Malwareaware


Wednesday, 30 October 2013

Summing Up CryptoLocker.

Posted on 06:53 by Unknown
After a month, the news of the CryptoLocker ransomware has finally hit the mainstream media, which leaves me wondering where they have been.

I was one of the first to report on it, and as far as I can tell, the first independent blogger to report on it.

Unfortunately, along with the mainstream coverage of this ransomware comes quite a bit of dangerous misinformation. This blog post will attempt to gather the truth about what we know in order to help those infected.

Infection:

As of now, the infection seems to be spreading through email. In the office, this email may claim to have a new protocol that needs to be looked at. At home, it may claim to be from Fedex or UPS. This email claims that you have a package waiting for you and you need to print out a receipt to claim it.

In either case, the attachment is a zipped up executable that contains the ransomware. You go to unzip it and read the "document" when all of a sudden, CryptoLocker pops up.
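The lure described above relies on a user not noticing that the "document" inside the zip is really an executable. The following is an added example, not code from the original post, of a small check a mail gateway or a cautious user could run over an attachment before opening it: it flags any archive member whose final extension is executable (double extensions such as `receipt.pdf.exe` only count by their last part) or whose first bytes carry the Windows PE `MZ` signature, which catches a renamed binary. The sample archive it builds is constructed inline; its payload is a few placeholder bytes, not a real program.

```python
import io
import zipfile

# Extensions Windows will run directly when double-clicked (constructed list
# for this example; extend it to match local policy).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def looks_executable(name: str, head: bytes) -> bool:
    """Flag a zip entry that is really a Windows executable.

    Two independent checks: the final extension, which is the only one
    Windows honours for 'receipt.pdf.exe'-style names, and the PE 'MZ'
    magic at offset 0, which catches a binary renamed to look like a PDF.
    """
    lower = name.lower()
    ext_hit = any(lower.endswith(ext) for ext in EXEC_EXTENSIONS)
    magic_hit = head[:2] == b"MZ"
    return ext_hit or magic_hit


def suspicious_entries(zip_bytes: bytes) -> list:
    """Return the names of archive members that look like executables."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            if looks_executable(info.filename, head):
                hits.append(info.filename)
    return hits


def build_sample_attachment() -> bytes:
    """Constructed sample resembling the 'package receipt' mail above.

    'Receipt_12345.pdf.exe' is the classic double-extension lure and
    'invoice.pdf' is a renamed binary; neither is a real program.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Receipt_12345.pdf.exe", b"MZ" + b"\x00" * 16)
        zf.writestr("readme.txt", b"Your package is waiting.")
        zf.writestr("invoice.pdf", b"MZ renamed binary")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in suspicious_entries(build_sample_attachment()):
        print("executable inside archive:", entry)
```

On the constructed sample it reports `Receipt_12345.pdf.exe` and `invoice.pdf` and leaves `readme.txt` alone.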

At this point, you are now infected. There's no going back from here. Your files are encrypted.


Encryption:

CryptoLocker does not lie when it says it encrypts your files. It encrypts them with RSA 2048 bit encryption, which is a very safe encryption that has never been broken and likely will not be for at least another 10 years.

This means that you cannot decrypt the files.

Recovery of Files:

If you do pay the ransom, the program does actually decrypt your files. And while I would not advocate paying the ransom, it may be needed if you have exhausted all other alternatives. You know you are just encouraging the writers to keep making ransomware, but your files might be worth more to you than the $300 it demands.

Another way is with a program called Shadow Explorer. This program finds Shadow Copies of your files that are saved at System Restore points.

The bad news is that it only works with computers running Windows XP with the second service pack installed or higher, with the exception of the home oriented editions of Windows Vista. Windows 8 does not have it enabled by default.

So, if you run Windows 8, you may want to make a change now, in case you do get infected later.

You can find how to activate File History here:

http://windows.microsoft.com/en-us/windows-8/how-use-file-history

http://windows.microsoft.com/en-us/windows-8/set-drive-file-history

Removal:

Recovering the encrypted files may be the hard part, but removing the actual ransomware is easy. You should not remove it, however, unless you know you have Shadow Copies of the encrypted files that you can recover. For your convenience, the guide below covers removal as well as recovering your files.

Step 1: Download Shadow Explorer here: http://www.shadowexplorer.com/downloads.html

Step 2: Run the executable and install Shadow Explorer.

Step 3: Select the disk name and time you wish to restore from. This time should be before the infection took place.

Step 4: Right click on a folder and click export. You will then be asked where you want to export to. Export to a convenient location for you.

Step 5: Repeat step 4 until all folders and files have been restored.

Step 6: Download and install MalwareBytes Anti-Malware from here: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button

Step 7: Once you have installed MalwareBytes Anti-Malware, run a full scan. This scan will take some time, most likely over an hour depending on how much you have on your computer. So I suggest you do something else while remaining close to the computer so that you can check on the scan every 15 minutes.

Step 8: Once the scan is finished, you will be alerted that malware was found. Please click OK on this message box to view the infections.

Step 9: If an infection is not checked, leave it alone. These are PUPs and are not harmful.

Step 10: Click on remove selected and allow it to restart your computer when prompted.

Step 11: Your computer should now be free of the CryptoLocker ransomware.

Please note that this removal guide might not work in some cases. If so, you may be forced to reinstall the ransomware via the link given on the desktop wallpaper it sets. Once you have done this, you have no option remaining but to pay the ransom by one of the following methods:

  • GreenDot MoneyPak
  • Bitcoin
  • Ukash

For info on how to prevent yourself from getting infected with CryptoLocker, please read this blog post: http://www.malwareaware.com/2013/10/cryptolocker-prevention.html

Thank you for reading. Feel free to comment if you have any questions or comments.
Posted in The CryptoLocker Saga