What is CryptoLocker Ransomware?

cryptolocker1

What is CryptoLocker?

CryptoLocker is a new form of computer virus called “ransom-ware” that encrypts or “locks” files on a user’s computer and then attempts to extort money from the user in return for “unlocking” access to the users’ files.

What does it do?

CryptoLocker searches through a computer (and any attached networks or external storage devices) looking for specific common file types such as .doc, .docx, .xls, .xlsx, .pst, .jpg, etc…

CryptoLocker then encrypts the files, rendering the files inaccessible to the user. The virus creates a pop-up screen that prompts the user to pay a ransom of $300.00 within 72 hours to decrypt the files. If the user does not pay within 72 hours, the files will be encrypted forever.*

How would I get infected?

CryptoLocker is typically spread through email attachments and website drive-by-downloads. A
“drive-by-download” occurs when websites infected with malware try to install the virus when you visit the site by exploiting a security flaw in either your browser software or Java software. Another method of transmission occurs when spoof emails that appear to be from companies such as UPS, FedEx, and DHL ask the user to open an attachment related to the information in the email. Once the user opens the attachment the virus is installed on the computer.

How can I avoid becoming infected?

  • Do not open any email attachments. If the email attachment is from someone you know, confirm they sent the attachment before opening.
  • Install anti-virus software on your computer, make sure it is running and keep the anti-virus software updated.
  • Stay up-to-date on software patches.
  • If you do not need Java software, it is a good idea to uninstall it.

How can I limit the damage of an infection?

Backups are the most important part of preventing total data loss with a CryptoLocker infection. An offline backup such as an external hard drive will be able to restore earlier versions of your files if they become encrypted. It is important to keep your external drive unplugged from the computer when you are not actively backing up files as the virus will attempt to encrypt files on any connected storage device.

What do I do if I am infected?

  • If you receive the CryptoLocker ransom screen disconnect your computer from the network to stop the spread of the virus.
  • Do not pay the ransom. Paying the ransom only rewards the criminals and provides no incentive to cease their activities. It may seem like a small amount of money but there is no guarantee that if you pay you will be able to decrypt your data.
  • Contact the Service Desk 617-373-4357. The Service Desk will assist in removing the virus from your computer and try to help in recovering your files.*

*Unfortunately at this time no one has been able to break the encryption rendering the files permanently unreadable. We will update this document with any developments on recovering data from the encrypted file.

What is Northeastern doing to prevent this infection?

  • All email to and from faculty and staff email accounts are scanned for viruses. We actively block .exe attachments and zip archives that contain .exe files.
  • All NUnet imaged computers are protected with Symantec Endpoint Protection anti-virus software.
  • HuskyMail, a product of Gmail, blocks all .exe attachments and zip archives containing .exe files.
  • All students are able to download Symantec anti-virus for free from the myNEU portal.
  • Contact the Service Desk 617-373-4357 for guidance and assistance for choosing and using an offline backup solution.

More Information

Sophos: CryptoLocker ransomware – see hot it works, learn about prevention, cleanup and recovery

Bleeping Computer: CryptoLocker Ransomware Information Guide and FAQ

This entry was posted in Java, Malware, Anti-Virus, Phishing, Scams, Safe Computing. Bookmark the permalink. Both comments and trackbacks are currently closed.