**CryptoLocker news**

Posted 2013-12-19 at https://mikemartinezonline.com/blog/2013/12/19/cryptolocker-news/

Okay folks, here we go again. More ransomware is spreading and it can hit you. [Ransomware is a class of malware that restricts access to the computer it infects and demands a ransom, paid to the malware's creator, to have the restriction removed. Some forms of ransomware encrypt files on the system's hard drive (cryptoviral extortion), while others simply lock the system and display messages intended to coax the user into paying.]

Ransomware, malware that encrypts your data and tries to sell it back to you, or else, is not new. In fact, one of the earliest pieces of malware written specifically to make money, rather than simply to prove a point, was the AIDS Information Trojan of 1989. That Trojan scrambled your hard disk after 90 days and instructed you to send $378 to an accommodation address in Panama.

Enter the latest menace: **CryptoLocker**. If you have become seriously infected and do not take IMMEDIATE remedial steps, there is, sadly, not much you can do [unless you have full 'offline' backups, as I am always ranting about] but pay up!

This is finally getting some much-needed attention from the press. Here is a recent [short article](http://boston.cbslocal.com/2013/12/18/cryptolocker-ransomware-being-described-as-the-perfect-crime/). A Google search will turn up hundreds more.

**The endgame is the same in all cases: if you have a reliable and recent backup, you'll have a good chance of recovering without too much trouble.**

**Prevention, in this case, is significantly better than cure:**

- **Stay patched. Keep your operating system and software up to date.**
- **Make sure your anti-virus is active and up to date.**
- **Avoid opening attachments you weren't expecting, or from people you don't know well.**
- **Make regular backups, and store them somewhere safe, preferably offline.**

**Don't forget that services that automatically synchronise your data changes with other servers, for example in the cloud, don't count as backup!!**

**They may be extremely useful, but they tend to propagate damage rather than defend against it: an encrypted file is synced to the server just like any other change.**

**What is CryptoLocker**

**CryptoLocker** is a ransomware program, released around the beginning of September 2013, that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. This ransomware encrypts certain files using a mixture of RSA and AES encryption (the files are encrypted with AES, and the AES key is in turn encrypted with an RSA public key whose private half never leaves the attackers' server). When it has finished encrypting your files, it displays a CryptoLocker payment program that prompts you to send a ransom of either $100 or $300 in order to decrypt the files. This screen also displays a timer stating that you have 72 hours, or 4 days, to pay the ransom or it will delete your encryption key and you will have no way to decrypt your files. The ransom must be paid using MoneyPak vouchers or Bitcoins. Once you send the payment and it is verified, the program will decrypt the files that it encrypted.

**How do you become infected with CryptoLocker**

**This infection is typically spread through emails sent to company email addresses that pretend to be customer-support-related issues from Fedex, UPS, DHS, etc. An unsuspecting computer user will either get an email purporting to be from their bank, friends, Facebook or a host of other fake senders, or be asked to click on a pop-up in a website. The person thinks it's legitimate, clicks on it, and before they know it the virus is installed on their computer and encrypts their data. The person is then given a time period, for instance 72 hours, to make a payment in exchange for the key to decrypt all the data. Refuse and the data on the hard drive will be gone forever.**

These emails contain a zip attachment that, when opened, infects the computer. The zip files contain executables disguised as PDF files: they carry a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. **Since Windows hides known file extensions by default, they look like normal PDF files and people open them.**

Please make sure that your antivirus/anti-malware software and systems are up to date. And for Pete's sake do NOT open attachments from the likes of those listed. IF you think you need to track something, go to the 'front door' of the shipping company or bank and log in/track there.

**Once YOU infect yourself (yes, it is an action taken by the user that starts the infection!!)** **[Like any other piece of malware, common sense goes a long way. The critical thing is that it's not going to install files by itself. You have to initiate some action.]** **you will soon probably see a screen that looks like this:**

[Image: the CryptoLocker payment screen, https://mikemartinezonline.com/blog/wp-content/uploads/2013/12/CryptoLocker-thmb.jpg]

Examples of known CryptoLocker email subjects include:

- USPS - Your package is available for pickup ( Parcel 173145820507 )
- USPS - Missed package delivery ("USPS Express Services" <service-notification@usps.com>)
- USPS - Missed package delivery
- FW: Invoice <random number>
- ADP payroll: Account Charge Alert
- ACH Notification ("ADP Payroll" <*@adp.com>)
- ADP Reference #09903824430
- Payroll Received by Intuit
- Important - attached form
- FW: Last Month Remit
- McAfee Always On Protection Reactivation
- Scanned Image from a Xerox WorkCentre
- Scan from a Xerox WorkCentre
- scanned from Xerox
- Annual Form - Authorization to Use Privately Owned Vehicle on State Business
- Fwd: IMG01041_6706015_m.zip
- My resume
- New Voicemail Message
- Voice Message from Unknown (675-685-3476)
- Voice Message from Unknown Caller (344-846-4458)
- Important - New Outlook Settings
- Scan Data
- FW: Payment Advice - Advice Ref:[GB293037313703] / ACH credits / Customer Ref:[pay run 14/11/13]
- Payment Advice - Advice Ref:[GB2198767]
- New contract agreement.
- Important Notice - Incoming Money Transfer
- Notice of underreported income
- Notice of unreported income - Last months reports
- Payment Overdue - Please respond
- FW: Check copy
- Payroll Invoice
- USBANK
- Corporate eFax message from "random phone #" - 8 pages (random phone # & number of pages)
- past due invoices
- FW: Case FH74D23GST58NQS
- Symantec Endpoint Protection: Important System Update - requires immediate action

**What should you do when you discover your computer is infected with CryptoLocker**

**When you discover that a computer is infected with CryptoLocker, the first thing you should do is disconnect it from your wireless or wired network. This will prevent it from further encrypting any files. Some people have reported that once the network connection is disconnected, it will display the CryptoLocker screen.**

**Users who are infected with the malware should IMMEDIATELY consult a reputable security expert to assist in removing the malware, and should NOT attempt to mitigate or in any way try to 'fix' the issue themselves. This will only ensure the loss of data!!**

It is not advised that you remove the infection from the %AppData% folder until you decide whether you want to pay the ransom. If you do not need to pay the ransom, simply delete the Registry values and files and the program will not load anymore. You can then restore your data via other methods.

It is important to note that the CryptoLocker infection spawns two processes of itself. If you terminate only one process, the other will automatically launch it again. Instead, use a program like [Process Explorer](http://live.sysinternals.com/procexp.exe), right-click on the first process and select **Kill Tree**. This will terminate both at the same time.

**Is it possible to decrypt files encrypted by CryptoLocker?**

Unfortunately, at this time there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom. Brute-forcing the decryption key is not realistic due to the length of time required to break the key. Also, any decryption tools that have been released by various companies will not work with this infection. The only method you have of restoring your files is from a backup, or from Shadow Volume Copies if you have System Restore enabled. Newer variants of CryptoLocker attempt to delete the Shadow Copies, but they are not always successful. **There are methods that can/may be used to recover your 'Shadow Copies', but this often requires an expert.**

**If you do not have System Restore enabled on your computer or reliable backups, then you will need to pay the ransom in order to get your files back.**

So to summarize: the very first line of defense is good computing common sense and usage. Second is my usual mantra: **FULL IMAGE BACKUPS ON A REGULAR BASIS TO EXTERNAL/REMOVABLE MEDIA. I can't say this enough. And I'm sure to get the calls from folks who are screwed.** I sympathize, a little anyways.

Okay, end rant. Be safe. Peace all.