Over the past few weeks an untraceable band of hackers has flooded the internet with a particularly nasty virus known as CryptoLocker. The virus is contracted by users who open infected email attachments that appear to be from banks, credit card companies, PAYCHEX, ADP, FEDEX, UPS, etc. Please be aware that these companies NEVER send attachments in their emails, so if you see one, you should treat it as suspicious and delete it. The same goes for any other email with an attachment that you are not specifically expecting.
What makes this virus particularly worrisome is:
1. Hackers are continuously developing new strains to outpace anti-virus programs' ability to keep up with them. This means that despite the best protection, infected emails may still get through.
2. The virus will immediately encrypt all files on your laptop, and then will go out to your mapped drives and encrypt everything you have access to on the network. In order to decrypt the files you will have to pay a ransom ranging from $300 to $2,000, and even paying does not guarantee success because these hackers move from server to server.
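Because the infection encrypts whatever the logged-in user can write to over the network, it is worth knowing in advance which mapped drives that covers. The following PowerShell is an added example, not part of this notice and not a vendor tool: it lists the current user's mapped network drives and checks whether each one is writable by creating and immediately deleting an empty probe file. It assumes PowerShell 3.0 or later (for the DisplayRoot property on Get-PSDrive) and that the shares tolerate a short-lived temporary file.

```powershell
# Added example: report which mapped network drives the current user can write to,
# i.e. which shares an infection running under this account could encrypt.
# Assumes PowerShell 3.0+ (DisplayRoot is populated for mapped drives).

function Get-MappedDriveExposure {
    # Mapped drives are FileSystem drives whose DisplayRoot is a UNC path (\\server\share).
    $mapped = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.DisplayRoot -like '\\*' }

    foreach ($d in $mapped) {
        # Probe file name is constructed here; a GUID keeps it from colliding with real data.
        $probe = Join-Path $d.Root ('.write-probe-' + [guid]::NewGuid().ToString('N') + '.tmp')
        $writable = $false
        try {
            # Create and immediately remove an empty file; success means this user has write access.
            New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
            Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
            $writable = $true
        } catch [System.UnauthorizedAccessException] {
            $writable = $false   # read-only share: safe from encryption by this account
        } catch {
            $writable = $false   # offline or otherwise unreachable: treat as not exposed right now
        }
        [pscustomobject]@{
            Drive    = $d.Name + ':'
            Share    = $d.DisplayRoot
            Writable = $writable
        }
    }
}

# Writable shares first: these are what an infection on this machine could reach.
Get-MappedDriveExposure | Sort-Object -Property Writable -Descending | Format-Table -AutoSize
```

Run it as the ordinary user, not as an administrator, since the question is what that user's account can reach. Any share that shows Writable = True and does not need to be is a candidate for read-only permissions, and any share that holds backups should never appear in the writable list.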
Although our customers' networks and computers are very well protected, there are still ways for these to get through, particularly if you mix business and personal use on your computer. Users who check their personal email using Gmail, Yahoo, Hotmail, etc. can easily download an infected attachment, thereby bypassing our perimeter security protection. Also, if you use your laptop on other networks (including your home network), much of that protection is defeated.
If despite all our best efforts, you do get infected (or suspect you might be), you will see this warning:
If you see this at any time, immediately shut down your computer – and by shut down I mean literally unplug it from the wall, or hold the power button in for 10 seconds until it shuts off. Then immediately call me or the Integrated IT Help Desk. In this case don’t be concerned about shutting down properly – your computer will need a complete reinstall anyway.
Notwithstanding the above, this is to assure you that all appropriate protections are currently in place on your network. These include:
1. Firewall protection through Sonicwall Comprehensive Gateway Protection Plan – as long as default settings are in place, the firewall will not allow transmission of these email attachments.
2. SpamSoap Email Gateway – again, SpamSoap protects against transmission of these files.
3. Group Policy Objects – we have implemented an additional Group Policy Object (GPO) on customer domains. The GPO prevents the running of any executable from the user's %appdata% directory. Note that this may prevent other programs from running (to date we have only identified Spotify as affected – and why is that on your computer anyway?).
4. MalwareBytes Pro – this anti-malware program is the only known client-based product that will block this infection. If you have the MalwareBytes free version on your computer, it will only identify the infection during a scan, but will not block it from executing. MalwareBytes Pro (for $25) is very good protection against this and other threats, particularly if you use your laptop on other networks.
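For readers who want to see what the rule in item 3 amounts to on a single machine, the PowerShell below is an added example and is not the GPO deployed on customer domains, nor any vendor's code. It creates the equivalent restriction locally through Software Restriction Policies (SRP) path rules that mark executables under %AppData% as Disallowed, and it includes a preview function so that legitimate programs installed there (Spotify being the one named above) can be found before the rule is enforced. It assumes the SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, that the two patterns %AppData%\*.exe and %AppData%\*\*.exe are what the domain rule covers, and that it is run from an elevated prompt.

```powershell
# Added example (not the memo's GPO): local SRP path rules that disallow executables under
# %AppData%, plus a preview of what such rules would block.
# Assumptions: SRP registry layout under HKLM\...\Safer\CodeIdentifiers; run elevated.
#Requires -RunAsAdministrator

$SaferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SRP security level "Disallowed"
$Unrestricted = 0x40000    # SRP security level "Unrestricted" (262144)

# Assumed coverage of the memo's rule: .exe directly in %AppData% and one folder level below.
$BlockedPaths = @('%AppData%\*.exe', '%AppData%\*\*.exe')

function Get-AppDataExecutables {
    # Preview: list .exe files under the current user's %AppData% that the rules would refuse.
    # Run this first to spot legitimate applications that install there.
    $root = [Environment]::GetEnvironmentVariable('APPDATA')
    Get-ChildItem -Path $root -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

function Set-AppDataExecutionRules {
    param([string[]]$Paths = $BlockedPaths)

    # Enable SRP: everything Unrestricted by default, rules apply to all users including
    # administrators (PolicyScope 0), enforced on all files except libraries (TransparentEnabled 1).
    New-Item -Path $SaferRoot -Force | Out-Null
    Set-ItemProperty -Path $SaferRoot -Name DefaultLevel       -Value $Unrestricted -Type DWord
    Set-ItemProperty -Path $SaferRoot -Name TransparentEnabled -Value 1             -Type DWord
    Set-ItemProperty -Path $SaferRoot -Name PolicyScope        -Value 0             -Type DWord

    foreach ($p in $Paths) {
        # Each path rule lives in its own GUID-named key under the Disallowed level.
        $ruleKey = Join-Path $SaferRoot "$Disallowed\Paths\{$([guid]::NewGuid())}"
        New-Item -Path $ruleKey -Force | Out-Null
        # ItemData is REG_EXPAND_SZ so %AppData% is expanded per user when the rule is evaluated.
        Set-ItemProperty -Path $ruleKey -Name ItemData    -Value $p -Type ExpandString
        Set-ItemProperty -Path $ruleKey -Name SaferFlags  -Value 0  -Type DWord
        Set-ItemProperty -Path $ruleKey -Name Description -Value 'Block executables in %AppData% (CryptoLocker mitigation)' -Type String
    }
}

function Get-AppDataExecutionRules {
    # Audit: show the Disallowed path rules currently present on this machine.
    $pathsKey = Join-Path $SaferRoot "$Disallowed\Paths"
    if (Test-Path $pathsKey) {
        Get-ChildItem $pathsKey | ForEach-Object {
            [pscustomobject]@{ Rule = $_.PSChildName; Path = (Get-ItemProperty $_.PSPath).ItemData }
        }
    }
}

# Typical order: preview, then enforce, then confirm the rules landed.
Get-AppDataExecutables
Set-AppDataExecutionRules
Get-AppDataExecutionRules
```

Rules written this way take effect at the next logon or policy refresh. On a domain-joined machine the domain GPO overrides whatever is set locally, so this is a way to test the restriction on one workstation before relying on the central policy, and the preview function is the place to look when a program stops launching after the rule is in place.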
An important note – removal of the infection does NOT remove the encryption from your files. The only way to decrypt those files is by paying the ransom using an anonymous web currency like Bitcoin – and even then you are not assured of success, as these hackers move from host to host and the server that originally delivered the payload may no longer be in use. The only post-infection protection is a current backup that was run before the time of infection.