Crypto Locker Malware

In recent weeks there has been an outbreak of a new malware (virus) variant called ‘Crypto Locker’. The damage potential of this malware is extremely high, so we are trying to raise awareness with all our customers to prevent infections and potential data loss.


The virus is spread primarily via email, although a small percentage of cases arrive through other means. What we have been seeing most are emails pretending to be from your payroll provider or bank (Paychex, Intuit, ADP, PayPal, Bank of America, etc.) that contain a .ZIP attachment. The verbiage of the email varies, but it will generally say something to grab your attention and make you want to open the attachment. Inside the ZIP file is a document whose icon looks like a PDF file, but it is really the virus and has an .EXE extension. People open the file thinking it is a PDF, and by then it is too late.
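As an added illustration of how a mail gateway or help desk could screen such attachments before a user opens them (example code written for this notice, not a tool The Logic Group ships), the script below opens a ZIP in memory and flags entries that carry an executable extension, hide an executable behind a document-style name, or begin with the Windows PE signature `MZ` despite a harmless-looking name. The extension lists and the sample archive are constructed assumptions.

```python
import io
import zipfile

# Extensions Windows runs on double-click (assumed list; extend for your environment).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document extensions an attacker imitates to make an executable look like a file.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def classify_entry(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive entry is suspicious (empty list = nothing found)."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]          # strip any folder path inside the ZIP
    exts = ["." + p for p in base.split(".")[1:]]    # every extension, e.g. ['.pdf', '.exe']
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension " + exts[-1])
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):
            reasons.append("document-style name hiding an executable")
    # A Windows PE file starts with the bytes 'MZ' no matter what it is named.
    if head[:2] == b"MZ" and (not exts or exts[-1] not in EXECUTABLE_EXTS):
        reasons.append("PE header but non-executable extension")
    return reasons


def scan_zip(zip_bytes: bytes) -> dict[str, list[str]]:
    """Scan a ZIP attachment in memory and map suspicious entry names to reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)                    # only the first two bytes are needed
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample, not a real attachment: a fake 'PDF' that is actually a PE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payroll_Report.pdf.exe", b"MZ" + b"\x00" * 62)  # PDF-looking name, .EXE
        zf.writestr("notes.txt", b"plain text, harmless")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_zip(build_sample_zip()).items():
        print(entry, "->", "; ".join(why))
```

Quarantine any attachment that produces findings and route it to the help desk rather than relying on the user to notice the icon.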


If infected, it silently begins crawling through the files in your My Documents, My Pictures and My Videos folders, as well as ALL YOUR MAPPED NETWORK SERVER DRIVES, and begins encrypting the files. We have even seen it reach across to users’ Dropbox, Google Drive and SkyDrive files, so even cloud/offsite files are not outside the boundaries of this infection. Once it either completes the encryption of all the files in these locations OR gets interrupted (network disconnect, reboot, etc.), it will pop up a screen informing you that your files have been encrypted and demanding a ransom of $300 to decrypt them. There will also be a countdown timer by which you have to pay the ransom or it will be too late. IMPORTANT: There is NO WAY TO DECRYPT the files without paying the ransom. Encryption of this kind relies on a private key that only the attackers hold; without it, the process cannot be reversed.


If you accidentally click on an attachment that you think might be infected, OR you see a window on your screen that references ‘Crypto Locker’ with a countdown timer or any other malware, please disconnect your computer from the network and contact The Logic Group IMMEDIATELY. The sooner we know of the infection, the less downtime the other users of the network drives will experience and the faster we can begin restoring files. As mentioned above, because there is no way to decrypt the files without paying the ransom, restoring from backup is the only viable remedy. And since it has the potential to encrypt hundreds of thousands of files before anyone is even aware, the restoration time can be daunting and there will inevitably be some data loss.