Most Malware is relatively harmless, causing minor headaches that you can clean up with a simple boot to safe-mode and a quick scan or two from a well updated commercial anti-malware program, but not all of them. Antivirus firm Sophos, has reached out after increasing reports have come in of a new Ransomware that’s encrypting people’s files and demanding money in order to unlock them.
Known as Cryptolocker, or Troj/Ransom-ACP in the Sophos software, this nasty little program is said to work on Windows XP through to 8, on all versions. No word on whether a Mac or Linux version is out there yet. It gets into your machine through email attachments or from an “upgrade” to you’re already infected machine. Once it’s weaselled its way in, CryptoLocker hides in the Documents and Settings folder, adds itself to the startup registry and starts trying to connect to a series of random looking domains. It keeps doing so until it manages to successfully connect and when it does, it uploads a file to said server with some information on your machine; this is then used to create your private encryption key.
The private key is what you would use to decrypt encrypted files, but that stays on the server. What gets sent back, is the public key, which the malware then uses to encrypt as many files as possible based on a long list of types, including pictures, documents and spreadsheets. This search occurs across workgroups and drives, so even networked data may be vulnerable to an infection.
Once the encryption is complete, a “warning” message pops up, letting you know that your files have been turned to gibberish and unless you pay $300 within the next 100 hours, the private key that could help you, is destroyed.
It’s at this point that Sophos has some bad news for those infected: there is no way currently known that can decrypt your files. It also recommends that you don’t pay for the private key to be returned, as there is no guarantee that it will be and even if it was, there’s nothing stopping those responsible from extorting you again down the line.
At least we can poke fun at the English of those responsible though, as Sophos points out, the ransom page reads:
“The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that,nobody and never will be able to restore files.”
So what’s a nervous net user to do? Keep your antivirus and antimalware programs up to date, take note and action if you notice any odd internet activity and be very careful opening email attachments, but most of all: back up your files. If you have anything important that you wouldn’t want to live without, back it up somewhere remote and make sure it’s a recent one too. That way even if you get hit hard, the worst that happens if you have to format and download it all again.
Kitguru Says: This is a nasty one. Stay safe people as there doesn’t seem to be much recourse if you’re caught. Backup, backup, backup.