Monday, Dec. 23rd 2013

CryptoLocker – The biggest malware threat to your computer’s sensitive information


        In a world full of computers, viruses are a major threat. These malicious programs can cause a wide variety of problems for you and your network, ranging from simply being annoying to completely erasing entire hard drives. One particular type of virus categorized as “Ransomware” is designed to encrypt a wide assortment of file types, including Word, Excel, PowerPoint, Publisher, PDF, and JPEG files, and make them inaccessible to you until you pay the creator of the virus a determined sum.

        An extremely dangerous virus in this category is called CryptoLocker, and it has infected thousands of computers worldwide in the two months since its release last September. It’s mainly spread through e-mail, masking itself as an attachment to an official-looking document. It could take many forms—a notification from a bank, a letter from the government, or a tracking notification from Federal Express or UPS, just to name a few. Whatever the disguise, one thing remains the same: the attached file you download is actually the virus, ready to run as soon as it gets onto your computer. Always be wary of any unsolicited emails containing attachments, especially those from unknown senders. Verify the email’s legitimacy before opening a file if it’s something you didn’t request or don’t recognize.


        After CryptoLocker gains access to a computer, it goes through a specific order of operations.

        1. CryptoLocker installs itself into your Documents and Settings folder, using a randomly generated name, and adds itself to the list of programs in your registry that Windows loads automatically every time you logon.

        2. It produces a lengthy list of random-looking server names in the domains .biz, .com, .info, .net, .org and .ru.

        3. It tries to make a web connection to each of these server names in turn, trying one each second until it finds one that responds.

        4. Once it establishes a connection with a server, it uploads a small file that you can think of as your “CryptoLocker ID.”

        5. The connected server generates a public-private key pair for your “CryptoLocker ID” and directs the public key part back to your computer.

        6. The virus uses this public key to encrypt all of the files it can find that match 70+ extensions, covering file types such as images, documents, and spreadsheets. CryptoLocker employs public-key cryptography using strong RSA 2048 encryption. Once files are encrypted, the victim cannot decrypt them without the private key, which is held only on the attacker’s server. Documents will not open correctly, stating that the file extension is incorrect, and will appear to contain meaningless gibberish when opened.

        7. CryptoLocker then pops up a “pay page” (pictured below) that demands payment via Bitcoin or MoneyPak and installs a countdown clock on the victim’s desktop that ticks backward from 72 hours. The price is usually about $300-$500, and recently the coders responsible for CryptoLocker have added a “late payment option” that allows you to still pay for the private key after the deadline, but for around 10 times the price.
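Steps 2 and 3 above leave a visible trace on the network side: a burst of lookups for long, random-looking single-label names under the six listed TLDs, about one per second. The following detector, an added example written for this post and not code from the post or from any vendor, runs that heuristic over a few constructed resolver log lines (the log format, the client addresses, the names and the scoring thresholds are all assumptions):

```python
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed resolver log lines (hypothetical "timestamp client name rcode" format) for this example
SAMPLE_LOG = """\
2013-12-23T10:00:00 10.1.2.7 mail.example.com NOERROR
2013-12-23T10:00:01 10.1.2.7 qkxtrwlbnvzjpoa.biz NXDOMAIN
2013-12-23T10:00:02 10.1.2.7 mfjtdpwqvlrxkhb.com NXDOMAIN
2013-12-23T10:00:03 10.1.2.7 zrhwkplqtxnmvfg.info NXDOMAIN
2013-12-23T10:00:04 10.1.2.7 pbvjqwlmrtkxhsn.net NXDOMAIN
2013-12-23T10:00:05 10.1.2.7 tlqzvkpwxrmhjbg.org NXDOMAIN
2013-12-23T10:00:06 10.1.2.7 wmrkvqpxzhtlbnj.ru NOERROR
2013-12-23T10:00:07 10.1.2.9 www.example.org NOERROR
"""

# The six TLDs the post names; the generated names are single random-looking labels under them
SUSPECT_TLDS = {"biz", "com", "info", "net", "org", "ru"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def label_entropy(label):
    """Shannon entropy of the characters in a label; random strings score higher than words."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def looks_random(name):
    label, _, tld = name.rpartition(".")
    if tld not in SUSPECT_TLDS or "." in label or len(label) < 12:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return label_entropy(label) > 3.3 and vowel_ratio < 0.3  # thresholds are assumptions; tune on your own data

def find_dga_clients(log_text, min_names=5, max_gap_seconds=2):
    """Return {client: longest run} for runs of >= min_names random-looking lookups <= max_gap_seconds apart."""
    lookups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and looks_random(m.group(3)):  # rcode (group 4) is parsed but not needed for this heuristic
            lookups[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    flagged = {}
    for client, times in lookups.items():
        times.sort()
        run = best = 1
        for earlier, later in zip(times, times[1:]):
            run = run + 1 if (later - earlier).total_seconds() <= max_gap_seconds else 1
            best = max(best, run)
        if best >= min_names:
            flagged[client] = best
    return flagged
```

A hit on a workstation is worth isolating it before the pay page appears, since the file encryption in step 6 only begins after one of these lookups succeeds.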



        In a year in which much of the cryptography that is used to protect our files and communication has been found to be broken, backdoored, or at least failing to offer the guaranteed security we expect, CryptoLocker is a frustrating exception: no one has found a weakness in it that would allow the files to be decrypted without the private key. Barring extremely unlikely mathematical breakthroughs, RSA-2048 is unbreakable.

        So what can you do? Anti-virus programs will detect the malware ( reports that they detect CryptoLocker infections as Trojan.ransom). However, because of the manner in which this virus operates, it is currently nearly impossible to detect until after it has done its damage. As a matter of fact, removing the virus with security software will get rid of the countdown timer and the instructions displayed above. Doing so makes it impossible to pay the ransom even if you wanted to, unless you purposely re-infect yourself with the virus. Recent versions of CryptoLocker have added an image, set as your desktop wallpaper, that addresses that very circumstance, with instructions and a link to download the virus. Therefore, prevention is of the utmost importance. Make sure all important files are backed up properly and regularly. Backups might require a different setup from one that defends against hardware failure: CryptoLocker will not hesitate to encrypt files found on external hard drives, in locally mounted cloud storage, or on anything connected to your server.
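Because the malware encrypts anything it can reach, a backup job can silently copy already-encrypted documents over a good backup set. The check below, an added example rather than anything from the post or from Copies FYI, looks for the symptom the post describes (documents that no longer start with the bytes their extension promises and read as gibberish) so a rotation can be halted; the magic-byte table, the entropy threshold and the sample files are constructed assumptions:

```python
import math
import os
import random
import tempfile
from collections import Counter

# Leading bytes expected for a few document types the post lists (constructed table for this example)
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".jpg": b"\xff\xd8\xff"}

def byte_entropy(data):
    """Shannon entropy in bits per byte; output of a sound cipher sits close to the 8.0 maximum."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def classify(path, sample_size=4096):
    """ok: header matches; suspect: wrong header and random-looking content (likely encrypted);
    mismatch: wrong header but structured content (e.g. a misnamed text file); unknown: extension not in table."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return "unknown"
    with open(path, "rb") as f:
        head = f.read(sample_size)
    if head.startswith(MAGIC[ext]):
        return "ok"
    return "suspect" if byte_entropy(head) > 7.0 else "mismatch"

def scan_tree(root):
    """Classify every file under root; any 'suspect' result is the signal to halt a backup rotation."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = classify(full)
    return results

def demo():
    """Constructed sample tree: an intact PDF, an 'encrypted' DOCX (seeded random bytes), a misnamed text file."""
    rng = random.Random(7)
    samples = {
        "invoice.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n",
        "report.docx": bytes(rng.randrange(256) for _ in range(4096)),
        "notes.xlsx": b"quarterly totals\n" * 50,
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return scan_tree(root)
```

Run this against the staging copy before it overwrites the offline set; one "suspect" document is reason enough to keep the previous generation.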

        Be assured, all information processed by Copies FYI is protected. Copies FYI creates backups of all of your important information and stores them securely off-site and offline. We are strictly HIPAA compliant, and our security policy states that “Information housed on computers or other similar equipment is of a sensitive, confidential, or proprietary nature.” Only authorized individuals have access, and we are liable if any information isn’t properly protected, maintained, and confidential. The integrity of the system is of the utmost importance. With our service you can rest easy knowing that should the worst happen, all of your important information is safe, secure, and ready to be implemented back into your system.

        And always remember, whether CryptoLocker is still in circulation or not: never open attachments in emails you weren’t expecting, even if they appear to come from someone you know.
