Tuesday, September 24, 2013

Fighting The Destructive CryptoLocker Ransomware

A panicked call came in this morning from a corporate client reporting that there were files on their file server that couldn't be read because of a message reporting an invalid file type for that file.  The client was worried because these were important Excel, Word and PDF files which worked fine yesterday.  A second call followed the first almost before we could hang up the phone from another user reporting even more files that were no longer usable.  The problem of unusable files appeared to be spreading like wildfire across their network!

What was the cause?  It was a reasonably new ransomware program called CryptoLocker, and it's pretty devastating.  Here's what we know:

CryptoLocker arrives either as an e-mail attachment (typically a .zip holding an executable dressed up with a PDF icon) or as a download from a compromised web site.  In most reported instances the user has to open the attachment, or accept a download prompt from the web site, before it runs.

It rapidly begins encrypting every MS Office file (Word, Excel, PowerPoint etc.), PDF, audio and image file it can reach, including files on any mapped network drive the logged-in user can write to.  The encryption is strong public-key cryptography: the key needed to decrypt is held only on the criminals' servers, and technicians report essentially no success recovering files without it.  In the instance we encountered today, all of the affected files and folders had their modified date time stamp set to the time of the infection.
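The first question on the file server is which files are actually damaged and when the encryption ran.  The following PowerShell script is an added example, not code from the original post or from any vendor: it walks a share and flags Office, PDF and image files whose first bytes no longer match what their extension promises (an encrypted file no longer starts with the "PK" or "%PDF" header its application expects, which is why Office reports an invalid file type), then groups the hits by last-write minute, since encrypted files cluster tightly on that timestamp.  The script name, the signature table and the output layout are this example's own choices.

```powershell
# Added example, not code from the original post: walk a share and flag files
# whose leading bytes no longer match their extension, which is what an
# encrypted Office/PDF/image file looks like to the scanner. Run it on the
# file server or against a mapped drive:
#   .\Find-DamagedFiles.ps1 -Path \\FILESERVER\Shared
# The script name, signature table and output layout are this example's own.
param(
    [Parameter(Mandatory=$true)][string]$Path
)

# Leading bytes ("magic numbers") for the file types named in the post.
# Modern Office files are ZIP containers ("PK"), the legacy .doc/.xls/.ppt
# formats use the OLE compound-document header, PDFs begin with "%PDF".
$Signatures = @{
    '.docx' = [byte[]](0x50,0x4B,0x03,0x04)
    '.xlsx' = [byte[]](0x50,0x4B,0x03,0x04)
    '.pptx' = [byte[]](0x50,0x4B,0x03,0x04)
    '.doc'  = [byte[]](0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1)
    '.xls'  = [byte[]](0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1)
    '.ppt'  = [byte[]](0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1)
    '.pdf'  = [byte[]](0x25,0x50,0x44,0x46)
    '.jpg'  = [byte[]](0xFF,0xD8,0xFF)
    '.png'  = [byte[]](0x89,0x50,0x4E,0x47)
}

# Read only as many bytes as the signature needs and compare them.
function Test-HeaderMatches {
    param([string]$File, [byte[]]$Expected)
    $buffer = New-Object byte[] ($Expected.Length)
    $stream = [System.IO.File]::OpenRead($File)
    try     { $read = $stream.Read($buffer, 0, $buffer.Length) }
    finally { $stream.Close() }
    if ($read -lt $Expected.Length) { return $false }
    for ($i = 0; $i -lt $Expected.Length; $i++) {
        if ($buffer[$i] -ne $Expected[$i]) { return $false }
    }
    return $true
}

# Collect one record per file whose header does not match its extension.
$damaged = @(Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $Signatures.ContainsKey($_.Extension.ToLower()) } |
    ForEach-Object {
        $file = $_
        try {
            $ok = Test-HeaderMatches -File $file.FullName -Expected $Signatures[$file.Extension.ToLower()]
        } catch {
            Write-Warning "Could not read $($file.FullName): $_"
            return   # inside ForEach-Object, 'return' skips to the next file
        }
        if (-not $ok) {
            New-Object PSObject -Property @{
                LastWriteTime = $file.LastWriteTime
                Length        = $file.Length
                Path          = $file.FullName
            }
        }
    })

"Damaged files found: $($damaged.Count)"
$damaged | Sort-Object LastWriteTime | Format-Table LastWriteTime, Length, Path -AutoSize

# Encrypted files cluster on LastWriteTime: the busiest minute is when the
# encryption ran, and the earliest entry is about when the infected PC first
# reached this share.
$damaged | Group-Object { $_.LastWriteTime.ToString('yyyy-MM-dd HH:mm') } |
    Sort-Object Count -Descending | Select-Object Count, Name -First 10 | Format-Table -AutoSize
```

Run it read-only against each share before restoring anything: the list tells you exactly which files to pull from backup, and the timestamp cluster narrows down which PC was writing to the server at that moment.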

In some instances, the program changes the PC desktop background to a red splash screen identifying itself.  It then displays a warning screen about the encryption and gives the user 72 hours to send $300 for the decryption key, complete with a countdown clock to drive home the fact that there is a deadline to pay the ransom.

What do you do if you find yourself infected?

First and foremost, if you're on a network, immediately disconnect the PC from the network by removing the network cable (or disabling the wireless card) to minimize the damage.  Logging off will stop the encryption running under your account, but the encryption reaches the server through the infected PC's mapped drives, so physically cutting the connection is what protects the shared files.

Here's how to remove CryptoLocker:

Restart your computer in Safe Mode.  Choose the "Safe Mode with Networking" option if you need to download tools; otherwise plain Safe Mode is the safer choice, and keep the PC off the company network either way.


When Windows starts with the words "Safe Mode" in each corner of your desktop, launch Windows Task Manager (press Ctrl+Shift+Esc, or Ctrl+Alt+Del and choose Task Manager).  CryptoLocker's process has a random name, so on the Processes tab look for unfamiliar executables, particularly any running from your profile or temp folder, and right-click them to end them.

Open the Control Panel from the Start menu and search for Folder Options.  In the Folder Options window, click the View tab, check "Show hidden files and folders", uncheck "Hide protected operating system files" and press OK.

Click on the "Start" menu again and then click on the "Search programs and files" box.  Search for and delete the executable CryptoLocker created.  Its name is random (shown here as random.exe); the usual locations are:
  • %AllUsersProfile%\random.exe
  • %AppData%\Microsoft\Windows\Templates\random.exe (%AppData% already resolves to your ...\AppData\Roaming folder)
  • %Temp%\random.exe
 
Open the Registry Editor by choosing Run from the Start menu, typing REGEDIT in the Run box and clicking "OK".  When Registry Editor is open, search for and get rid of the following registry entries ("Random" again stands for the random name the malware chose).  Export each key with File > Export before deleting, so a mistake can be reversed:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM CHARACTERS].exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Random
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = Random
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\Random.exe

You can then reboot the computer normally to check whether the virus is completely removed.  You'll know it's gone if the CryptoLocker warning window doesn't return, but we recommend updating your anti-virus program and running a full scan, as well as running a program like Malwarebytes, as an additional precaution.  Only then should you reconnect the PC to the server.
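Because every file name and registry value in the steps above is random, it helps to see the actual candidates before ending anything or deleting anything.  The PowerShell script below is an added example, not code from the original post: it inventories the drop folders, the Run keys and the Explorer policy key listed above, prints the CertificateRevocation value the post mentions, and lists running processes whose executable lives under a profile or temp folder.  It changes nothing on the machine; the "suspicious location" rule is this example's own heuristic, and the folder list follows the paths given in the post.

```powershell
# Added example, not code from the original post: inventory the drop folders,
# autorun keys and running processes the removal steps tell you to check, so
# the real (random) file name is visible before you end a process or delete a
# registry value. Read-only; it changes nothing.
# The "suspicious location" rule (an executable launched from a profile or
# temp folder) is this example's own heuristic.

$dropFolders = @(
    $env:AllUsersProfile,
    (Join-Path $env:AppData 'Microsoft\Windows\Templates'),
    $env:Temp,
    $env:AppData,
    $env:LocalAppData
) | Where-Object { $_ } | Select-Object -Unique

function Test-SuspiciousPath {
    param([string]$FilePath)
    if (-not $FilePath) { return $false }
    foreach ($dir in $dropFolders) {
        if ($FilePath.ToLower().StartsWith($dir.ToLower())) { return $true }
    }
    return $false
}

"=== Executables sitting in the drop folders named in the post ==="
foreach ($dir in $dropFolders) {
    Get-ChildItem -Path $dir -Filter *.exe -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

"=== Autorun entries (SUSPICIOUS = launches from a drop folder) ==="
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping properties; skip them.
    foreach ($prop in ($values.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $cmd = [string]$prop.Value
        # The executable is the quoted first token, or else the first whitespace-delimited token.
        if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
        $flag = if (Test-SuspiciousPath $exe) { 'SUSPICIOUS' } else { '          ' }
        "{0} {1}\{2} = {3}" -f $flag, $key, $prop.Name, $cmd
    }
}

"=== Internet Settings\CertificateRevocation (listed in the post) ==="
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' `
    -Name CertificateRevocation -ErrorAction SilentlyContinue |
    Select-Object CertificateRevocation

"=== Running processes started from a drop folder ==="
Get-Process | ForEach-Object {
    $exePath = $null
    try { $exePath = $_.Path } catch { }   # protected system processes hide their path; ignore them
    if (Test-SuspiciousPath $exePath) {
        "{0,6}  {1,-25} {2}" -f $_.Id, $_.ProcessName, $exePath
    }
}
```

Run it from a PowerShell prompt in Safe Mode before working through the manual steps.  Anything flagged SUSPICIOUS, or any process listed at the end, is what those steps have you end and delete; the registry value names it prints are the ones to export and then remove.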
 
Be aware that your desktop will probably still have the modified background, but you can easily restore it using the Display option in Control Panel.
 
If there can be any good news about this ransomware, it's that it doesn't currently appear to spread itself to other PCs across the network; it stays put at the initial point of infection.  The damage does reach the network, though: it encrypts files on any share or mapped drive the infected user can write to, which is how the file server in this case was hit.
 
The bad news is that it's very unlikely that you'll be able to recover or decrypt any files this program encrypted.  Hopefully you've kept a recent backup copy of all of your critical files and can restore those that were damaged; if not, you're probably out of luck.  Two things to check before giving up: the Previous Versions tab on the affected server folders, if shadow copies were enabled, may hold clean copies from before the infection; and make sure the backup itself isn't on a drive the infected user could write to, because a backup that is just another mapped share gets encrypted along with everything else.
 
If you haven't protected your PC and server data yet, why not give ACT a call for a free 30 day trial of DataVault Files And Folders.  It's the easiest way to keep a secure backup for all of your critical business files.  You can arrange for your free trial by calling us at (847) 639-7000.
