Cryptolocker is back – Ransomware beware!

Cryptolocker, the planet’s worst ransomware trojan, has reappeared in all its ugly forms. Across the world, networks and computer files have been encrypted by this trojan before a ransom demand is made to the user or administrator. Some victims who don’t have adequate backups are losing all their files, or having to pay a ransom of thousands to the criminals who propagate this electronic curse.

Cryptolocker is propagated via infected email attachments and via a botnet; when activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public key cryptography. Cryptolocker itself is readily removed; however, the encrypted files remain locked unless the key is provided. Worse, some who have paid the ransom have not received the key, leaving them with encrypted files and a big bill. It is estimated that around 3% of affected users pay the ransom requested.

Almost a year ago the US Department of Justice announced that the FBI and Interpol had publicly issued an indictment against a Russian hacker and had gained the keys to the malware. However, it appears a new version and clones such as CryptoWall and TorrentLocker are back in business.

Security software is designed to detect such threats; however, it may not detect Cryptolocker at all, or only after encryption is underway or complete, particularly if it is a new version unknown to the protective software.

So how do you get Cryptolocker?

Email is the primary entry point for the Cryptolocker trojan into networks and computers. Cryptolocker is typically propagated as an attachment to a seemingly innocuous e-mail message which appears to have been sent by a legitimate company. These emails may contain company logos and representations that they are legitimate: examples in Australia and New Zealand include Australia Post, New Zealand Post, the Australian Federal Police, Microsoft, UPS parcel deliveries, and several of the major banks.

The emails tend to offer legitimate services or make a reasonable-sounding request, as simple as a payment receipt, a delivery document, or, in the case of the Australian Federal Police scam, asking you to view a speeding fine or photo. Once the attachment is clicked, the ransomware is deployed on your systems and then encrypts files across local hard drives and mapped network drives with the public key, logging each encrypted file to a registry key. The process only encrypts data files with certain extensions, including Microsoft Office, OpenDocument and other documents, pictures, and AutoCAD files.
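Because the trojan overwrites document files in place while leaving their extensions untouched, a defender can spot the aftermath by checking whether a file's contents still look like the type its extension claims. The script below is an added example, not code from the original article or from any product it mentions: it walks a folder, and for files with a known document, picture or spreadsheet extension it flags those whose leading bytes no longer match the expected file signature and whose contents have the near-random byte distribution that encryption produces. The signature table, the entropy threshold of 7.5 bits per byte, and the sample files it builds in a temporary directory are all assumptions constructed for this example.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Expected leading bytes for common data-file types. This table is a
# constructed assumption for the example; extend it to match the file
# types you actually need to monitor.
EXPECTED_MAGIC = {
    ".docx": b"PK\x03\x04",   # Office Open XML files are ZIP containers
    ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
    ".odt":  b"PK\x03\x04",   # OpenDocument files are ZIP containers too
    ".doc":  b"\xd0\xcf\x11\xe0",  # legacy OLE compound document
    ".xls":  b"\xd0\xcf\x11\xe0",
    ".pdf":  b"%PDF",
    ".jpg":  b"\xff\xd8\xff",
    ".png":  b"\x89PNG",
}

# Assumed threshold: well-encrypted data approaches 8 bits of entropy per
# byte, while ordinary documents and compressed containers sit lower.
ENTROPY_THRESHOLD = 7.5
SAMPLE_SIZE = 4096


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path):
    """True if the file has a known extension, its header no longer matches
    that type, and its leading bytes are close to random."""
    ext = os.path.splitext(path)[1].lower()
    expected = EXPECTED_MAGIC.get(ext)
    if expected is None:
        return False  # unknown type: this heuristic has no opinion
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_SIZE)
    if head.startswith(expected):
        return False  # header intact, file is still what it claims to be
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan_tree(root):
    """Return paths (relative to root) of files that look encrypted."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if looks_encrypted(full):
                flagged.append(os.path.relpath(full, root))
    return sorted(flagged)


def build_sample_tree():
    """Create constructed sample files in a temp directory for the demo."""
    root = tempfile.mkdtemp(prefix="ransom-check-demo-")
    # Intact documents: correct header followed by repetitive, low-entropy body.
    with open(os.path.join(root, "invoice.docx"), "wb") as fh:
        fh.write(b"PK\x03\x04" + b"word/document.xml " * 100)
    with open(os.path.join(root, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 50)
    # Misnamed but harmless: plain text saved with a .doc extension. Wrong
    # header, but low entropy, so it must not be flagged.
    with open(os.path.join(root, "notes.doc"), "wb") as fh:
        fh.write(b"meeting notes, action items, follow-ups\n" * 40)
    # Simulated ciphertext: deterministic high-entropy bytes built from
    # hash digests stand in for an encrypted spreadsheet.
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    with open(os.path.join(root, "budget.xlsx"), "wb") as fh:
        fh.write(blob)
    # Unknown extension: ignored regardless of content.
    with open(os.path.join(root, "archive.bin"), "wb") as fh:
        fh.write(blob)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel in scan_tree(demo_root):
        print("possible encrypted file:", rel)
```

Run periodically against file shares or as a post-incident triage step, the flagged list shows how far encryption progressed and which backups need restoring; pair it with alerting on bulk file modification so the check runs while there is still time to isolate the host.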