Encryption Viruses

In blog posts on our site, I will sometimes use Bold-Underline to indicate text that may need a bit of extra explanation. Hover over the text to see a definition! -Ross

You’ve almost definitely heard about Cryptolocker. Even if you’re not sure, when it first hit it was all over the news, so you probably at least saw the name in a headline or two. We’ve posted about it on our Facebook page numerous times, since out of all the malware we’ve seen so far, it is one of the nastiest, most debilitating infections, both for the home user and for businesses. Let’s go in-depth…

What is it?

Cryptolocker, and other encryption viruses like it, are ransomware viruses – that is, they hold your computer (or in this case, your files) for ransom, asking for money to unlock them. The virus is usually transmitted using a fake email, disguised to look like something legitimate. Examples we’ve seen include: an email from UPS telling you about a supposed missed delivery, an email from LinkedIn with an attached résumé, and an email from the IRS with “important information about your taxes”. All of these have an attachment, usually in the form of a Zip file. Inside the zip file is usually what appears to be a PDF document (or similar document file), but this is where the virus is hidden. Windows, by default, hides the File Extension of known file types. However, that setting doesn’t prevent you (or virus creators) from putting a fake file extension in the name of the file itself. The upshot is that you may think a file is “document.pdf” when in reality, because the real extension is hidden, it is “document.pdf.exe”. Thus, when you double-click on the file to open what you think is a document you need to read, it actually runs a program instead!
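To make the double-extension trick concrete, here is an added example (not code from the original post) that lists the files inside a zip attachment, works out the name Windows would display with extensions hidden, and flags entries whose real extension is executable while the displayed name looks like a document. The sample zip, the extension lists and the function names are all constructed for this illustration.

```python
import io
import os
import zipfile

# Assumed, representative lists; not exhaustive.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".pif"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def displayed_name(name):
    """Name as Windows shows it when known extensions are hidden: the last extension is dropped."""
    root, ext = os.path.splitext(name)
    return root if ext else name


def classify(name):
    """Return (displayed_name, verdict) for one filename taken from an attachment."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # strip any folder part
    _, real_ext = os.path.splitext(base)
    shown = displayed_name(base)
    _, shown_ext = os.path.splitext(shown)
    if real_ext.lower() in EXECUTABLE_EXTENSIONS and shown_ext.lower() in DOCUMENT_EXTENSIONS:
        return shown, "disguised executable"  # e.g. document.pdf.exe shown as document.pdf
    if real_ext.lower() in EXECUTABLE_EXTENSIONS:
        return shown, "executable"
    return shown, "ok"


def scan_zip(data):
    """Map every entry name in a zip (given as bytes) to its (displayed_name, verdict)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: classify(info.filename) for info in zf.infolist()}


def build_sample_zip():
    """Constructed sample attachment mimicking the fake delivery notice described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_delivery_notice.pdf.exe", b"not a real program")  # constructed
        zf.writestr("invoice.pdf", b"%PDF-1.4 constructed")
        zf.writestr("setup.exe", b"not a real program")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, (shown, verdict) in scan_zip(build_sample_zip()).items():
        print(f"{entry!r:35} shown as {shown!r:30} -> {verdict}")
```

Running it prints one line per entry; the first entry is reported as a disguised executable even though Windows would display it as a plain PDF name.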

Once the virus program is running, it configures the computer to run it on startup (so that if you reboot, the virus still pops up), and starts talking to a Command and Control server on the internet. This server is run by the virus creators, and generates a 2048-bit RSA Key pair which is used to encrypt your files. What files are actually locked depends on the exact version of the virus – for example, most versions we’ve seen do not encrypt QuickBooks data files, but that doesn’t mean they won’t in the future. The virus generally follows the folder tree of your computer, so most of the time every folder will be scanned, including Mapped Drives that are shared from another computer.

Once it’s done encrypting your files, it will either display a window asking for money in order to fix the problem, or create a text file in each encrypted folder saying the same thing. Depending on the version of the virus, the ransom can be anything from $200 to over $2000, and many varieties have a time limit after which you are charged extra to decrypt your files. At the time of this writing, the price is $500 for the CryptoWall variant, and it can fluctuate often.

So what can I do about it?

The reason these encryption infections are so nasty is that they’re impossible to fix manually, and paying the ransom would be “giving in to the criminals”.

So, what if you’ve already been infected? Unfortunately, there are only two options from here: restore from backups, or pay the ransom and hope the operators unlock your files. While we’ve seen it work a couple of times, we don’t recommend paying the ransom because there is no guarantee that you’ll get your stuff back – plus, you’re just proving to these criminals that their scheme works. Of course, if you’ve got critical information and no backups, that may be your only option.

On the other hand, the problem with backups is that you have to have planned ahead and actually taken said backups. While some of you may say “well, yeah, that’s common sense”, the unfortunate truth is that many people don’t realize they should be backing up their important information.

How do I keep myself safe?

  • Be careful what you click on. Malicious email attachments are the most common way to get infected with a Crypto virus. If you’re not expecting an attachment from someone, don’t open it. ESPECIALLY if it’s a zip file and you aren’t darn sure you know what’s inside.
  • Always have one or two (preferably two) up-to-date, cold backup copies of your important data. That way, if you happen to accidentally get infected, you can just restore your backup and get on with your day.

In Conclusion

There’s a lot to take in when it comes to big viruses like this. The bottom line, and the one we’d like to drill in with this post, is: backups, backups, backups. Back up frequently, remove your backup drive when you’re done, and take it somewhere safe. It’s truly the only way to be sure you won’t lose your data if you get hit by an encryption virus.

If you’ve got any questions about what you’ve read, feel free to send an email using the contact form link here on our website, or find your local store page and give us a call. And if you suspect you’ve been hit with the infection, give us a call right away and we’ll be happy to help you out!