Virus Alert – CryptoLocker malware infection

TNSC was made aware of a potentially damaging Malware threat called CryptoLocker that is spread primarily through e-mail attachments. CryptoLocker has started targeting businesses actively.

Note: A CryptoLocker Malware infection requires a member of your staff to actively click on an e-mail attachment. The infection will not activate just by opening an e-mail.

Why CryptoLocker is dangerous to your business

CryptoLocker is different than most Malware because it can render files on a computer and potentially any server that computer has access to unusable. It does this by silently encrypting certain types of files, documents, and databases with RSA/AES encryption, the same encryption used to protect banking information and other highly confidential data. Once encrypted, programs like Microsoft Word and Adobe Reader can no longer read the files, and because of the strength of these encryption types the encryption cannot be undone without the encryption key.

CryptoLocker then presents the computer’s user with a popup offering to undo the encryption for a sum of $300 if paid in the next 96 hours. Even if the Malware is removed, the files will remain encrypted and unusable. While paying this ransom does appear to remove the encryption at this time, it is not recommended. Once infected, the only way to recover from CryptoLocker without paying the ransom is to restore files from backups.

Symptoms to watch out for

• Most or all of the files on your computer or on folders on your server will not open with one of the following errors:
• A compatibility pack needs to be downloaded to understand the file.
• The file is not in the correct format or is corrupt.
• A popup appears with a ransom notice stating, “Your personal files are encrypted!”

CryptoLocker Prevention

There are preventative measures that TNSC or your onsite IT personnel can take to try to block CryptoLocker, but later versions of this Malware are already attempting to evade these measures. CryptoLocker also escapes most Antivirus detection due to the fact that it requires a computer’s user to click on an attachment and that it is constantly changing.

These preventative measures work by blocking programs from running in certain temporary file areas on your computer.
Please be warned that these preventative measures may cause some legitimate programs to stop functioning, but can be easily removed in the event that they do.

The best method of preventing your computers from becoming infected with CryptoLocker is to educate your staff.
Below are a few CryptoLocker specific security recommendations that you can e-mail to your staff:

• CryptoLocker is spread mainly through e-mail attachments in e-mails that are altered to look like they are coming from common business vendors and resources like: Fedex, UPS, ADP, and even government agencies. Be cautious about opening attachments in unsolicited e-mails from these sources, and if necessary, put in a call or e-mail to the source in question to confirm that the e-mail is safe.

• If you are not expecting an e-mail from the sender or do not recognize the sender, be cautious about opening attachments or clicking on links in the e-mail.
• If you are unsure about an e-mail, involve TNSC or onsite IT personnel before opening any attachments or clicking any links contained within.
• Try to avoid browsing internet sites that are not necessary for your day to day work as these could contain hacked advertisements and links.

Links to informational articles on CryptoLocker
https://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/
https://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Links to prevention strategies for in house IT personnel
https://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#prevent