Virus Removal: Initial reaction to the cryptolocker virus

Earlier this year a new kind of virus came onto the scene, and unlike most of what we see, this one's bite is every bit as bad as its bark.

‘Cryptolocker’, as it’s known, sniffs out your personal files, wraps them in strong encryption and then demands money for the key.
I’ve collected some details about this new and highly unpleasant threat.

  • Firstly, it really encrypts. It reaches across network shares and encrypts anything the infected user has write access to, and infection does not require that user to be a local administrator.
  • Secondly, most anti-virus products do not catch it until the damage is done.
  • Thirdly, the payment timer is real, and your opportunity to pay goes away when it lapses.

It’s largely being spread via email attachments claiming to be a dispute notification, though machines already infected by the Zeus botnet have had the virus pushed to them directly. Because it runs with the logged-in user’s own privileges and never asks for more, it is fully functional regardless of UAC (User Account Control) or whether that user is a local administrator, and it has been reported on everything from Windows XP through to Windows 7 64-bit.

It will also encrypt anything on mapped network drives that the current user has write access to.

Many antivirus products have been reported as not catching the virus until it’s too late, including MSE, Trend Micro WFBS, ESET and Kaspersky. A late detection can make matters worse: the product reverts the registry changes and quarantines the executables, leaving the encrypted files behind but stripping out the public key and file list the virus needs in order to fetch and apply the private key. Releasing the files from quarantine does restore that state, as does restoring the registry keys it added and downloading another sample of the virus.

What’s notable about this virus, and what is going to lead to a lot of tough decisions, is that paying for decryption actually does work, so long as their C&C server is up. They redeem the GreenDot MoneyPak manually and then push a notification telling the infected machine to call home for the private key, which it then uses to decrypt. Decryption is slow, roughly 5GB/hr based on forum reports. The virus keeps its list of encrypted files and paths in the registry, so if you are paying, not moving or renaming the files is vital.

Also notable is that the payment timer does appear to be genuine: multiple users have reported that once it ran out, the program uninstalled itself, and re-infecting the machine does not bring a new timer.

Because the private key that unlocks each victim’s files never leaves the attackers’ server, and the encryption itself is strong, brute-forcing a decrypt is essentially impossible for now.

Removal: Removing the virus itself is trivial, but no antivirus product (or any other product, for that matter) can decrypt the files unless the private key is obtained.

The big takeaway is that off-line backups are the only real route (other than paying up) to getting files back. A backup on a mapped drive, or on any other drive the user can write to, does not count: anything the user can write, the virus can encrypt.

Forecast: Reports of infections have risen almost exponentially over the last week, with more every single day. This virus is really ugly, really efficient, and really hard to stop until it’s too late.

It’s also very successful in getting people to pay, which funds the next variant that plugs what few holes have been found.

Prevention: One way to prevent this and many other viruses in a domain environment is to set up Software Restriction Policies (SRPs) that disallow running .exe files from the user’s AppData\Roaming folder, which is where the virus drops its executable. Making shares read-only wherever users only need to read them limits how much sensitive data on the server can be encrypted. Neither measure is complete on its own (a new variant can drop its executable elsewhere, and users still need write access somewhere), but together they block the version doing the rounds today.
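The SRP rule described above, as an added example that is not part of the original post: a PowerShell script that writes the path rules into the local SRP registry policy so a single machine (or a test box before you build the GPO) can be protected and checked. It assumes the registry layout under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers` (level `0` = Disallowed, `0x40000` = Unrestricted, one GUID-named subkey per path rule) is how Windows stores SRP locally; the rule list, the helper names `Initialize-SaferPolicy`, `Add-SaferPathRule` and `Get-SaferPathRules`, and the extension list are the example’s own. It goes one step beyond the post by adding a second rule for subfolders, because an SRP `*` matches only one path component, so `%AppData%\*.exe` on its own does not catch an executable dropped in a randomly named subfolder.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt (it writes to HKLM). Assumption: Windows stores local SRP policy under
# the CodeIdentifiers key below, with level 0 = Disallowed, 0x40000 = Unrestricted,
# and one GUID-named subkey per path rule. In a domain, put the same rules in a GPO.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0
$Unrestricted = 0x40000

# Rules to add. SRP's '*' matches a single path component, so the second rule is
# needed to catch executables one folder deeper than AppData\Roaming itself.
$Rules = @(
    @{ Path = '%AppData%\*.exe';   Description = 'Block exe directly in AppData\Roaming' },
    @{ Path = '%AppData%\*\*.exe'; Description = 'Block exe in subfolders of AppData\Roaming' }
)

function Initialize-SaferPolicy {
    # Default level stays Unrestricted; the path rules carve out what is disallowed.
    if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
    Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value $Unrestricted -Type DWord
    Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1 -Type DWord   # 1 = enforce for all software files except DLLs
    Set-ItemProperty -Path $Safer -Name PolicyScope        -Value 0 -Type DWord   # 0 = apply to everyone, local admins included
    # Same extension list secpol.msc writes when you create a new SRP (assumed default).
    Set-ItemProperty -Path $Safer -Name ExecutableTypes -Type MultiString -Value @(
        'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
        'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')
}

function Add-SaferPathRule {
    # Creates one path rule at the given level and returns its registry key path.
    param([string]$Path, [string]$Description, [int]$Level = $Disallowed)
    $Key = Join-Path $Safer "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $Key -Force | Out-Null
    New-ItemProperty -Path $Key -Name ItemData     -Value $Path        -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $Key -Name SaferFlags   -Value 0            -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $Key -Name Description  -Value $Description -PropertyType String       | Out-Null
    New-ItemProperty -Path $Key -Name LastModified -Value ([DateTime]::Now.ToFileTime()) -PropertyType QWord | Out-Null
    return $Key
}

function Get-SaferPathRules {
    # Lists every path rule with its level, so you can confirm what is actually in force.
    foreach ($Level in @($Disallowed, $Unrestricted)) {
        $PathsKey = Join-Path $Safer "$Level\Paths"
        if (Test-Path $PathsKey) {
            Get-ChildItem $PathsKey | ForEach-Object {
                [pscustomobject]@{
                    Level = if ($Level -eq $Disallowed) { 'Disallowed' } else { 'Unrestricted' }
                    # GetValue with DoNotExpandEnvironmentNames keeps '%AppData%' literal;
                    # Get-ItemProperty would expand it and defeat the duplicate check below.
                    Path        = $_.GetValue('ItemData', '', 'DoNotExpandEnvironmentNames')
                    Description = $_.GetValue('Description', '')
                }
            }
        }
    }
}

Initialize-SaferPolicy
foreach ($r in $Rules) {
    # Skip rules that already exist so re-running the script does not pile up duplicates.
    if (-not (Get-SaferPathRules | Where-Object { $_.Path -eq $r.Path })) {
        Add-SaferPathRule -Path $r.Path -Description $r.Description | Out-Null
    }
}
Get-SaferPathRules | Format-Table -AutoSize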

Beyond that, check your off-line backups!

Click to find out more about our virus removal services across Dublin, Meath and Cavan.
