Threat Alert: Cryptolocker
Cryptolocker Eats Your Files!
A new trojan threat has been spreading through the Internet through various means: malicious emails, infected webpages, and infected file downloads. The damage can be quite extensive, as this trojan, called Cryptolocker, encrypts all your data files – both on your hard drive and on any accessible drive – so that you can no longer access your data unless you pay a “ransom” of $100-300 to an unknown entity.
What Happens to Your Data:
Cryptolocker encrypts all the files it can find that match a list of extensions, covering file types such as Word, Excel, and many more. Additionally, Cryptolocker will encrypt these files on your hard drive and on all external drives to which you have access – whether plugged into your local computer, available on the network, or even a thumb drive in a USB port.
After, Cryptolocker has infected your machine, a banner like the one below may be displayed:
What This Means for Users:
If you see the popup window requesting payment, indicating that you have been infected, your files are already encrypted. Although the trojan says you can pay the “ransom” and retrieve your files, users who have been desperate enough to pay report that they never received a key to recover their files. Immediately disconnect your computer from the Internet or turn it off, and contact your ITS representative. Due to the nature of encryption, there is no way to recover encrypted data, and even paying the ransom will not recover your files.
How to Prevent This from Happening to You:
- •NEVER open an email or attachment from someone that you do not know or trust; confirm with them via phone that the attachment is legitimate.
- •Never open a file ending in “.exe” from anyone.
- •Do not download or open files from third-party websites; instead, always go straight to the developer’s website. For example, don’t get an update for Adobe from any location except adobe.com.
- •Back up your data! Back up your data at least once a day, and then disconnect or remove your backup drive from your computer. If you happen to be a victim of the Cryptolocker virus, your backup drive will be safe as long as it is not connected to your computer. If you need help implementing a backup solution for your system, or if you’re unsure of your backup process, please contact your ITS representative.
How It Works:
CryptoLocker uses what is called a public key encryption to encrypt the files on your hard drive.
The image above, from Loyola University in Chicago, shows how public key encryption works: a public key is used to encrypt the data, and a private, secret key is used to decrypt the data. The trojan uses this entity’s public key to encrypt your files, and only their private, secret key, which they want you to pay for, can decrypt it. The trojan doesn’t lock you out right away – you’re usually given 72 hours to “buy” your data back before the private key is destroyed. However, since the files are already encrypted at this point, it’s too late.