Defending Against Cryptolocker

Defense Against Cryptolocker | Blog | TechOnsite

What would you do in a situation where someone was holding all of your data hostage unless you paid their demanded fee? It seems like a far-fetched idea that someone could get into your computer, make your data inaccessible and then request that you send them money. Unfortunately, this is a very possible situation to land in with ransomware, and more specifically, the Cryptolocker virus.

Cryptolocker is a form a ransomware that in a way, holds your data hostage. This is accomplished by first infecting your computer. This is achieved by the victim opening an emailed zip file which contains an EXE file disguised as a PDF. The Trojan then saves itself to a folder in the user’s profile, adds a key to the registry to ensure it runs on startup, and then begins two processes; one main process that begins the file encryption, the other attempts to ensure the main process isn’t stopped. The files stored on any local or network drives on the computer are then encrypted. The only person who then has access to these files is the creator/sender of the virus who has the RSA public key. The only way to retrieve your affected files is to pay the ransom and get the key.

Cryptolocker was first seen in 2013 where it began spreading through infected email attachments. At the time, the source of the virus came from a botnet, which is essentially a collection of internet connected computers working together to perform repetitive tasks. In May of 2014, the source of the virus was found during Operation Tovar, which was the collaboration of law enforcement agencies across the world to take down the Gameover ZeuS botnet. During the operation, the public keys for all the infected computers were found and then used to build an online tool for recovering encrypted files without paying the fee.

Sadly, this Trojan is not quite locked away in the history books. Due to the immense success of Cryptolocker, many copies of the virus emerged. Today, whenever someone gets the Cryptolocker virus, they are actually referring to a copy of the original Gameover ZeuS spawned virus.

Even after all this time, there is very little you can do once you have been infected with Cryptolocker virus. Virus protection programs can detect the Trojan before it infects the computer, but it is very possible for the virus to get through without detection. If you see that your computer has been infected with the virus, immediately disconnect the device from the network. This will prevent any network drives from being infected and ensure any cloud storage isn’t overwritten with the infected data. At this point you’ll just have to accept that you have been infected and make your choice on whether to pay the ransom or not. There are many documented cases of people gaining the public key once they pay the ransom. There are also many cases where individuals paid the fee and never received a key. So unless you want to be at the will of the criminals, I’d recommend you remove the virus and cut your losses.

The only sure way of guaranteeing you don’t lose any data is to perform regular backups. Windows also has a service called Volume Shadow Copy that can be helpful in restoring your files to a previous version when the data wasn’t encrypted.

While undoubtedly devastating, the Cryptolocker virus can easily be defeated by a quick virus removal and consistent backups.

The Latest in TechInsights

Cybersecurity Awareness Month | TechOnsite | Newsletter Blog

Cybersecurity Awareness Month

October is Cybersecurity Awareness Month Cybersecurity Awareness Month is a global initiative launched in 2004 that educates businesses and individuals

Share:

Scroll to Top