New Crypto-Locker virus - RANSOMWARE

The machines we love to hate

Moderator: Wiz Feinberg

Donny Hinson
Posts: 21756
Joined: 16 Feb 1999 1:01 am
Location: Glen Burnie, Md. U.S.A.

New Crypto-Locker virus - RANSOMWARE

Post by Donny Hinson »

Just heard about this one yesterday! Word has it that some of the anti-virus companies are even advising infected business users to go ahead and pay to unlock their computers, as an infection encrypts all your files and locks you out of all of your programs - and there is no way to completely recover your data...unless you "pay the ransom".

Most of the sites on the 'net say it's the worst virus ever written for Windows.

What's the scoop?
Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

As I type this many of the Command and Control servers for the Crypto-Locker Trojan are being sinkholed. This is good news if you are infected afterward, as your PC cannot receive the encryption instructions, but no help if your PC is already locked and encrypted.

The encryption is pretty hefty and has yet to be broken, but that will be done sometime soon.

Your best defense against Crypto-Locker is to make regular backups of your important files and, if possible, the entire boot disk (aka: full system images, including the MBR).

I make Acronis True Image backups of my websites every night. My Documents and Settings are backed up every Saturday and my System Images saved every Sunday.

In addition to the above, I have Windows 7 save a complete system image once a month.

I have created an Acronis recovery CD, for use with their saved images. Windows 7 has a built-in feature on F8 startup to restore its saved images.

Additionally, I save a copy of the most recent Acronis full image to an external USB drive, which is switched off after the image has been saved. This protects it against network aware malware that searches out attached storage devices.

Finally, I operate with reduced user privileges and maintain a paid subscription to Trend Micro Internet Security and to Malwarebytes' Anti-Malware.

Note: If you, like me, use both Trend Micro and Malwarebytes, you will be forced to uninstall MBAM and later reinstall it after TMIS receives a program version update. Your license code survives the deinstallations.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
Jim Priebe
Posts: 412
Joined: 2 Apr 2011 8:14 am
Location: Queensland, Australia - R.I.P.

Post by Jim Priebe »

I've already had two hits of this to "fix" at work. The Cryptolocker is usually in an attached file (with an email) that gets opened by the user.
In one case it encrypted everything on the user's USB drive (all her University work - with no backup - she is off on stress leave now). Fortunately it left the workstation files untouched (phew!).
In the other case it required a total reload of the computer, but the good news is it didn't spread on to the domain network.
As I work in the medical area (mostly) I see its results there, and it is a soft target area (I've posted before that a lot of Java gets used in this area, which is a constant worry). An eye specialist business got totally wiped by the crypto - $9 g's to fix it.
Please don't mess with/open this baby - always ask before opening attachments unless you absolutely recognise them. Your AV is of no use in this case at this point in time.
Priebs GFI ('09)Short-Uni10. GFI ('96)Short-Uni SD11. ('86)JEM U12
www.steelguitardownunder.com
Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Malwarebytes' Anti-Exploit Beta

Post by Wiz Feinberg »

I have recently begun running Malwarebytes' Anti-Exploit, a Windows-only security application whose sole purpose is to protect against exploit attacks. The program description and download link can be found here.

I am following its development on the Malwarebytes' forum dealing with the Anti-Exploit program.

It is hoped that this freeware security program may be able to stop the Crypto-Locker and other malware like it from getting installed into your operating systems.
Dave Potter
Posts: 1565
Joined: 15 Apr 2003 12:01 am
Location: Texas

Re: Malwarebytes' Anti-Exploit Beta

Post by Dave Potter »

Wiz Feinberg wrote:I have recently begun running Malwarebytes' Anti-Exploit, a Windows-only security application whose sole purpose is to protect against exploit attacks. The program description and download link can be found here.
Thanks for the pointer, Wiz. I just installed it and it's running.

Sad we have to go to such lengths to protect ourselves from the bottom-feeders in society. But, as the admonishment goes, "When in quicksand, struggle like hell".
Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

With the addition of MBAE, I am now running a trifecta of active security programs: Trend Micro Internet Security, MBAM and MBAE. Normally, this is discouraged due to each one scanning active files and processes as they are launched or saved. In today's cyber-world, one may not be enough.

Note, I am running these programs on a home-built Windows 7 PC with 4 gigs of matched RAM. It has the horsepower to run this much security and still respond quickly to everyday activities. Doomed XP computers will probably not be able to do this.

I am considering changing to an SSD as my boot drive, on my desktop and laptop. These drives are virtually instantaneous, offsetting any extra load imposed by software.
Dave Potter
Posts: 1565
Joined: 15 Apr 2003 12:01 am
Location: Texas

Post by Dave Potter »

Wiz Feinberg wrote:Note, I am running these programs on a home-built Windows 7 PC with 4 gigs of matched RAM. It has the horsepower to run this much security and still respond quickly to everyday activities....I am considering changing to an SSD as my boot drive, on my desktop and laptop. These drives are virtually instantaneous, offsetting any extra load imposed by software.
The SSD drives are amazing. I have two of them in my desktop PC, which also includes an Intel Core i7 processor (4 cores) and 8GB RAM, so it's pretty quick. I have a Samsung 500GB SSD as my boot drive, and everything, including bootup, happens lots faster. And with no moving parts in these drives to wear out, and reasonable prices, what's not to like?
Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

Crypto-Locker is currently being distributed via email spam spoofing WhatsApp "Voicemails Waiting" messages. There is either an attachment, or a direct link to the malware installer, hidden inside a zipfile. The contents are a .exe file pretending to be the list of voicemails.

For information on avoiding this malware, read Brian Krebs' article about Avoiding the Crypto-Locker Ransomware.
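Jim's advice about attachments and Wiz's description of a zipped .exe posing as a voicemail list both come down to one check a mail gateway or helpdesk can automate: look inside the archive before anyone double-clicks it. The script below is an added example, not code from any poster in this thread; the archive it inspects is constructed in memory and the file names in it are made up for illustration.

```python
import io
import zipfile

# Extensions Windows runs directly; a "voicemail list" should never carry one.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-looking extensions used as a decoy in front of the real one ("list.pdf.exe").
DECOY_EXTS = {".pdf", ".doc", ".docx", ".txt", ".mp3", ".wav", ".jpg"}


def classify_entry(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive member looks like a disguised executable."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    exts = ["." + p for p in parts[1:]]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension " + exts[-1])
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("double extension disguises " + exts[-2])
    # A Windows executable starts with the bytes "MZ" no matter what it is called.
    if head[:2] == b"MZ" and (not exts or exts[-1] not in EXECUTABLE_EXTS):
        reasons.append("PE header under a non-executable name")
    return reasons


def suspicious_entries(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons; an empty dict means nothing flagged."""
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as f:
                head = f.read(2)  # only the magic bytes; never execute or fully extract
            reasons = classify_entry(info.filename, head)
            if reasons:
                flagged[info.filename] = reasons
    return flagged


def build_sample_zip() -> bytes:
    """Constructed sample mimicking a fake 'voicemail list' archive; not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("VoiceMails/VoiceMail_List.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("VoiceMails/readme.txt", b"2 new voicemails waiting")
        zf.writestr("VoiceMails/message1.mp3", b"MZ\x90\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in suspicious_entries(build_sample_zip()).items():
        print(name, "->", "; ".join(why))
```

Running it flags the double-extension .exe and the "mp3" that is really a PE file, while the plain text note passes; the same function can be pointed at any attachment bytes pulled from a mailbox.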