the work of Eastern European criminal gangs, but no one knows for sure.
“The virus is not here anymore,” Ryan said. “We’ve upgraded our antivirus software. We’re going to try to tighten the belt, and have experts come in, but as all computer experts say, there is no foolproof way to lock your system down.”
Cryptolocker is a serious threat. If you’re unlucky enough to have your computer infected by it, and haven’t taken precautions, you may find yourself in the unpleasant situation of having to choose whether to pay the ransom, or never gain access to your data again.
That means you’re saying goodbye to your family photographs, and any other personal data you have amassed over the years. If you’re a business then the potential losses could be even more significant.
The answer is three-fold.
- Firstly, protect your computer from becoming infected by keeping it up to date with anti-virus and security patches. Also be cautious of opening unsolicited email attachments or clicking on unknown links. If you are security savvy you can reduce the chances of being hit by a threat like CryptoLocker.
- Secondly, consider setting a software restriction policy on your Windows PCs that prevents executables from running from certain locations on your hard drive.
- Finally, for goodness’ sake, make backups of your important data and keep them separate from your computer (to prevent malware like CryptoLocker from encrypting your backups as well). That way, if the worst does happen, you should be able to restore your valuable data and not pay up to the crooks.
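One way to put the second recommendation into practice, as an added PowerShell example that is not part of the original article: it writes Software Restriction Policy path rules that mark executables launched from the per-user AppData folders as Disallowed, and reads them back for auditing. It assumes an elevated session on a Windows edition that supports SRP; the blocked patterns and the description string are constructed here.

```powershell
# Added example (not from the article): Software Restriction Policy path rules that
# block executables in the AppData folders CryptoLocker-style droppers run from.
# Assumes an elevated PowerShell session on a Windows edition with SRP support.
$SaferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level: matching files may not run
$Unrestricted = 0x40000  # SRP security level: default for everything unmatched

# Constructed patterns; %AppData% and %LocalAppData% are expanded by SRP at
# evaluation time, so one rule covers every user profile on the machine.
$BlockedPatterns = @(
    '%AppData%\*.exe',          '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',     '%LocalAppData%\*\*.exe',
    '%LocalAppData%\Temp\*.exe','%LocalAppData%\Temp\*\*.exe'
)

function Enable-SaferPolicy {
    # Baseline: default Unrestricted, rules apply to all users including admins
    # (PolicyScope 0), enforce on executables but not DLLs (TransparentEnabled 1)
    # so legitimate applications keep loading their libraries.
    if (-not (Test-Path $SaferRoot)) { New-Item -Path $SaferRoot -Force | Out-Null }
    Set-ItemProperty -Path $SaferRoot -Name 'DefaultLevel'       -Value $Unrestricted -Type DWord
    Set-ItemProperty -Path $SaferRoot -Name 'TransparentEnabled' -Value 1             -Type DWord
    Set-ItemProperty -Path $SaferRoot -Name 'PolicyScope'        -Value 0             -Type DWord
}

function Add-SaferPathRule {
    param([string]$Pattern, [string]$Description)
    # Each rule is a GUID-named subkey under <Level>\Paths; ItemData holds the pattern.
    $ruleKey = Join-Path $SaferRoot "$Disallowed\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name 'ItemData'     -Value $Pattern     -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name 'SaferFlags'   -Value 0            -Type DWord
    Set-ItemProperty -Path $ruleKey -Name 'Description'  -Value $Description -Type String
    Set-ItemProperty -Path $ruleKey -Name 'LastModified' -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

function Get-SaferDisallowedPaths {
    # Read back every Disallowed path rule so the deployed policy can be audited.
    $paths = Join-Path $SaferRoot "$Disallowed\Paths"
    if (-not (Test-Path $paths)) { return @() }
    Get-ChildItem $paths | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
}

Enable-SaferPolicy
foreach ($p in $BlockedPatterns) {
    if ($p -notin (Get-SaferDisallowedPaths)) {
        Add-SaferPathRule -Pattern $p -Description 'Block executables in AppData (ransomware mitigation)'
    }
}
Get-SaferDisallowedPaths   # list the active Disallowed patterns
```

Test the policy on a spare machine first: a legitimate program that installs into AppData will also be blocked, and needs its own Unrestricted rule (a subkey under `262144\Paths`) before rollout.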