
Ransomware: Be aware

This new menace has been making the rounds on the internet for more than a month now: a piece of malware that holds computers hostage until users pay a ransom, and it is hitting a lot of businesses. It is CryptoLocker, and it is deadly in every sense of the word.

Prasanth

Ransomware is a type of malware (rogue program) which, once it enters your company's network, can lock you out of your own data by encrypting it: this ransomware encrypts every single file that a user has access to. The attackers then demand a ransom to release the data by handing over the decryption key. It enters systems through the internet, typically bundled with pirated software, cracks, music and video downloads, or via phishing messages and malware emails from people you know whose systems have already been infected and who do not even know their machine is sending email to everyone in their address book.

CryptoLocker encrypts files matching a set of file masks on the local PC and on any mapped network drives with 2048-bit RSA encryption, which will remain uncrackable for quite a while yet. Windows XP through Windows 8 are vulnerable, and infection does not depend on being a local admin or on whether UAC is on or off.

As per Ars Technica, CryptoLocker uses strong cryptography to lock all files that a user has permission to modify, including those on secondary hard drives and network storage systems. Until recently, few antivirus products detected the ransomware until it was too late. By then, victims were presented with a screen like the one displayed on the computer of the accounting employee, which is pictured above. It warns that the files are locked using a 2048-bit version of the RSA cryptographic algorithm and that the data will be forever lost unless the private key is obtained from the malware operators within three days of the infection.


An article on Reddit states, "It's legit, it really encrypts. It can jump across mapped network drives and encrypt anything with write access, and infection isn't dependent on being a local admin or UAC state. Most antiviruses do not catch it until the damage is done. The timer is real and your opportunity to pay them goes away when it lapses."

The danger is real and severe: once the time frame, usually 72 hours or less in some cases, has elapsed, all of the data encrypted by the ransomware is lost forever.

The hackers or criminals demand money for a key which the victim can then use to release their own data. The current variant demands $300 via GreenDot MoneyPak or 2 Bitcoins.


Removing the virus itself is trivial, but no antivirus product (or any other product, for that matter) can decrypt the files until the private key is found. As for file recovery, there are only a handful of options for recovering encrypted files, and they all rely on either having System Restore/VSS turned on or having a backup that was disconnected from the infected machine. Cloud backup solutions without versioning are no good against this, as they will simply commit the encrypted files to the cloud.

The latest updates indicate that Malwarebytes Pro and Avast stop the virus from running. For sysadmins in a domain environment, one way to prevent this and many other viruses is to set up software restriction policies (SRPs) to disallow the execution of .exe files from AppData/Roaming. Apart from that, use a firewall and limit internet usage for activities that lead users to websites that may propagate this code: pornography, music, video, warez and software-crack sites, etc. In addition, keep data backups (offline backups are useful) stored in a way that resists the effects of an infection by preserving access to historical versions of the data.
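Following the point above that a backup without versioning simply commits the encrypted files, here is an added example (not from the article) of a guard a backup or sync job could run before overwriting a stored copy: it compares the byte entropy of the stored and incoming versions, holds files that suddenly look like ciphertext, and halts the run if too many files are affected at once. The file names, thresholds and sample bytes are constructed assumptions.

```python
import math
import random
from collections import Counter

HIGH_ENTROPY = 7.5   # bits/byte; encrypted output sits close to the 8.0 maximum
MIN_JUMP = 2.0       # rise over the stored version needed to count as suspicious

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(old: bytes, new: bytes) -> bool:
    """Flag a rewrite whose bytes turned near-random while the old copy was not.
    An archive replaced by another archive stays unflagged: no entropy jump."""
    old_h, new_h = shannon_entropy(old), shannon_entropy(new)
    return new_h >= HIGH_ENTROPY and new_h - old_h >= MIN_JUMP

def plan_sync(store: dict, incoming: dict) -> dict:
    """Per file: 'write' the new version, or 'hold' it and keep the stored copy."""
    plan = {}
    for name, new_bytes in incoming.items():
        old_bytes = store.get(name)
        suspicious = old_bytes is not None and looks_encrypted(old_bytes, new_bytes)
        plan[name] = "hold" if suspicious else "write"
    return plan

def should_halt(plan: dict, max_held_fraction: float = 0.25) -> bool:
    """Stop the whole run when too many files look re-encrypted at once."""
    held = sum(1 for d in plan.values() if d == "hold")
    return bool(plan) and held / len(plan) > max_held_fraction

# Constructed sample data: hypothetical names; deterministic pseudo-random bytes stand in for ciphertext/archives.
_rng = random.Random(1)
def _random_bytes(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))

TEXT = b"Quarterly invoice 2013 - accounts payable\n" * 100
STORE = {"invoice.txt": TEXT, "memo.txt": TEXT, "photos.zip": _random_bytes(4096)}
INCOMING = {
    "invoice.txt": _random_bytes(len(TEXT)),      # text replaced by ciphertext -> hold
    "memo.txt": TEXT + b"Paid on 2013-11-04\n",   # ordinary edit -> write
    "photos.zip": _random_bytes(4096),            # archive replaced by archive -> write
    "notes.txt": b"New file, no stored copy\n",   # first upload -> write
}

def demo() -> dict:
    return plan_sync(STORE, INCOMING)
```

A real job would write the held files to a quarantine area and page an operator rather than discarding them, since a legitimate bulk re-encryption (e.g. a new archive format) trips the same heuristic.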

This virus is really deadly, efficient, and hard to stop. It is also very successful at getting people to pay, because their data is at stake, and that money funds the creation of new variants that plug the few holes that have been found.

So beware and be aware!
