CryptoLocker Critical Security Alert

Critical Security Alert


Please be advised that Alvaka Networks is notifying its clients and partners of a particularly malicious and destructive form of malware, or “ransomware”, referred to as CryptoLocker.

Whereas the vast majority of malware is written to stealthily replicate with minimal impact to users, CryptoLocker is specifically designed to extort money from its victims. If a “ransom” demand is not paid within 96 hours, the users’ files are irrevocably lost.

When a computer is infected with CryptoLocker, its files are encrypted, and there are only two methods to recover the files:

  1. Recover the files from a backup system, or
  2. Pay a ransom ranging from $300 to $2,100 per computer

When the ransom is paid, the criminals will forward a unique encryption key which can be used to decrypt the files. However, this key is deleted and not available after 96 hours, which effectively renders the encrypted files permanently lost.

We must emphasize that, once a system is infected with CryptoLocker, there are no other known remediation methods available.  Disk recovery services will not work.  Attempting to “clean” the infection with anti-virus software will not work, and may actually prevent a ransom-purchased encryption key from functioning.  Brute-force decryption is not feasible given the length of the encryption key.  Resetting the computer time to an earlier date will not work.


Recommendations to prevent CryptoLocker infections

1. Instruct users not to open attachments from unexpected e-mails. The malicious e-mails appear to be customer-support related messages from trusted names such as FedEx, DHL, UPS, etc., or they appear to be related to wire transfers. These messages are very deceptive and are tricking experienced users who are not usually fooled.

2. Configure e-mail systems and spam filters to block e-mails containing .zip and .exe attachments. Note: even if corporate e-mail systems are configured to block these attachments, users can still receive infected e-mail from web-based personal e-mail systems such as Gmail and Hotmail.

3. Create Software Restriction Policies that block executable programs from running when they are located in specific paths. For more information, please see these articles from Microsoft.

4. Avoid mapping network shares to drive letters. CryptoLocker does not encrypt data on network shares that are reached only through UNC paths.

5. Confirm your data backups are recoverable.
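One way to put recommendation 3 in place on a single workstation, as an added example that is not from the Alvaka alert or from the Microsoft articles it refers to. The registry layout is the standard Software Restriction Policy one; the blocked paths and the rule description are assumptions chosen for illustration and should be piloted before deployment.

```powershell
# Added example (not from the Alvaka alert): a registry-based Software Restriction
# Policy that disallows executables launched from user-writable profile locations,
# the places where an attachment unpacked from a .zip typically ends up running.
# ASSUMED: the blocked paths below are illustrative; pilot them before rolling out.
# Run in an elevated PowerShell session; newly started processes honor the rules.

$saferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed   = 0        # SRP security level "Disallowed"
$unrestricted = 262144   # 0x40000, SRP security level "Unrestricted"

# Assumed rule set: block .exe directly in, or one level below, the roaming and
# local AppData folders. Legitimate software that installs under AppData needs an
# explicit Unrestricted path or hash rule added as an exception.
$blockedPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe'
)

function Set-SrpBasePolicy {
    # Default level stays Unrestricted so that only the explicit path rules block.
    New-Item -Path $saferRoot -Force | Out-Null
    Set-ItemProperty -Path $saferRoot -Name 'DefaultLevel'       -Value $unrestricted -Type DWord
    Set-ItemProperty -Path $saferRoot -Name 'TransparentEnabled' -Value 1 -Type DWord  # all software files except DLLs
    Set-ItemProperty -Path $saferRoot -Name 'PolicyScope'        -Value 0 -Type DWord  # all users, administrators included
}

function Add-SrpDisallowedPath([string]$Path) {
    # Each rule is a GUID-named subkey under the Disallowed level's Paths container.
    $ruleKey = Join-Path $saferRoot ("$disallowed\Paths\" + [guid]::NewGuid().ToString('B').ToUpper())
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name 'ItemData'     -Value $Path -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name 'SaferFlags'   -Value 0 -Type DWord
    Set-ItemProperty -Path $ruleKey -Name 'Description'  -Value 'Block executables in user-writable profile paths' -Type String
    Set-ItemProperty -Path $ruleKey -Name 'LastModified' -Value ((Get-Date).ToFileTime()) -Type QWord
}

function Get-SrpDisallowedPaths {
    # Read back what is actually enforced, for verification or audit.
    Get-ChildItem -Path (Join-Path $saferRoot "$disallowed\Paths") -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
}

Set-SrpBasePolicy
foreach ($p in $blockedPaths) { Add-SrpDisallowedPath -Path $p }
Get-SrpDisallowedPaths
```

In a domain the same rules are better delivered through Group Policy (Computer Configuration, Windows Settings, Security Settings, Software Restriction Policies) rather than edited locally on each machine.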

What to do if you are infected by CryptoLocker

The following banner is displayed to users when their systems become infected with CryptoLocker.

If a system is infected, it is recommended that you:

1. Immediately disconnect the system from the network.

2. Turn off the system.

3. Contact an IT Security Professional.

4. Do not attempt to clean the system using antivirus software. Doing so may prevent you from decrypting the files should you opt to pay the ransom.

If you require immediate assistance to recover or protect your system from CryptoLocker, call (949) 428-5000 or e-mail Cryptolocker@alvaka.net.