Cryptolocker ransomware: Windows

http://www.computerwor​ld.com …nd_what_to_do_i​f_you_are_

This appears particularly nasty. Does anyone know where it originated? Seems like one of the more serious threats to Windows users since there appears to be no easy way of dealing with it.

Wow. Thanks for the heads up.

Creative... Pay us, or the file gets it.

The only way to deal with it is from your backups, I've read.

In case you are infected, here is a guide on how to remove it: http://privacy-pc.com …e-cryptolocker-virus.html

You will still need to deal with infection, in case shadows copies mention in the article do not work, you may try using some computer forensic tools: http://en.wikipedia.or​g …f_digital_foren​sics_tools

Just got infected last night... most of my stuff is backed but some of my most recent stuff is not... which is horrifying to think about.

wow that is serious. One thing I do, which others may do similar, is keep a desktop computer whihc does not use the internet. It is clean, runs xp, it's super fast and it stores my back up data. When I get a virus on my laptop, which knock on wood is rare these days, I do the usual routine. System restore, if that fails then I pull out my HD and put it into the desktop tower. I run windows vista x64 on my laptop and I run XP x32 on my desktop. I use XP and I access all of my HD information from the desktop. Because Vista is not running I can usually fix any corrupted data or retrieve valuable files with my desktop computer. I have been meaning to "mirror" my HD so that restoration would be even easier, as soon as I setup my new wifi HD this will go into practice.

I must say that my most glorious victory against a virus was one particularly nasty fake FBI virus threat ransom job that tried to take a picture through my webcam and it took over admin privileges, erased my computer from the desktop and taskbar, erased system restore all together, and did some other weird stuff that I could not fix with my desktop by transferring the HD from my laptop. I simply hit control alt delete rapidly until I could click switch user before the fake fbi warning screen reappeared on my screen and I was able to switch users, change privileges, and defeat the virus by repairing system restore and removing the virus from the root directory all under a newly modified user name.

Also I would like to add one more thing. When I got this virus, and others in the past I could tell something was going on with my computer, the internet slowed down, the hard drive started grunting like it was doing an install or writing a file, several times when this occured I would turn off my wifi switch on the front of my laptop. I am a firm believer that this will save you in a pinch.

I'd be interested to know how you got hit. Was it a drive-by download or an email attachment or something else? Computers don't "get infected" without user interactions.

morph2_7 wrote in post #16464764
I'd be interested to know how you got hit. Was it a drive-by download or an email attachment or something else? Computers don't "get infected" without user interactions.

From what I've heard, its usually an email attachment. Something like, "You FedEx packages cannot be delivers. Print out attach form and take to Post Office."

attached: Form.pdf.exe

If they catch these people, they should lock them up for decades.

mike_d wrote in post #16470767
From what I've heard, its usually an email attachment. Something like, "You FedEx packages cannot be delivers. Print out attach form and take to Post Office."

attached: Form.pdf.exe

Correct, it is normally in the form of a "fake" PDF that is actually an executable received through email as an attachment. In fact as far as I know that's the only widely confirmed means of getting this particular nasty.

Removing the virus is trivial for the most part but the data that's been encrypted by it is toast. Pando claims to have a tool that may decrypt data I believe, I'm not sure how unless it somehow intercepts/finds the encryption key used on your system, because otherwise it's impractical to ever decrypt your data using brute force methods.

Make sure your data is backed up, and unless it has versioning make sure that backup isn't going to do a live backup as changes are made because otherwise it will just overwrite your good backup with the newly encrypted data. If you have a service like Crashplan that has a lot of versioning support it can save your butt.

Best thing to do is just be smart about how you deal with attachments you receive, have a good backup system in place and keep your AV up to date if you have one. I don't know how well most AV programs are doing at blocking this one, but every little bit helps.

mike_d wrote in post #16470767
From what I've heard, its usually an email attachment. Something like, "You FedEx packages cannot be delivers. Print out attach form and take to Post Office."

attached: Form.pdf.exe

Colorblinded wrote in post #16470857
Correct, it is normally in the form of a "fake" PDF that is actually an executable received through email as an attachment. In fact as far as I know that's the only widely confirmed means of getting this particular nasty.

Careful... I've seen a non EXE(cutable) attachment delivering the payload. It's a DOC file. The antivirus software that protects my mail server is configured to remove all EXE attachments. One day my mail server AV software fails to detect an infected DOC file (DOC files are of course allowed). It's one of those fake shipping email that asks users to open the DOC file attachment.

A user (at work) opens it. It's a good thing the desktop antivirus intercepts it. I believe the DOC file creates an EXE in the temp folder. That's when the desktop AV interception occurs. Long story short, I took the PC off the network. Format and reinstall the OS. Thankfully no damage is done.

Moral of the story either way is to be careful with your attachments. It's certainly not a new means of spreading infections.

I wish it was that easy. It doesn't matter how many times you tell people to be careful and not to believe everything in their mailbox. Some users are click happy. They click anything they see regardless of the warnings.

A user forwarded a similar fake shipping to another user and asked her to check it. She helps the spammer spread the spam. Aint' that awesome? The mail contains a link to download EXE. Both users click the link. My firewall is set to deny all EXE downloads so it's good.

The user is usually the biggest security risk be it through ignorance or neglect or whatever. People never like to be told "this wouldn't have happened if you had done x, y or z" though.