The following is a guest post from BFS reader, Nancy Jones. She made a mid-life career change into computer technology and system security since she loves all the stuff about it that most people hate. She also created Grown Up Tech to help everyone learn how to get the most out of their computers and the internet without needing a degree in computer science.
There’s a nasty piece of malware out there called Cryptolocker. You won’t know you’re infected with it until you get the notice that your files are encrypted and if you don’t pay 2 Bitcoin (the value of this can change—read on to find out why) by a certain date, the decryption key will be destroyed, causing you to lose all your files forever.
At this time only Windows operating systems are vulnerable, with this exception: if you are running a Windows installation in Parallels on a Mac, with a shared home folder, you may be vulnerable to losing access to the home folder, which is basically where you live on a Mac. So here’s what you need to know to get a handle on what this is and why it’s so nasty. Most importantly, how not to get it. And if you do, how to survive it.
A Very Basic Understanding of Encryption:
Encryption is the process that makes text unreadable to someone who’s not in on the secret. It scrambles the text to such an extent that without the descrambler you’ll never be able to read it. It’s what the “lock” icon means when you go to your bank’s website or when you are shopping online and you go to check out.
Most encryption on the web is done with two “keys”. One is a public key and the other is a private key, and they work together. No other combination of keys will work with either of those two. When you go to your bank’s website, you see the place where you log in with a username and password. When you hit the “login” button, you use the bank’s public key, which is stored on their server, to encrypt your login information so that if someone intercepts the traffic, all they’ll see is gobbledygook. It won’t make any sense. AND it can’t be used to log in, because if someone input what they intercepted, THAT would also get encrypted and end up being even more gobbledygooked. Without that private key at the other end, it IS just gobbledygook. So at the other end, the bank uses their private key, which is stored securely on their server, to decrypt your login credentials.
If you are at a website and see a lock, you’ll also see that the “http” is now “https” which means that a Secure Sockets Layer session has been started, which is another level of encryption added to the session. The original encryption session that was started with the public key/private key transmission (which is called “asymmetric”) now initiates a symmetric session that uses the same key between parties. Nothing that passes between the parties can be read by anyone other than those two parties. What you need to really understand is this: it works because both parties have the key. (Trust me, when I was learning all this, it made my head spin.)
What Cryptolocker Does:
Cryptolocker uses the originator’s (the bad guys’) public key to encrypt your personal files. It grabs not only the files on your active hard drive; if you work with an external hard drive attached to your computer as a standard practice, it will grab those too, along with any mapped network drives. That can make this a devastating infection for small businesses.
Don’t even think about cracking the encryption, either. The keys used in this are the best you can get, the strongest available. The payment demanded is any one of three untraceable methods: Bitcoin, MoneyPak card, or Ukash card. That lessens the chances of these guys getting caught, unless one of them gets very sloppy, and then rats the others out.
If you don’t pay the ransom, the decryption key is destroyed. Remember the part above, where I told you that the public key and the private key work together? Well, they ONLY work together. If the private key is destroyed, you will have zero chance of decrypting your files.
Here’s something else you need to know: if you are using a backup site in the cloud, as soon as you think you might be infected, unplug from the internet and call the human customer service rep at the backup service and let them know right away that you’ve been infected with Cryptolocker. One cloud backup service has officially stated that this information will put a high priority on your call, and it’s reasonable that others are treating it the same way. By this time, they will already have a plan formulated for dealing with Cryptolocker, but if you let a backup take place after encryption has started, you will not be able to use your backup service to restore your computer.
Prevention is the Best Defense:
All indications at this point are that the infections are started with a phishing email. Phishing is just like fishing—someone’s putting some bait out there hoping someone will bite. These guys are not amateurs. The emails will look like the real thing. Some documented cases so far include emails that look like Amazon, BestBuy, WalMart, and other shopping sites. Don’t even think that all links in all other email messages from all other sources must be safe just because I didn’t name any others. You should treat all emails containing links with a strong degree of suspicion.
It is getting to the point where it just is not safe to click on a link in an email anymore.
Other possible infection sources include attachments in emails (if you weren’t expecting it, don’t click on it!). If your machine has been previously compromised, the attackers could just remotely run a program that automatically loads and runs the encryption software.
Documentation on the attachment version includes emails that look like they came from well-known companies like UPS, FedEx, DHL, etc. And with shopping online being so popular, we can expect that this will pick up, and with Christmas gift returns and all, don’t expect it to go away quickly. The attachments included in the email will have names that look like they end with .pdf, .doc, .xls, BUT are actually executables, meaning that when you click on them, a program will run. For some reason, Windows, by default, does not display the file extensions, and you generally know what kind of file something is by the icon it displays, but an executable can carry whatever icon its author chooses, so the icon proves nothing.
It’s better not to take that chance. You can follow this link (http://support.microsoft.com/kb/865219) for instructions on how to display all file extensions, so that you can actually see if something is not a .pdf, .doc, or .xls but is actually a .pdf.exe, or a .doc.exe, or a .xls.exe. Those are bad guys. Do not open them. (By the way, this is a ploy used by a lot of other trojans as well, disguising an executable file as a non-executable file; taking the step of displaying file extensions can keep you from clicking on them even in the absence of the Cryptolocker threat.)
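To show what the hidden-extension trick looks like from the defender’s side, here is a small added example (my own code, not from the original post): it takes a list of attachment names, works out what Explorer would display with extensions hidden, and flags the ones whose real extension runs as a program. The lists of executable and document extensions are my assumption and go a little beyond the three cases named above; the sample filenames are constructed.

```python
"""Flag attachment names that hide an executable behind a document-looking extension."""
from pathlib import PureWindowsPath

# Extensions Windows runs as a program when double-clicked (assumed list, not from the post).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions the bait is pretending to be (assumed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def displayed_name(filename: str) -> str:
    """What Explorer shows when 'Hide extensions for known file types' is on:
    the final extension is dropped, so 'invoice.pdf.exe' appears as 'invoice.pdf'."""
    p = PureWindowsPath(filename)
    return p.stem if p.suffix else filename


def is_disguised_executable(filename: str) -> bool:
    """True when the real (last) extension runs as a program but the name
    ends in a document extension once that last extension is hidden."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DOCUMENT_EXTS


def triage(filenames):
    """Return (real name, what the user sees) for each disguised attachment."""
    return [(f, displayed_name(f)) for f in filenames if is_disguised_executable(f)]


# Constructed sample of attachment names, not taken from any real mailbox.
SAMPLE_ATTACHMENTS = [
    "Order_Confirmation.pdf.exe",   # the case the post describes
    "Shipping_Label.doc.exe",
    "Q4_Report.xls.scr",            # screensaver files are executables too
    "Invoice.PDF.EXE",              # case must not matter
    "receipt.pdf",                  # genuine document
    "setup.exe",                    # plain executable, not disguised
    "notes.txt",
]

if __name__ == "__main__":
    for real, shown in triage(SAMPLE_ATTACHMENTS):
        print(f"Explorer shows: {shown:28}  actually: {real}")
```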
And above all, BACKUP, BACKUP, BACKUP!!!!! You should NEVER have only one copy of your critical data. Ever. Ever! Got that? Because if you have a current backup, you’re prepared for….
Surviving the Infection You Couldn’t Stop in Time:
Go ahead and decide, right now, if you are willing to pay the ransom. If so, set aside $300 at a minimum, and be prepared for that to go up. But remember that we are talking about people who already don’t care that they don’t have a right to do stuff to your computer. Counting on them to keep their word may not be wise.
If you don’t intend to reward criminals for bad behavior (yes, I am being clear which path I recommend), stop all your other computer activity TODAY and make a set of recovery disks. That is a disk or a set of disks that contains your computer’s operating system and installed programs as it looks at the moment the disks are made, and all the files. This is a good practice anyway, especially if your machine didn’t come with operating system installation media. Most don’t nowadays.
You may (or may not—it just depends on factors we haven’t figured out yet) have to activate Windows again after installation, and that may require a phone call. I’ve had to do this numerous times, and it’s not a difficult process. The phone instructions are very easy to follow, and when you are asked how many machines the software is installed on, the correct answer is “zero.” Remember that. Once the operating system is restored, move the most recent backups of your files back into place and you’re ready to go.
Forewarned is forearmed. Now you know there’s bad stuff out there. More importantly, you know how not to get tricked, and you know how to recover if you do get tricked. Don’t be embarrassed if you get fooled; these guys are highly skilled at what they do. They count on you being trusting, and they count on you being too busy to take proper preventive measures. The time you spend in prevention and precaution will save you a lot of recovery time.
There is just a bit of good news post-infection. A security researcher whom I trust completely has confirmed that upon payment of the ransom, the decryption key was provided as agreed, and following decryption the computer was back to normal. This nasty software encrypts only FILES, not the whole disk, not that that’s any comfort, except that the decryption process is far less time consuming for this than for a whole-disk decryption process.
Lastly, more about the payment price—the demand is in Bitcoin, and the value of Bitcoin is extremely volatile right now. When I first started outlining this post, two Bitcoin was about $300. A year ago it was $13/coin. As of 1/16/14 it’s about $800 each. So “your mileage may vary.” Best to do the backups and not play their game.
Have you heard of Cryptolocker? Have you ever had to go through this?