The Attack On CryptoLocker – Brenten Mah

Background History

CryptoLocker is one of the most dangerous viruses out there and can cause significant harm to your business’s important data. If it is received and activated, it goes through all the files on your computer and encrypts them. To regain access to them, the distributor of the virus demands that you pay a fee to have your files unlocked. What makes this virus extremely dangerous is that if your workstation has access to network shares, it will encrypt not only your local files but also every file you have access to on a connected server.

Silent Installation

CryptoLocker is also known as a “silent virus,” because it is generally impossible to know that you have installed it until you notice that your files are inaccessible. The virus usually arrives as a ZIP file attached to an e-mail from an infected client, co-worker, advertiser or friend. The e-mail will often use a generic message to get you to open the attached file. If you click on and open the ZIP file, you won’t notice anything happening, but the virus immediately begins encrypting your files. The most common way people find out that they have been infected with CryptoLocker is the appearance of a file called “HELP_DECRYPT” in an affected folder. I’ve seen this come as a Notepad text file, a PNG image, an HTML document and an Internet shortcut, and it will appear wherever you have your files stored.

Recovery Process

The problem with this virus is that it stores itself in your user profile (C:\Users\[Yourname]\AppData) and in the Windows registry, and it masquerades as another program even when it is not running (Notepad.exe is the one I’ve seen most often), which makes it very difficult to remove.

To remove it from a workstation, we first copy the user profile and then delete the original one, running a malware scan in Windows Safe Mode afterwards. If the malware removal software is unable to remove the virus, the next step is to restore the entire workstation from a backup taken before it was affected by CryptoLocker.

To remove it from a server, we first copy the infected data to a different location, then recover the encrypted files from backup. This process can take a while depending on how many files were infected and how large each file is. Here at F12 a server backup is done daily to ensure that client data is in safe hands should something like this occur.
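The HELP_DECRYPT marker files described above are the quickest way to work out which folders on a workstation or share need to be copied aside and restored from backup. The script below is an added example, not part of the original article or of F12’s own tooling: it walks a directory tree, flags every folder containing a file whose name (before the extension) is HELP_DECRYPT, and returns the list so the recovery team knows where the encrypted data sits. The note names in RANSOM_NOTE_STEMS are taken from the text; the sample folder tree is constructed for the demo, and the helper names (find_ransom_notes, build_sample_tree) are this example’s own.

```python
"""Sweep a directory tree for CryptoLocker-style ransom notes.

Added example, not from the original article. Matches files whose stem is
HELP_DECRYPT regardless of extension, because the note has been seen as a
.txt, .png, .html and .url file. The sample tree is constructed here for
the demo; point find_ransom_notes() at a real profile or share to use it.
"""
import os
import tempfile
from pathlib import Path

# Name stem of the ransom note described in the article. Extend this set
# if other note names are known in your environment (assumption).
RANSOM_NOTE_STEMS = {"help_decrypt"}


def is_ransom_note(name) -> bool:
    """True if the file name (without its extension) is a known note name."""
    return Path(name).stem.lower() in RANSOM_NOTE_STEMS


def find_ransom_notes(root):
    """Walk root and return sorted (folder, [note file names]) pairs.

    A folder listed here almost certainly holds encrypted files beside the
    note, so it is the data to copy aside and restore from backup.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        notes = sorted(f for f in filenames if is_ransom_note(f))
        if notes:
            hits[Path(dirpath)] = notes
    return sorted(hits.items())


def build_sample_tree(root):
    """Constructed sample: two 'infected' folders and one clean folder."""
    root = Path(root)
    docs = root / "Documents"
    docs.mkdir(parents=True)
    (docs / "budget.xlsx").write_bytes(b"\x00ciphertext\x00")
    (docs / "HELP_DECRYPT.txt").write_text("constructed ransom note")
    (docs / "HELP_DECRYPT.png").write_bytes(b"\x89PNG")
    share = root / "Shares" / "Finance"
    share.mkdir(parents=True)
    (share / "HELP_DECRYPT.url").write_text("[InternetShortcut]")
    pics = root / "Pictures"
    pics.mkdir()
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8")
    # A file that merely contains the words in its name must not match.
    (pics / "help_decrypt_notes_for_it.docx").write_text("clean")
    return root


def demo():
    """Build the constructed tree, sweep it and return folders relative to root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        hits = find_ransom_notes(root)
        for folder, notes in hits:
            print(f"{folder.relative_to(root).as_posix()}: {', '.join(notes)}")
        return [(f.relative_to(root).as_posix(), n) for f, n in hits]


if __name__ == "__main__":
    demo()
```

Matching on the file stem rather than the full name is deliberate: the note keeps the same name across the text, image, HTML and shortcut variants, so an extension-specific check would miss some affected folders. Run it against a user profile or a mounted share before copying data aside; on a large share the walk can take some time.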

In a Nutshell…

  • Never open any emails or attachments unless you are expecting one. If you receive an e-mail with an attachment from someone you know, it is recommended that you contact them directly to confirm that they sent the e-mail.
  • Delete any e-mail with an unknown ZIP attachment from a sender you do not know from your “Inbox”, then delete it from the “Deleted Items” folder as well.
  • Always have up-to-date backups of your system!
  • If you have CryptoLocker, never click on any of the HELP_DECRYPT files, never call any number that shows up randomly on your screen, and never pay the fee to get your files decrypted. You should instead call your IT Department ASAP to discuss your options!
  • Ensure that you have a reputable anti-virus and malware scanner on your workstation that runs at least twice a month. It will not guarantee that you’ll be 100% safe, but it will lower the risk of any potential viruses.

Hopefully this article will help you avoid becoming infected by CryptoLocker. Stay safe out there and let 2016 be filled with enjoyable memories and not scary ones!


Brenten Mah
NOC Technician – Hydro
