Tuesday, 15 October 2013

CryptoLocker Virus - Ransomware

It's been making a fair few headlines - the latest virus which encrypts all your data on your PC. I've had first-hand experience with it as one of my clients managed to contract it from an email attachment.

What does it do?
It installs itself in your user profile (Documents and Settings folder) and makes a reg key to run itself at startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

When the application is started, it goes through your PC and encrypts files with extensions such as:

doc, dox, wps, xls, xlsx, ppt, pptx, rtf, dng, jpg etc

Once your files are encrypted, it demands that you pay to get the data back.

What should I do if I get it?
Firstly, if you log on as another user you can remove it easily. The reg key is only in the current user's hive, so log in as a different user, find it and remove it.
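A defender-side check for the persistence described above (the Run key in the user's hive) and the "log in as another user and remove it" step, added here as an example and not part of the original post: it walks the Run key of every loaded user hive, so the affected profile is covered from a different account, and flags entries launched from inside a user profile rather than Program Files or Windows. It assumes an elevated PowerShell session; the path patterns are my own heuristics, not indicators taken from the post.

```powershell
# Added example (not from the original post): list Run-key entries for every
# loaded user hive and flag the ones that start from inside a user profile,
# which is where the post says CryptoLocker installs and registers itself.
# Assumption: run from an elevated PowerShell session on the affected machine.

$runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'

# Regex patterns (my own heuristics) meaning "launched from a user profile".
$profilePatterns = @(
    'Documents and Settings\\',
    '\\Users\\[^\\]+\\',
    'AppData\\',
    '%(APPDATA|USERPROFILE|TEMP|LOCALAPPDATA)%'
)

# HKEY_USERS lists every loaded hive, so other logged-on users' Run keys
# are inspected too, not just the account running this script.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -notmatch '_Classes$' }

$findings = foreach ($hive in $hives) {
    $keyPath = "Registry::HKEY_USERS\$($hive.PSChildName)\$runSubKey"
    if (-not (Test-Path -Path $keyPath)) { continue }

    $key = Get-Item -Path $keyPath
    foreach ($name in $key.GetValueNames()) {
        $command = [string]$key.GetValue($name)
        # -match is case-insensitive, so AppData and APPDATA both hit.
        $fromProfile = ($profilePatterns | Where-Object { $command -match $_ }).Count -gt 0

        [PSCustomObject]@{
            Hive       = $hive.PSChildName
            ValueName  = $name
            Command    = $command
            Suspicious = $fromProfile
        }
    }
}

# Review the flagged rows by hand before touching anything: legitimate
# per-user software (updaters, sync clients) also starts from AppData.
$findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize

# Once a value is confirmed as the malware's, this removes the startup entry
# (the file it points to still needs deleting):
#   Remove-ItemProperty -Path $keyPath -Name $name
```

Because the script only reads the registry and prints a table, it is safe to run first on a clean machine to learn what normal per-user Run entries look like.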

Data-wise there isn't much you can do other than restore the data from a backup. That seems to be the main consensus right now.

Warning for Network Administrators
The virus DOES encrypt files on shares such as mapped drives, so be sure that users only have access to the data that they should have!

Also, make sure your backups really are working :)

Does Anything Detect it?
I tried to remove it with the ESET rogue application removal tool, the Microsoft Malicious Software Removal Tool and GFI Vipre - none of them even noticed it as being present. Just manually remove it - it's not difficult to find.

How Can I Ensure I Don't Get It?
Most of these things are getting onto people's systems because of email attachments. Sure, it says it's from FedEx or HMRC - but is it really? No, it's not. It very rarely is. Just don't open them!

Closing Thoughts
As pieces of malware go, this is something else. Not only does it lock you out of all your local files, but it could potentially lock a company out of all its office files, causing mayhem.
