Meet the ransomware trojan that has IT professionals worried

This week, for the first time I came into contact with the CryptoLocker trojan. A virus that encrypts all of your documents and holds you to ransom to recover them.

This threat is very real and it’s the worst I’ve ever seen. It’s a game changer.

I first encountered the problem when documents on a network share were “corrupted”, Excel files became unopenable. It was very strange, unlike anything I’d heard of.

At first I suspected the hard disk or memory was at fault. It wasn’t. It was much worse.

I found that the file does open only to show a corrupted jumble of characters, the first line looks like this:

!crypted!F5396107DE5443E3487226FBEABFA295<bÎÎózíðºÄ…

It looks like some kind of hash code.

Was this the workings of a virus? This is unlike any virus I’ve ever seen, one that encrypts documents on mapped network drives, surely not.

After a bit of research, I found that it is indeed a virus. A particularly bad ransom virus at that.

I found the infected machine, as it was the only one with “crypted” local files. The virus was identified as the Ramdo/Redyms virus (acupx217.dll, EPUHelp.exe) and was removed.

I believe these were the catalyst for the deployment of a CrytoLocker type module.

Following the advice from bleepingcomputer.com with regards to the CrytoLocker virus, I looked at restoring the crypted/corrupted files.

The very next day, I found that The Guardian had released an article on this very subject, entitled PC users: beware of CryptoLocker malware.

I decided it was time to send a reminder email out to the end users and make them aware of this very real threat that’s out there in the wild, this is what I sent:

TL;DR: DO NOT OPEN EMAIL ATTACHMENTS YOU ARE UNSURE ABOUT; Always have a backup of your documents.

Hi all,

This is a warning about a new type of virus that many IT professionals are describing as a game changer.

There is a really bad virus being spread via links in e-mail that take the user to a bad site or attachments in an e-mail that contain the bad software. Its name is CryptoLocker.

If the link is clicked on or the attachment is opened the software starts up and goes on to encrypt, that is make unavailable, EVERY document the user has access to.

Once your machine is infected there is only one way to get out of the mess once the infected system is found and quarantined:

– Recover the files from a backup.

Simple rule of thumb: NEVER click on a link in an e-mail and avoid opening attachments if at all possible (Especially ZIP archives). And, if a link must be clicked on in an e-mail hover the mouse cursor over the link to see where it leads to. If it looks suspicious please ask!

As always, please be very careful and aware that bad people out there are always on the hunt for more victims. No business large or small is exempt from these activities.

For more information, please feel free to view the news coverage:

http://www.theguardian.com/money/2014/feb/27/pc-users-beware-cryptolocker-malware-royal-mail

If you have the opportunity, please see the Watch CryptoLocker in action video.

Thank you.

If it wasn’t for the backups, we wouldn’t have had any chance of recovering the data without paying the ransom and even then we couldn’t be sure they would actually decrypt the files.

As I said, this threat is very real, now is the time to act and ensure you have sufficient backups in place. Do not ignore this warning, there is no exception.

If you’re a systems administrator, there’s some very useful help over on reddit:

• CryptoLocker Recap: A new guide to the bleepingest virus of 2013.

The solution for domain systems administrators centres around deploying a Software Restriction Policy that blocks exe files from running in the APPDATA directory.