CryptoLocker is one of the most damaging pieces of ransomware in circulation, and it can do serious harm to your business's data. Once it has been received and run, it goes through the files on your computer and encrypts them; the people behind it then demand a ransom for the key needed to unlock them. What makes it especially dangerous is that it does not stop at the local disk: if your workstation has access to network shares, it will also encrypt every file on those shares that your account can write to, so a single infected PC can take out the data on a connected server.
CryptoLocker is also called a "silent" infection, because there is usually no sign that it is running until you notice that your files will no longer open. It typically arrives as a ZIP file attached to an e-mail that appears to come from a client, co-worker, advertiser or friend whose own machine or account has been compromised, with a generic message urging you to open the attachment. If you open the ZIP and run what is inside, nothing visible happens, but the malware immediately starts encrypting your files. The most common way people find out they have been infected is the appearance of a file called "HELP_DECRYPT" in an affected folder (strictly speaking that note is dropped by the CryptoWall family, which is commonly lumped in with CryptoLocker; the behaviour described here is the same). I've seen this come as a Notepad text file, a PNG image, an HTML document and an Internet shortcut, and it will appear wherever you have your files stored.
What makes it hard to remove is that it hides its executable in your user profile (C:\Users\[Yourname]\AppData) and adds entries to the registry so that it starts again with Windows, and it disguises itself under the name of a legitimate program even when that program is not running (Notepad.exe is the one I've seen the most).
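As an added example that is not part of the original article, the PowerShell script below looks for the three indicators described above: ransom notes (including who created them, which on a file share tells you which user account, and therefore which workstation, is infected), autorun entries in the registry that point into a user profile, and a process named like Notepad running from somewhere other than the Windows directory. The share and folder paths are placeholders you replace with your own; the HELP_DECRYPT name is taken from the text above. Run it as an administrator on the suspect workstation, or on the server that hosts the share.

```powershell
# Added triage example, not from the original article. The paths in $Roots are
# hypothetical; adjust them to the profile folders and shares you need to check.
param(
    [string[]]$Roots = @("$env:USERPROFILE\Documents", '\\fileserver\shared'),  # hypothetical
    [string]$NotePattern = 'HELP_DECRYPT*'
)

# 1. Ransom notes: where they are, when they appeared, and who created them.
#    On an SMB share the owner of a newly created file is the account that
#    wrote it, so the note's owner points at the infected user and PC.
$notes = foreach ($root in $Roots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -File -Filter $NotePattern -ErrorAction SilentlyContinue
    }
}
$notes |
    Select-Object FullName, CreationTime,
        @{ Name = 'Owner'; Expression = { (Get-Acl $_.FullName).Owner } } |
    Sort-Object CreationTime |
    Format-Table -AutoSize

if ($notes) {
    $first = ($notes | Sort-Object CreationTime | Select-Object -First 1).CreationTime
    "Earliest note: $first  (files modified after this time are suspect)"
}

# 2. Persistence: Run/RunOnce entries whose command lives under a user profile
#    (AppData, Temp) instead of Program Files or the Windows directory.
#    Some legitimate per-user apps also live in AppData, so treat hits as
#    leads to check, not as a verdict.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # skip PSPath, PSChildName etc.
        if ($p.Value -match 'AppData|\\Temp\\|\\Users\\') {
            "SUSPECT autorun: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 3. Masquerading: a process calling itself notepad but not running from
#    the Windows directory. Processes we cannot read the path of are skipped.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Name -ieq 'notepad' -and
                   $_.Path -notlike "$env:SystemRoot\*" } |
    ForEach-Object { "SUSPECT process: $($_.Name) (PID $($_.Id)) from $($_.Path)" }
```

The owner column is the useful part when the notes are on a server: the server itself is not infected, the workstation logged in as that account is. Disconnect that workstation (or disable the account) before you start cleaning up, otherwise anything you restore will be encrypted again.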
To remove it from a workstation we first copy the user profile, then delete the original one and run a malware scan in Windows Safe Mode. If the malware-removal software is unable to clean the machine, the next step is to restore the entire workstation from a backup taken before it was affected by CryptoLocker. Keep the machine off the network and away from the shares until you are sure it is clean.
To clean up a server we first copy the affected data to a separate location, then recover the encrypted files from backup. This can take a while depending on how many files were hit and how large each one is. Here at F12 a server backup is taken daily to ensure that client data is in safe hands should something like this occur.
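As an added example that is not part of the original article, this PowerShell script carries out the server-side procedure just described: it moves every file written after the infection started into a quarantine folder (keeping the folder structure), copies the matching file back from the last good backup, and lists anything that has no backup copy. All paths are hypothetical placeholders, and $Since is the earliest ransom-note creation time found during triage. CryptoLocker keeps the original file names, so the timestamp window is the practical way to tell encrypted files from untouched ones. Run it with -ReportOnly first and check the list, because any file a user legitimately saved after $Since will be rolled back as well.

```powershell
# Added recovery example, not from the original article. All paths are
# hypothetical. Disable the infected user's account or remove its share
# access first, or the restored files will simply be encrypted again.
param(
    [string]$Share      = 'D:\Shares\Clients',             # hypothetical
    [string]$Backup     = 'E:\Backups\Clients\2016-01-10', # hypothetical, last good copy
    [string]$Quarantine = 'D:\Quarantine\Clients',         # hypothetical
    [datetime]$Since    = '2016-01-11 08:30',              # earliest ransom note from triage
    [switch]$ReportOnly                                    # list what would happen, move nothing
)

$missingBackup = New-Object System.Collections.Generic.List[string]
$restored = 0

# Everything written after $Since is treated as encrypted; the ransom notes
# themselves fall inside the window and are quarantined with the rest.
$suspect = @(Get-ChildItem -Path $Share -Recurse -File |
    Where-Object { $_.LastWriteTime -ge $Since })

foreach ($f in $suspect) {
    $rel  = $f.FullName.Substring($Share.Length).TrimStart('\')
    $qDst = Join-Path $Quarantine $rel
    $bSrc = Join-Path $Backup $rel

    if ($ReportOnly) {
        "WOULD quarantine $rel" + $(if (Test-Path -LiteralPath $bSrc) { ' and restore from backup' } else { ' (NO BACKUP COPY)' })
        continue
    }

    # Move the encrypted copy aside instead of deleting it: if a decryptor
    # or the key ever becomes available, the original is still there.
    New-Item -ItemType Directory -Path (Split-Path $qDst) -Force | Out-Null
    Move-Item -LiteralPath $f.FullName -Destination $qDst -Force

    if (Test-Path -LiteralPath $bSrc) {
        Copy-Item -LiteralPath $bSrc -Destination $f.FullName -Force
        $restored++
    } else {
        $missingBackup.Add($rel)
    }
}

"Suspect files: $($suspect.Count); restored from backup: $restored; no backup copy: $($missingBackup.Count)"
if (-not $ReportOnly) {
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    $missingBackup | Set-Content -Path (Join-Path $Quarantine 'no-backup-copy.txt')
}
```

The "no backup copy" list is the part to hand to the client: those are files created or changed between the last backup and the infection, and the only other copy is the encrypted one sitting in quarantine.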
Hopefully this article will help you avoid becoming infected by CryptoLocker. Stay safe out there and let 2016 be filled with enjoyable memories and not scary ones!
NOC Technician – Hydro