After a month, the news of the CryptoLocker ransomware has finally hit the mainstream media. Leaving me questioning where they have been.
I was one of the first to report on it, and as far as I can tell, the first independent blogger to report on it.
Unfortunately, along with the mainstream coverage of this ransomware comes quite a bit of dangerous misinformation. This blog post will attempt to gather the truth about what we know in order to help those infected.
Infection:
As of now, the infection seems to be spreading through email. In the office, this email may claim to have a new protocol that needs to be looked at. At home, it may claim to be from Fedex or UPS. This email claims that you have a package waiting for you and you need to print out a receipt to claim it.
In either case, the attachment is a zipped up executable that contains the ransomware. You go to unzip it and read the "document" when all of a sudden, CryptoLocker pops up.
At this point, you are now infected. There's no going back from here. Your files are encrypted.
Encryption:
CryptoLocker does not lie when it says it encrypts your files. It encrypts files with RSA 2048 bit encryption. Which is a very safe encryption that has never been broken and likely will not be for at least another 10 years.
This means that you cannot decrypt the files.
Recovery of Files:
If you do pay the ransom, the program does actually decrypt your files. And while I would not advocate paying the ransom, it may be needed if you have exhausted all other alternatives. You know you are just encouraging the writers to keep making ransomware, but your files might be worth more to you then the $300 it demands.
Another way is with a program called Shadow Explorer. This program finds Shadow Copies of your files that are saved at System Restore points.
The bad news is that it only works with Computers running Windows XP with the second service pack installed or higher. With the exception of the home oriented editions of Windows Vista. And Windows 8 does not have it enabled by default.
So, if you run Windows 8, you may want to make a change in case you do get infected.
You can find how to activate File History here:
http://windows.microsoft.com/en-us/windows-8/how-use-file-history
http://windows.microsoft.com/en-us/windows-8/set-drive-file-history
Removal:
Recovering the encrypted files may be the hard part, but removing the actual ransomware is easy. Although you should not do this unless you know you have Shadow Copies of the encrypted files that you can get. For your convenience, the guide below deals with removal including recovering your files.
Step 1: Download Shadow Explorer here: http://www.shadowexplorer.com/downloads.html
Step 2: Run the executable and install Shadow Explorer.
Step 3: Select the disk name and time you wish to restore from. This time should be before the infection took place.
Step 4: Right click on a folder and click export. You will then be asked where you want to export to. Export to a convenient location for you.
Step 5: Repeat step 4 until all folders and files have been restored.
Step 6: Download and install MalwareBytes Anti-Malware from here: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button
Step 7: Once you have installed MalwareBytes Anti-Malware, run a full scan. This scan will take some time, most likely over an hour depending on how much you have on your computer. So I suggest you do something else while remaining in close distance to the computer to that you can check on the scan every 15 minutes.
Step 8: Once the scan is finished, you will be alerted that malware was found. Please click OK on this message box to view the infections.
Step 9: If an infection is not checked, leave it alone. These are PUPs and are not harmful.
Step 10: Click on remove selected and allow it to restart your computer when prompted.
Step 11: Your computer should now be free of the CryptoLocker ransomware.
Please note that this removal guide might not work in some cases. If this is the case, you may be forced to reinstall the ransomware via the link given on the desktop wallpaper it sets. Once you have done this, you have no option remaining but to pay the ransom via the following ways:
GreenDot MoneyPak
Bitcoin
Ukash
For info on how to prevent yourself from getting infected with CryptoLocker, please read this blog post: http://www.malwareaware.com/2013/10/cryptolocker-prevention.html
Thank you for reading. Feel free to comment if you have any questions or comments.
I was one of the first to report on it, and as far as I can tell, the first independent blogger to report on it.
Unfortunately, along with the mainstream coverage of this ransomware comes quite a bit of dangerous misinformation. This blog post will attempt to gather the truth about what we know in order to help those infected.
Infection:
As of now, the infection seems to be spreading through email. In the office, this email may claim to have a new protocol that needs to be looked at. At home, it may claim to be from Fedex or UPS. This email claims that you have a package waiting for you and you need to print out a receipt to claim it.
In either case, the attachment is a zipped up executable that contains the ransomware. You go to unzip it and read the "document" when all of a sudden, CryptoLocker pops up.
At this point, you are now infected. There's no going back from here. Your files are encrypted.
Encryption:
CryptoLocker does not lie when it says it encrypts your files. It encrypts files with RSA 2048 bit encryption. Which is a very safe encryption that has never been broken and likely will not be for at least another 10 years.
This means that you cannot decrypt the files.
Recovery of Files:
If you do pay the ransom, the program does actually decrypt your files. And while I would not advocate paying the ransom, it may be needed if you have exhausted all other alternatives. You know you are just encouraging the writers to keep making ransomware, but your files might be worth more to you then the $300 it demands.
Another way is with a program called Shadow Explorer. This program finds Shadow Copies of your files that are saved at System Restore points.
The bad news is that it only works with Computers running Windows XP with the second service pack installed or higher. With the exception of the home oriented editions of Windows Vista. And Windows 8 does not have it enabled by default.
So, if you run Windows 8, you may want to make a change in case you do get infected.
You can find how to activate File History here:
http://windows.microsoft.com/en-us/windows-8/how-use-file-history
http://windows.microsoft.com/en-us/windows-8/set-drive-file-history
Removal:
Recovering the encrypted files may be the hard part, but removing the actual ransomware is easy. Although you should not do this unless you know you have Shadow Copies of the encrypted files that you can get. For your convenience, the guide below deals with removal including recovering your files.
Step 1: Download Shadow Explorer here: http://www.shadowexplorer.com/downloads.html
Step 2: Run the executable and install Shadow Explorer.
Step 3: Select the disk name and time you wish to restore from. This time should be before the infection took place.
Step 4: Right click on a folder and click export. You will then be asked where you want to export to. Export to a convenient location for you.
Step 5: Repeat step 4 until all folders and files have been restored.
Step 6: Download and install MalwareBytes Anti-Malware from here: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button
Step 7: Once you have installed MalwareBytes Anti-Malware, run a full scan. This scan will take some time, most likely over an hour depending on how much you have on your computer. So I suggest you do something else while remaining in close distance to the computer to that you can check on the scan every 15 minutes.
Step 8: Once the scan is finished, you will be alerted that malware was found. Please click OK on this message box to view the infections.
Step 9: If an infection is not checked, leave it alone. These are PUPs and are not harmful.
Step 10: Click on remove selected and allow it to restart your computer when prompted.
Step 11: Your computer should now be free of the CryptoLocker ransomware.
Please note that this removal guide might not work in some cases. If this is the case, you may be forced to reinstall the ransomware via the link given on the desktop wallpaper it sets. Once you have done this, you have no option remaining but to pay the ransom via the following ways:
GreenDot MoneyPak
Bitcoin
Ukash
For info on how to prevent yourself from getting infected with CryptoLocker, please read this blog post: http://www.malwareaware.com/2013/10/cryptolocker-prevention.html
Thank you for reading. Feel free to comment if you have any questions or comments.