Three weeks ago I received an email from a close relative, forwarded on several times, warning about a terrible virus that would destroy your computer. Instinctively I thought it was a hoax, but I emailed the sender who turned out to be an IT engineer and the threat was legit.
From his email:
Yes, it’s a serious concern – devastating payload and high rate of infection. Possibly the most ‘evil’ virus I’ve seen in 23 years of IT.
The virus was recently named CryptoLocker. When an unwitting user opens the infected attachment, the virus looks for documents, data files for accounting software, photos and applications on the computer and encrypts them so that they cannot be opened without the decryption key.
A pop-up window with a 100-hour countdown begins and you’re given details how to pay the ransom, which typically ranges between $100 and $700.
If the money is paid before the timer is up, a key is supplied to decrypt the files. If payment is not made, the key is destroyed and those files are lost forever, according to a security software blog.
Early signs suggest that this will be one of the big viruses that sweep across the world every couple of years. CryptoLocker evades several brand-name anti-virus programs. Variants encrypt not just the files on your computer but those on mapped network drives and attached external hard drives, including any backups stored there. And the virus is selective: it targets file types it knows are valuable, such as RAR archives, EXE files for launching applications, JPG photos and MYOB data files.
What does CryptoLocker look like?
Sydney-based IT services company IT and C has been warning its clients for several weeks about CryptoLocker and has helped home users and businesses recover from the attack.
CryptoLocker often targets accounts departments by sending email to accounts@xxx.com addresses with a ZIP attachment. The attachment name has varied each time, but has so far been named in a way that would suggest it is a legitimate email for an accounts role, e.g. “tax_invoice380.zip”, said Josh Leisk of IT and C in an email sent on October 12.
“The virus inside that zip file has so far at least partially evaded 5 different antivirus products over the last few days, including all of the Tier-1 products,” he said.
Other reports say that the virus arrives as an infected voicemail message attached to an email.
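The attachment pattern described above can be checked mechanically before a message reaches an accounts mailbox. What follows is an added example, not code from IT and C or from this article: it opens a ZIP attachment without extracting it, flags members whose name ends in an extension Windows will run, flags the "document.pdf.exe" double-extension trick (Explorer hides known extensions by default, so such a file displays as "document.pdf"), and also reads the first two bytes of every member so that an executable renamed to look like a document is still caught by its "MZ" header. The extension lists, the member limit and the sample archive are assumptions; the archive is constructed here in the shape of the lure described and is not a real CryptoLocker sample.

```python
import io
import zipfile

# Extensions Windows will execute on double-click (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a lure borrows to look like a document (assumed list).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".rtf"}
MAX_MEMBERS = 1000  # stop walking absurdly large archives (assumption)


def classify_member(name: str, head: bytes) -> list:
    """Return the reasons one archive member looks like an executable lure.

    `head` is the first two bytes of the member's content; a Windows PE file
    always starts with the DOS "MZ" signature, whatever it is called."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension " + ext)
        if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
            shown = ".".join(parts[:-1])
            reasons.append("double extension, displays as %r with extensions hidden" % shown)
    if head.startswith(b"MZ") and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append("PE header in a member named like a document")
    return reasons


def inspect_zip(zip_bytes: bytes) -> dict:
    """Map each suspicious member name to its list of reasons.

    Only two bytes of each member are inflated, so a zip bomb is never
    expanded in full. Nested archives are not descended into."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist()[:MAX_MEMBERS]:
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample archive shaped like the lure described in the article.

    The "MZ" stubs are fake PE headers, not executable code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("tax_invoice380.pdf.exe", b"MZ" + b"\x90" * 64)  # double extension
        zf.writestr("invoice.pdf", b"MZ" + b"\x90" * 64)             # renamed executable
        zf.writestr("cover_letter.txt", b"Please find your tax invoice attached.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member_name, why in inspect_zip(build_sample_attachment()).items():
        print(member_name, "->", "; ".join(why))
```

Run at a mail gateway, any non-empty result is grounds to quarantine the message rather than deliver it to the accounts mailbox. The content check matters as much as the name check: an anti-virus engine that only matches known samples can miss a fresh build, but a PE file inside an "invoice" archive is suspicious regardless of its signature.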
“So far in the (past) three days, we’ve had to restore entire servers/workstations for six clients from backups (I’m still in the process of restoring some now),” Leisk wrote.
“We’ve also had one sad instance where the server backups have been encrypted/damaged as well and another two individuals/home businesses that have not kept proper backups and lost nearly *every* document,” he added.
I spoke with IT and C support engineer Varant Kalloghlian today and confirmed that the company was still dealing with multiple infections. Clients that had working backups lost at least a day’s work as their systems were restored.
Unfortunately one home user lost everything because CryptoLocker had encrypted the external hard drive attached to the desktop as well as the desktop itself.
How do you beat CryptoLocker?
The only foolproof defence against CryptoLocker is rotating backups that are not connected to your machine. If the attached backup has been encrypted as well, you restore from the most recent copy that was disconnected at the time. Cloud services make this easier than plugging and unplugging external hard drives, but you have to pick them carefully. If you just use Google Apps, for example, CryptoLocker can encrypt the Google Drive folder on your desktop, and the sync client will then upload the encrypted files, replacing the copies in the cloud too.
Businesses also need to add a backup service for Google Apps, such as Spanning or Backupify, which let you recover an earlier, unencrypted version of Google Drive.
Dropbox is also under-protected. It can restore earlier versions of a file, but only one file at a time; with 20,000 files that gets a little tedious.
A local backup program called ShadowProtect takes 15-minute snapshots of your machine and syncs them to a cloud server. No variant of CryptoLocker has encrypted ShadowProtect files to date.
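The rotation rule above has a trap: if the backup job runs after the files have been encrypted, it can happily copy the encrypted versions in and prune the last clean snapshot out. The following is an added example, not IT and C's advice nor ShadowProtect's code. It keeps dated snapshot directories on a destination drive (assumed to be attached only for the backup run), and before taking a new snapshot it compares the source against the latest one: if too many files that were plaintext last time have turned into random-looking bytes, it refuses to run so the clean snapshots survive. The 7.5 bits-per-byte entropy threshold, the 25% refusal threshold, the seven-snapshot retention and the sample documents are assumptions; the scenario in `demo()` is constructed, with `os.urandom` standing in for the ransomware.

```python
import math
import os
import shutil
import tempfile
import time
from pathlib import Path

ENTROPY_THRESHOLD = 7.5         # bits per byte; office documents sit well below this (assumption)
MAX_SUSPICIOUS_FRACTION = 0.25  # refuse the run above this share of files (assumption)
SNAPSHOTS_TO_KEEP = 7           # retention depth (assumption)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty or single-symbol input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path) -> bool:
    """True when the first 64 KiB of the file is close to uniformly random."""
    data = path.read_bytes()[:65536]
    return len(data) >= 64 and shannon_entropy(data) > ENTROPY_THRESHOLD


def list_snapshots(dest_root: Path) -> list:
    """Snapshot directories, oldest first (names are UTC timestamps, so they sort)."""
    if not dest_root.exists():
        return []
    return sorted(p for p in dest_root.iterdir() if p.is_dir())


def suspicious_fraction(source: Path, previous: Path) -> float:
    """Share of source files that changed since `previous` and went from
    plaintext to random-looking. Files new since the last snapshot are ignored:
    a freshly saved JPEG or ZIP is high entropy too, but it was never plaintext."""
    files = [p for p in source.rglob("*") if p.is_file()]
    if not files:
        return 0.0
    suspicious = 0
    for p in files:
        old = previous / p.relative_to(source)
        if not old.is_file() or p.read_bytes() == old.read_bytes():
            continue
        if looks_encrypted(p) and not looks_encrypted(old):
            suspicious += 1
    return suspicious / len(files)


def take_snapshot(source, dest_root, keep=SNAPSHOTS_TO_KEEP, now=None) -> Path:
    """Copy `source` into a new dated snapshot under `dest_root`, then prune to `keep`.
    Raises RuntimeError instead of snapshotting when the source looks mass-encrypted."""
    source, dest_root = Path(source), Path(dest_root)
    dest_root.mkdir(parents=True, exist_ok=True)
    snapshots = list_snapshots(dest_root)
    if snapshots:
        fraction = suspicious_fraction(source, snapshots[-1])
        if fraction > MAX_SUSPICIOUS_FRACTION:
            raise RuntimeError(
                f"refusing snapshot: {fraction:.0%} of files turned into random-looking "
                "data since the last run; check for ransomware before rotating backups")
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(time.time() if now is None else now))
    target = dest_root / stamp
    while target.exists():  # two runs inside the same second
        target = target.with_name(target.name + "x")
    shutil.copytree(source, target)
    for old in list_snapshots(dest_root)[:-keep]:
        shutil.rmtree(old)
    return target


def demo() -> dict:
    """Constructed scenario: one clean run, then every document is overwritten
    with random bytes (standing in for CryptoLocker) and a second run is attempted."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "docs"), Path(tmp, "backup")
        src.mkdir()
        original = b"Tax invoice 380\nTotal due: $700\n" * 200  # constructed plaintext
        for name in ("invoice380.txt", "ledger.csv", "notes.txt"):
            (src / name).write_bytes(original)
        first = take_snapshot(src, dst, now=1_380_000_000)
        for p in src.iterdir():
            p.write_bytes(os.urandom(len(original)))
        try:
            take_snapshot(src, dst, now=1_380_000_900)
            refused = False
        except RuntimeError:
            refused = True
        return {
            "refused": refused,
            "snapshots": len(list_snapshots(dst)),
            "restorable": (first / "invoice380.txt").read_bytes() == original,
        }


if __name__ == "__main__":
    print(demo())
```

The check compares against the previous snapshot rather than judging each file on its own, because many legitimate formats (JPEG, ZIP, PDF with compressed streams) are already high entropy; what is anomalous is a large share of files flipping from plaintext to random-looking between two runs. A refused run still needs a human to look, and the retention depth should be longer than the time it plausibly takes to notice an infection.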
It’s far safer to use an online email service such as Google Apps (Gmail) or Microsoft Office 365 (Exchange Online) to stop the virus before it reaches your computers. Companies that provide online email services such as Google and Microsoft have millions of emails moving in and out of their cloud data centres and can more easily track an email-borne virus and stop it from infecting users. Gmail will typically flag an email as suspicious or even remove an offending file if it’s identical to known malware.
The same goes for accounting software. CryptoLocker running on an infected desktop cannot encrypt the data file for Xero or Saasu, because that data lives in the providers' heavily protected data centres rather than on your PC. CryptoLocker has been programmed to look for data files of desktop accounting software, including those by MYOB, Kalloghlian claimed.
The most worrying aspect of CryptoLocker is that a current backup is the only way to restore your files without paying the ransom, and since the virus can also encrypt backups on attached external drives, that backup has to be one the virus could not reach.
IT and C gave this advice to users with files stored locally on their computers:
Image credit: News.com.au