Have you ever wondered what CryptoLocker ransomware is? I asked myself that many times, and now that I understand it I want to share what I learned. Today we know more about viruses, and most of us are confident that running an anti-virus is enough to keep a computer safe from the damage a virus can do to our data. Unfortunately that is not always true; extra precautions are always needed to close the circle. As technology has evolved, malicious programs have followed the trend, and the damage they can do has become more and more serious.
The first version of the CryptoLocker Trojan horse made its first impression in 2003 in the UK. A year later, in 2004, according to PC Advisor, security analysts at Kaspersky were able to crack it by exploiting a flaw the author had made in the code. Unfortunately a new version appeared a few years later that is stronger than the previous one and hard to decrypt, and honestly we should all be concerned. Given how sensitive the information we now handle is, and how much we depend on it, I would think ten times before clicking on any executable file, and I am not kidding.
How does Cryptolocker infiltrate computers?
Like any other virus, CryptoLocker, also called "ransomware", needs a way into your system, and in most cases it arrives as an email attachment. A user receives an email with a zipped attachment that contains an executable file (.exe); ignoring the consequences, the user opens the attachment and double-clicks the executable, allowing the virus to install itself. It then sends information such as the malware version, system language, an ID and a group ID to the author, and in return receives a 2048-bit RSA public key. Once the key is saved in the registry (HKCU\Software\CryptoLocker) it starts scanning the machine for files (*.doc, *.docx, *.xls, *.xlsx, *.pdf, *.mdb, *.accdb, etc.), as well as files on the network that you have access to.
Each file it encrypts results in a registry value under HKCU\Software\CryptoLocker\files, and any attempt to delete one or all of these keys from the registry will only worsen the situation: you will lose the encryption key and the files will remain permanently inaccessible.
On an infected computer a popup window appears asking for a ransom of $300.00 or $300.00, paid by Bitcoin or MoneyPak, in exchange for the private key that decrypts the encrypted files. It also shows the time left before the private key is destroyed, which is normally 72 hours.
So is there anything we can do to prevent this?
Once the files are encrypted the ONLY way to decrypt them is to have the private key. However, there are some ways to prevent this from happening or at least reduce the damage:
- Make sure you have system restore points configured on each computer.
- Make sure you back up your data; it is better to lose some data than to lose it all.
- Make sure all your computers run an anti-virus and that it is regularly updated.
- Enable software restriction policies to block executables from running from the AppData folder, where CryptoLocker normally installs itself. See the Microsoft KBs below:
http://support.microsoft.com/kb/310791
http://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx
- As an administrator, instruct and teach your users not to open any *.exe file, and explain the danger they might face.
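As an added example (not from the original post or from Microsoft's KBs), the following PowerShell creates the Software Restriction Policy path rules described above directly in the registry location the SRP engine reads, blocking executables launched from %AppData% and %LocalAppData%. It assumes the documented SRP registry layout (CodeIdentifiers, level subkey 0 = Disallowed) and must be run from an elevated prompt on the machine being protected.

```powershell
# Added example: block executables launched from user profile temp/app folders
# using Software Restriction Policy path rules written to the local machine.
# Assumption: the SRP registry layout under Safer\CodeIdentifiers, where the
# subkey "0" holds rules for the Disallowed security level.
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Base policy: everything allowed by default (0x40000 = Unrestricted),
# enforced for all users (PolicyScope 0), applied to all software files
# except DLLs (TransparentEnabled 1) so normal applications keep working.
New-Item -Path $srp -Force | Out-Null
Set-ItemProperty -Path $srp -Name 'DefaultLevel'       -Type DWord -Value 0x40000
Set-ItemProperty -Path $srp -Name 'TransparentEnabled' -Type DWord -Value 1
Set-ItemProperty -Path $srp -Name 'PolicyScope'        -Type DWord -Value 0

# The folders a dropper run from an email attachment typically writes to.
# "%AppData%\*.exe" covers the folder itself; "%AppData%\*\*.exe" covers
# one level of subfolders, which is where CryptoLocker normally lands.
$blockedPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe'
)

foreach ($pattern in $blockedPaths) {
    # Each path rule is its own GUID-named subkey under the Disallowed level.
    $ruleKey = "$srp\0\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name 'ItemData'     -Type ExpandString -Value $pattern
    Set-ItemProperty -Path $ruleKey -Name 'SaferFlags'   -Type DWord  -Value 0
    Set-ItemProperty -Path $ruleKey -Name 'Description'  -Type String -Value "Disallow $pattern (ransomware mitigation)"
    Set-ItemProperty -Path $ruleKey -Name 'LastModified' -Type QWord  -Value ([DateTime]::Now.ToFileTime())
}

# Apply the policy and list the rules that are now in place for review.
gpupdate /force | Out-Null
Get-ChildItem "$srp\0\Paths" | ForEach-Object {
    Get-ItemProperty $_.PSPath | Select-Object ItemData, Description
}
```

Test the rules with a harmless executable copied into %AppData% before rolling them out; legitimate installers that run from AppData (some updaters do) will need an explicit Unrestricted rule of their own.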
I hope this cleared up some of the questions you had about this Trojan horse. Feel free to leave a comment, and if you are worried about email filtering and really want to protect your environment from ransomware, visit us and download a free 30-day evaluation; you will be amazed by the product and the support you will get.