Monday, March 3, 2014

Warning: FBI Cryptolocker virus and fake funeral notice. The depths malware authors will sink to in order to infect your computer.

FTC, FBI Warn Consumers About ‘Cryptolocker,’ A New Breed of Computer Malware

I previously warned you about the FBI Cryptolocker virus in the November 14, 2013 post. I have had a couple of clients who dodged any problems by shutting off their computer as soon as they saw the warning and contacting me. We were able to successfully remove the virus before it was able to do its damage. Its payload, if left alone, is to encrypt your Word, Excel, photo, PowerPoint, video and PDF files. The intent of the virus is not so much to spread as to force the infected user to pay a ransom (about $300) for a key to unlock your files. The following information is from the FTC.gov website:

Cryptolocker is spread mostly through email and “drive-by” downloads. The email might look like a routine message from a legitimate company, like a tracking notice from a shipping company. If you click on the hyperlink in the email, Cryptolocker encrypts everything on your hard drive and in your shared folders. When the job is done, you get a “ransom note” demanding payment via Bitcoin or some other anonymous payment method. The criminals behind this malware say they’ll give you the encryption key if you pay, but they’re hardly trustworthy. And there’s no other way to unlock your files.

http://www.ftc.gov/news-events/press-releases/2014/02/ftc-fbi-warn-consumers-about-cryptolocker-new-breed-computer

Recently I received a 7 a.m. call from a branch office of an Atlanta client that had been infected. I instructed the client on how to update and scan using Malwarebytes, and they were able to successfully remove the malicious code. However, the damage was done. I received a call later indicating that the user could not open any Excel or Word documents. I remotely accessed the infected computer and found that the infection had occurred around midnight, and in the 7 ensuing hours the virus had time to work its destructive payload and encrypt all of her files. I removed over 800 text files related to the virus and a message file from the Startup folders of the Office products. The text file contained the following instructions:

"All files including videos, photos and documents on your computer are encrypted."

"Encryption was produced using a unique public key generated for this computer. To decrypt files, you need to obtain the private key."

"The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files."

"In order to decrypt the files, open site 4sfxctgp53imlvzk.onion.to/index.php and follow the instructions."

"If 4sfxctgp53imlvzk.onion.to/index.php is not opening, please follow the steps below:"

"1. You must download and install this browser http://www.torproject.org/projects/torbrowser.html.en"
"2. After installation, run the browser and enter the address: 4sfxctgp53imlvzk.onion/index.php"
"3. Follow the instructions on the web-site. We remind you that the sooner you do, the more chances are left to recover the files."

IMPORTANT INFORMATION:

Your Personal CODE: 00000001-E87E0C01

The client had Carbonite backup installed, so I opened the program but found that Carbonite was set to sync new and changed files; since all of her important files had been encrypted (and therefore changed), Carbonite was backing up the encrypted files. I froze the backup to stop the service. Fortunately Carbonite keeps historical backups, but this requires you to contact Carbonite for assistance, which was free since she had the paid service. However, it took over 30 hours to restore her files to a date prior to the infection via internet download. Also, any changes or new documents/files created after that backup were lost.

The bottom line is this: if you are not backing up your data, you need to find a plan. Sync programs work well, but you need to have historical backups as well. If the client had only the latest backup of her data, she would have been stuck with a backup of files in a non-usable format.
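As an added example (not from this post, and not Carbonite's or anyone else's tool), here is a small Python triage script for the situation above, where the Word and Excel files kept their names but would no longer open because their contents had been replaced: a document whose first bytes no longer match the signature expected for its extension is a likely encrypted file. The signature table, the directory walk and the sample files are constructed for illustration; the same check can be run against a backup snapshot to see whether it holds intact or already-encrypted copies before spending hours restoring it.

```python
import os
import tempfile

# Magic bytes for some of the file types the post says were encrypted.
# Assumption: the infection keeps the file name and extension and only
# replaces the contents, so a header that no longer matches is suspect.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",   # Office Open XML (ZIP)
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",  # OLE2 compound
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff",
}

def header_matches(path):
    """True if the first bytes fit the extension, False if not,
    None if the extension is not one we know how to check."""
    sig = MAGIC.get(os.path.splitext(path)[1].lower())
    if sig is None:
        return None
    with open(path, "rb") as fh:
        return fh.read(len(sig)) == sig

def triage(root):
    """Walk a tree and split known document types into intact and suspect."""
    intact, suspect = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ok = header_matches(path)
            if ok is not None:
                (intact if ok else suspect).append(path)
    return sorted(intact), sorted(suspect)

def demo():
    """Constructed sample tree: two intact files and one whose contents
    were overwritten with opaque bytes while keeping its .docx name."""
    root = tempfile.mkdtemp()
    samples = {
        "budget.xlsx": b"PK\x03\x04" + b"\x00" * 28,
        "invoice.pdf": b"%PDF-1.4\n%constructed sample\n",
        "report.docx": bytes(range(200, 232)),   # no ZIP header: suspect
        "notes.txt": b"plain text, extension not checked",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    intact, suspect = triage(root)
    return [os.path.basename(p) for p in intact], [os.path.basename(p) for p in suspect]
```

A header mismatch is only a hint: a legitimately corrupt or mislabelled file shows up the same way, so treat the suspect list as a starting point for deciding which backup date to restore from, not as proof on its own.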


Fake funeral notice can be deadly — for your computer

How low will criminals and malcontents (ne'er-do-wells) go to infect your computer?

Get this, yesterday I received the following email containing a link:


Suspicious, I performed a simple Google search and found out that this is a relatively new attempt to infect your computer. This too is on the FTC.gov website.


Be careful, people. Take the necessary steps to protect your data, and remember that when you are on the internet it is just like strolling down the street: criminals are around every corner.
