Submitted by Ken Dwight on
One of the most widespread pieces of malware making the rounds these days is an updated version of a payload that first appeared quite a few years ago. This malware, known as CryptoLocker, is a form of "ransomware," a program that holds the user's data files hostage until that user pays to have those files released. I wrote about this type of malware in my book, Bug-Free Computing: Stop Viruses, Squash Worms, and Smash Trojan Horses, original Copyright 2005. But CryptoLocker is a much more sophisticated variant of this attack.
All of the major anti-virus software vendors are aware of CryptoLocker, and many have written about it. There has also been a lot of misinformation and bad advice on the subject from various sources, even some that would normally be considered reputable. Rather than attempt to reinvent this wheel here, I will offer my general observations and recommendations, followed by a link to a blog post that I believe does an excellent job of presenting the facts about CryptoLocker.
When CryptoLocker infects a computer, it finds all of the data files on that machine and encrypts them so that the user can no longer read those files. In most cases files on network drives and other attached devices such as external hard drives and USB thumb drives are also encrypted. The encryption is done in such a way that the only way the files can be decrypted, and thus made readable again by the user, is to buy the encryption key from the producer of the malware. When this infection first appeared the cost of that key was $100 U.S. Most recent variants have increased that cost to $300.
Removing the malware itself is not difficult, but here is where the difficult decision comes into play. Once the malware is removed, there is no possibility of decrypting those files; they will be lost forever. On the other hand, most reports to date indicate that payment of the "ransom" does, in fact, allow the files to be decrypted and returned to their original condition. By most accounts this is a fairly time-consuming process, but it seems to produce the desired results.
It's difficult (and distasteful) to recommend paying this ransom, for several reasons. The obvious reason is my unwillingness to reward the criminals for this behavior. Further, there is no guarantee that payment of the ransom will, in fact, decrypt the files. And there is no recourse if the solution doesn't work. For that matter, there is nothing to prevent them from staging another attack on that same computer at a future date. And it's highly likely that they maintain (and sell) a list of those individuals and organizations who have paid the ransom, making them targets of additional demands in the future.
On the other hand, I realize that your data files are probably worth much more than $300 to you, and understand that you may consider this to be a small price to pay for allowing your computer to become infected by this malware. Only you can decide what is in your long-term best interest in this regard.
A far better solution is to have a good backup plan in place, to automatically back up all of your data files on a regular basis (at least daily), so that you can recover from this type of attack without having to support the criminal enterprises that produce and spread this malware. It should go without saying that the normal security precautions are even more important than ever. It is critical that you apply all Windows Updates as soon as possible after they are released, use a reputable, business-class Internet Security suite and keep it updated, and keep ancillary programs such as Java, Adobe Reader, Flash, and Shockwave current as well.
The usual precautions about "safe computing" certainly apply here too. Some CryptoLocker infections are known to have originated from infected attachments in e-mail messages, mostly .zip files. So be careful about opening any attachments, even those that appear to come from individuals or organizations you know and trust. It's also prudent to have your anti-virus program scan your computer every day, to increase the likelihood of finding an infection that eluded the defenses of your Internet Security software.
The British anti-virus software firm Sophos published a blog post with more details of this malware. The post is fairly concise but complete, and surprisingly readable. If you want more details of CryptoLocker, you may read that blog post here: http://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/?utm_source=Naked+Security+-+Sophos+List&utm_medium=email&utm_campaign=d16559e000-naked%252Bsecurity&utm_term=0_31623bb782-d16559e000-418503305.
For your sake I hope this is an academic exercise for you, and not an infection you are actually facing. CryptoLocker is that rare case where, once infected, even The Virus Doctor can't save you!