Cryptolocker – The Most Dangerous Virus in 10 Years

UPDATE: See the bottom of the article for information on a new decryption tool.

The Most Dangerous Virus in 10 Years.”  That is a very ominous title.  But thinking back, the last time we saw a virus this destructive was in 2000 (the I Love You virus), so it actually may be a bit of an understatement.  That virus spread by email and deleted Word document and image files.  This one, the Cryptolocker Virus, has more ways to spread, and while it doesn’t delete anything, it encrypts your files and holds them for ransom.

How do people get infected?
Cryptolocker first surfaced in September 2013 and spread so quickly that by November it was infecting more than 12,000 computers per week, according to  BitDefender labs.  The most common method of infection is via attachments in emails, but it has been known to infect people with browser vulnerabilities, Java vulnerabilities, or through other viruses that then download this one.

What does it do?
Once on your computer the virus will generate an encryption code.  With this code, or “key,” Cryptolocker will encrypt all Word documents it finds on your computer, as well as Excel documents, PDF files, and many others.  It also encrypts backup files and Shadow Copy files, in case you were thinking of fixing this by restoring from backup.  Then it sends the encryption key to the people who wrote the virus and places a big warning message on your screen to let you know you have been hacked, and instructions on how to get your data back.  Typically there is a limited amount of time to do this before the files are locked forever.

What can I do once I’m infected?
Without the encryption key, the only way to decrypt your files is with a supercomputer and a lot of time (years).  You have two options at this point:

  1. Restore from backup.  See the section below about how to do good backups.  Once you have this virus, you will need to clean your computer of it.  Most antivirus programs will be able to find it.  Click here for a free program that will find and clean it for you.  Once your computer is clean, then you can restore your lost files from backup.
  2. Pay the ransom.  The initial ransom can be up to $500.  After the time expires, they sometimes offer you a last chance, but by this time the price has jumped to $8000-$9000.  While we usually would recommend against this option because you don’t know if you can trust them to give the data back, this seems to be a viable option.  By one estimate, infected users that needed their data back paid the virus authors nearly $400,000 in the first 100 days after its release.  The FBI even recommend a Massachusetts police department to pay the ransom, because without proper backups there is simply nothing else to be done.

What can I do to protect myself?
Like any disaster preparation, you can do things to help prevent trouble from happening, and you can prepare for recovering once it does strike.

  1. The first thing to do is to get a good antivirus program.  We are currently recommending Kaspersky to our clients because they rank very well AV comparison tests year after year, but most modern antivirus programs will keep you safe.  Click here for a list of antivirus products available, and how they compare to each other.
  2. Be careful of email attachments.  Email attachments is the primary way this virus spreads.  Run your email through a spam and virus filter.  If you are not expecting an attachment from someone, don’t open it.  If you see the attachment with two file extensions, such as “filename.pdf.exe”, it is almost certainly a virus.  If you see an attachment with a .exe or .vbs extension, don’t open it.  (An extension is the final 3 letters of the file name, after the period.  Some computers are configured to hide these extensions, in which case you may only see one of the two extensions.)
  3. Take good backups.  Back up all of your Documents folder, Desktop, and any other folders where you store data.  Since this virus looks for backup files, your backups should be saved to a place other than on your computer.  An external USB drive is a good place for them (as long as it is not constantly plugged into the computer, or else it will be infected as well).  Cloud backups are great for keeping your data safe.  The virus may take a couple of days to fully lock down your computer.  This means if you overwrite your backups every day with new backups, you may be backing up infected files.  The best solution is to have a backup system that runs frequently and stores multiple revisions of the same file.

The good news is this virus is not very infectious.  It takes a while to fully infect a computer, and it is more concerned with encrypting your files than spreading to other computers.  It is also fairly simple to clean with standard virus removal techniques.  If you have antivirus and a solid backup solution in place, you made good progress in protecting yourself.

The bad news is that many people think their virus protection is active and up to date when it isn’t.  And they think their backups are set up running correctly, but they aren’t.  Check the computers in your home and office and make sure they are following the steps laid out in this article.  And if you want to know more about backups and what your options are, check back next month for our backup article.

Have you had an experience with Cryptolocker?  Or do you have any questions we didn’t answer in the article?  We would love to hear about it in our comments section below.

UPDATE – Aug 9, 2014: FireEye and Fox-IT security companies have teamed up and developed a decryption tool for Cryptolocker!  You upload your email address and a sample encrypted file (without any personal information) , and they will email you back a decryption key and a link to a recovery program.  I have not used the tool yet, but the “word on the street” is that it works quite well.  The decryption tool is located at https://www.decryptcryptolocker.com (August, 2017: link has been since removed, as it is no longer working).