In our society today we should always be asking ourselves: how do I get rid of malware? For right now, your question might be:
What can I do to help stop Cryptolocker?
These are both excellent questions in my humble opinion. How to get rid of malware is definitely a hot topic these days. If you listen to any of the news online and offline at the moment in the Information Security space, you know that the Cryptolocker strain of Ransomware is probably one of the most dangerous pieces of malicious code that the Information Technology sector has seen in a while.
I personally have not seen one as destructive as this one since I got hit by the Michelangelo Virus back in the mid 90’s when I played a game of Wolfenstein that was run from a floppy disk (yes, this was “back in the day”) and the diskette was infected with the virus. After I inserted the disk, it blew away the boot sector from my computer and all my files were as if they did not exist. This was my very first experience with viruses. It was devastating at the time.
What Does Cryptolocker Ransomware Do?
The Cryptolocker Ransomware is similar in some ways. If you are not familiar with Cryptolocker, let me give you a little information about it and what it does to your computer and data. Here is the scenario. A user clicks on a phishing email that supposedly contains an attachment relating to a shipment (FedEx, UPS, DHS, etc.) that he/she is supposedly receiving. If the user clicks on the attachment, they are infected.
It can also enter your computer through an exploit related to an older and insecure version of Java that is installed on your machine. You can go here to get the latest version of Java. Please please please make sure that your Java is updated on your computer.
Cryptolocker can install without administrator credentials. This is very scary in and of itself. Once it installs on your computer, it begins to look for any Microsoft Office data files (documents, spreadsheets, photos, videos, etc.) along with any database files on your system and starts to encrypt them without your knowledge. It also encrypts the files on any attached USB drives, external hard drives, network shares and even some cloud storage. Talk about frightening!
What is Cryptolocker According To Wikipedia
CryptoLocker is Trojan horse malware which surfaced in late 2013. A form of ransomware targeting computers running Windows, a CryptoLocker attack may come from various sources; one such is disguised as a legitimate email attachment. When activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware’s control servers. The malware then displays a message which offers to decrypt the data if a payment (through either Bitcoin or a pre-paid voucher) is made by a stated deadline, and says that the private key will be deleted and unavailable for recovery if the deadline passes. Source
And Then The Ransom…
You will more than likely not know you are infected until all the files are encrypted. It then pops up a message on your screen saying that all your personal files are encrypted! Then the ransom comes into play. It gives you 3 days to pay $300.00 to the attackers; otherwise your files stay permanently encrypted and unusable, with no way to retrieve them. Your only recourse at this point would be to recover from a clean backup.
Currently, anti-virus software does not seem to mitigate this virus. Some anti-virus vendors claim to stop this attack before the infection takes place, but they also warn up front that the attackers are constantly changing their tactics and that their software may not prevent the infection.
Image and video source: http://blog.malwarebytes.org/
How To Avoid the Cryptolocker Ransomware
- You need to be logged in as an administrator to open the Local Security Policy Editor.
- The Local Security Policy will only be available in the Professional, Ultimate, and Enterprise editions of Windows 7.
- The Local Security Policy is only available in the Pro and Enterprise editions of Windows RT, 8, and 8.1.
So, what can we do to try and help prevent this from happening when we accidentally click on one of their malicious links:
- Click on the Start button
- Click on Control Panel
- Click on Administrative Tools
- Click on Local Security Policy
- Right click on Software Restriction Policies in the list and click Add New
- You will now see Additional Rules underneath Software Restriction Policies
- Right click on Additional Rules and click on New Path Rule
- Enter the following information:
  Path: %AppData%\*.exe
  Security Level: Disallowed
  Description: Don’t allow executables from AppData
- Click OK
- Now do a second one for the subfolders (right click on Additional Rules and click New Path Rule):
  Path: %AppData%\*\*.exe
  Security Level: Disallowed
  Description: Don’t allow executables from AppData
- Click OK
- Do the same thing for each of the following (right click on Additional Rules and click New Path Rule):
  Path: %Temp%\Rar*\*.exe
  Security Level: Disallowed
  Description: Block executables run from archive attachments opened with WinRAR.
  Path: %Temp%\7z*\*.exe
  Security Level: Disallowed
  Description: Block executables run from archive attachments opened with 7zip.
  Path: %Temp%\wz*\*.exe
  Security Level: Disallowed
  Description: Block executables run from archive attachments opened with WinZip.
  Path: %Temp%\*.zip\*.exe
  Security Level: Disallowed
  Description: Block executables run from archive attachments opened using Windows built-in Zip support.
- You must RESTART your computer for these to take effect.
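Once the rules are in place, it is worth reading them back and checking which paths they actually cover. The PowerShell below is an added example, not part of the original post or of any Microsoft tooling; it assumes the standard Software Restriction Policy registry layout, where each path rule is stored under CodeIdentifiers\<level>\Paths\{GUID} and level 0 means Disallowed, and the sample paths it tests are constructed.

```powershell
# Added example (not from the original post): read back the Software Restriction
# Policy path rules the steps above create, and check sample paths against them.
# Assumes SRP's standard registry layout: rules under CodeIdentifiers\<level>\Paths\{GUID},
# with level 0 = Disallowed.
$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Levels = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

function Get-SrpPathRule {
    foreach ($level in $Levels.Keys) {
        $pathsKey = Join-Path $SaferRoot "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($key in Get-ChildItem $pathsKey) {
            # ItemData is REG_EXPAND_SZ; Get-ItemProperty already expands %AppData% etc.
            $p = Get-ItemProperty $key.PSPath
            [pscustomobject]@{ Level = $Levels[$level]; Pattern = $p.ItemData; Description = $p.Description }
        }
    }
}

function ConvertTo-SrpRegex([string]$Pattern) {
    # Expand any remaining %VAR%, then treat '*' as "a run of characters that is not a
    # path separator", so %AppData%\*.exe does not reach into subfolders (which is why
    # the post adds a second rule for %AppData%\*\*.exe).
    $expanded = [Environment]::ExpandEnvironmentVariables($Pattern)
    return '^' + ([regex]::Escape($expanded) -replace '\\\*', '[^\\]*') + '$'
}

function Test-SrpPath([string]$Path, [object[]]$Rules) {
    # The most specific (longest) matching pattern wins, mirroring SRP precedence.
    $hit = $Rules | Where-Object { $Path -match (ConvertTo-SrpRegex $_.Pattern) } |
           Sort-Object { $_.Pattern.Length } -Descending | Select-Object -First 1
    if ($null -eq $hit) { return 'no matching rule (default level applies)' }
    return "$($hit.Level) by $($hit.Pattern)"
}

# Constructed sample paths modelled on the locations the post's rules cover.
$samples = @(
    "$env:AppData\dropper.exe",
    "$env:AppData\sub\dropper.exe",
    ($env:Temp + '\Rar$DI00.123\invoice.exe'),
    "$env:ProgramFiles\Vendor\app.exe"
)
$rules = @(Get-SrpPathRule)
if ($rules.Count -eq 0) { Write-Warning 'No SRP path rules found; were they added and the machine restarted?' }
$rules | Format-Table Level, Pattern, Description -AutoSize
foreach ($s in $samples) { '{0} -> {1}' -f $s, (Test-SrpPath $s $rules) }
```

Run it from an elevated PowerShell after the restart; the expected output lists the four Disallowed rule families and shows the AppData and Temp\Rar samples matched while the Program Files sample falls through to the default level.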
A disclaimer: This is not a 100% guarantee that this will prevent Cryptolocker from infecting your machine. This should however cut the possibility a great deal. Who is to say what the attackers may try next.
Remove Cryptolocker Ransomware With Malwarebytes
This video shows how to remove Cryptolocker Ransomware with Malwarebytes. Please note that this will not recover your encrypted files. But Malwarebytes has tools to prevent this attack so this is a definite case of prevention is better than cure.
Please be very certain of what emails and attachments you are opening. Do not open any email or attachments unless you’re 100% certain of the sender.
Stay safe out there in cyber space!
Article from US-CERT – HERE
Article from CNBC – HERE