Recently there has been a dangerous new virus going around which poses significant risk to personal and business computers alike. Cryptolocker, as it is commonly known, is a new virus variant which seeks to encrypt all useful files on a computer and then hold the user to ransom for the key to unlock them. This virus preys upon users who click or preview an attachment in an email, typically disguised as a bill of lading from a shipping company. Once the attachment is opened or previewed, it will utilize a vulnerability in older versions of Java to execute and encrypt not only the entire contents of the offending computer, but all files on the network which that computer has access to. The virus is difficult to detect and is sophisticated enough to evade even modern anti-virus solutions. Worse yet, if you are infected, removing the virus also removes the encryption key needed to unlock your files, rendering all of your data completely useless.
Once a machine is infected, anything with the following file extensions will be encrypted (you will notice these are just about all useful files):
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c
Recovery from such an attack is limited to two options: pay the ransom (a dangerous idea, since it means dealing with criminals) or restore from a backup. This emphasizes the importance of maintaining incremental backups on a regular basis. Even more insidious, unless the backups are themselves encrypted (a common feature available in business class backup solutions) or the backup system is separated from view of users on the network, the backups themselves risk being encrypted.
Prevention, as with most risks in the virus landscape, involves layers of preventative measures. The most important is awareness and common sense when handling email attachments. Only open attachments which you are clearly expecting to receive from an individual, and better still, contact the individual who sent the attachment to verify that they sent one. Also, turn off any preview options within Outlook so that accidentally selecting an email cannot automatically open a bad attachment. Organizations should review their business critical data and ensure that access is limited to key individuals, rather than granted globally through group policy. The last thing you want is for a weekend bookkeeper to take down all of your data because they had access to more than just the accounting network share. Users should be compartmentalized to access only what is necessary to perform their job function. Finally… backup, backup, backup, backup. It cannot be stressed enough that maintaining good, encrypted, incremental backups on a regular basis is not just a good idea, but critical for any business.
For more information see http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
Or contact your account manager for network assessment.
Chris Bodenhamer
Sierra Computer Group Dispatch