Security Alert - Cryptolocker

John Biglin, CEO | July 18, 2014

Special Announcement

Cryptolocker: An “Active Threat” to Windows Users

Quick Points:

  • Cryptolocker malware is an active, growing threat to any user running Windows
  • Typical infections occur via bogus e-mail attachments, links and even some ads
  • User Files become encrypted and unusable unless a ransom is paid within a time limit
  • It affects typical computer files and any network files (Documents, Spreadsheets, PDFs, Photos, etc.)
  • Cryptolocker’s creators have made tens of millions of dollars since September 2013

Full Details:
There is an evolving and increasing malware threat that is significantly impacting Windows users of all types, including corporate employees and average consumers. Cryptolocker is a very sophisticated class of malware called “ransomware” that secretly encrypts all of your files and then holds them “hostage” until you pay a ransom of approximately $300. If you do pay the $300, the crooks supply you with an encryption key that will supposedly decrypt your files. You usually must pay the ransom within 72 hours or the key is destroyed and the files left unusable (although some recent variants have provided the key for an even higher ransom after the deadline).

Cryptolocker started infecting users in the early fall of 2013. It has quickly spread internationally, but the largest number of infections has occurred in the United States. Unlike much of the older malware that was destructive or stole personal information, Cryptolocker, and malware like it, has rapidly become a very lucrative way for cyber criminals to make money quickly. In fact, it is estimated that the cyber criminals responsible for Cryptolocker made upwards of fifty million dollars ($50M) between September and December of 2013! Since the payment process uses anonymous currency, such as Bitcoins or Moneypak vouchers, the transactions are virtually untraceable and the money unrecoverable, at least for now.

How do systems get infected?
The malware enters systems via several ways, but the top methods of infection include:

  • bogus e-mail attachments
  • infected link destinations
  • USB-key files
  • other system weak points

What does Cryptolocker do?
If you get infected, Cryptolocker quietly encrypts every typical data file on your system (Documents, Spreadsheets, Presentations, Photos, Music, Drawings, etc.) separately, but the key to decrypt the files is kept on the crook’s servers until you pay their ransom. Other than your system seeming to run a little slow, you would not normally notice anything wrong. Once all files are encrypted a large billboard-like “pop-up splash screen” appears, telling the user they must pay a ransom in order to decrypt their files, such as the screen below.

If you choose not to pay the ransom within 72 hours, your files are typically lost permanently. But wait, there’s more… Cryptolocker will also encrypt personal or shared network drives, connected USB drives, and even SharePoint folders if they are set up like a network drive, including mapped drives to an Office 365 SharePoint folder.

I run Antivirus and Anti-malware software on my system. Will that protect me?
It may, but it may not. If it is kept up-to-date on a daily basis then your chances of avoiding infection are dramatically better. However, the makers of Cryptolocker have started changing the ‘signature’ of the malware itself in order to avoid detection by the antivirus/anti-malware (AV/AM) software. The AV/AM firms eventually catch it and publish an update, but then Cryptolocker changes again.

What should be done if I become infected?
Since you typically would not see any symptoms until Cryptolocker is done encrypting your files, there is not much you can immediately do once infected. I would recommend disconnecting from your network and any attached USB drives and then contacting an IT professional who is skilled in malware removal.

Should I pay the ransom fee?
There have been many reports of companies and individuals paying the ransom fee, which then triggers an almost immediate decryption of the files, making them usable again. However, there also have been reports of files remaining encrypted and unusable after the fee is paid. Most experts suggest that you do not pay the fee, but there have been countless victims who decided to pay the ransom in order to recover their critical files. One individual I know (the Chairman of an Insurance firm) chose not to pay the ransom, and instead restored files from a 1-month old backup (after having his laptop cleaned and reformatted), but another individual paid the ransom and was able to decrypt her files, which were fully usable.

In fact, in October 2013 the Swansea Massachusetts Police department was hit with Cryptolocker, which made many of their department’s files unusable. They paid the ransom, which ended up costing them $750, and took a lot of heat (pun intended) in the press for making the payment, thereby funding the crooks. In late December, a Greenland Town Hall lost 8 years of records after a computer on their network became infected. Just last month, a law firm in Charlotte, NC lost all of its files to Cryptolocker after the deadline for payment expired. In the law firm’s case, the attachment a user clicked on looked like a message from an answering service.

Can an IT firm get you your files back with special decryption tools or other techniques?
No – not with a Cryptolocker infection. Each file is separately encrypted using typical, modern-day encryption algorithms. Since the decryption key is not local to the victim’s system, there is no reliable way to decrypt the files without getting access to the key via the ransom.

How can I protect myself or my firm?

Most of the typical advice around data protection applies even with Cryptolocker:

  1. Always maintain multiple backups of your data, with a copy kept offsite and offline. (Cryptolocker will also encrypt connected USB drives, network drives, etc. if they are connected and online while it is running.)
  2. Keep Antivirus and AntiMalware running on all of your systems at all times and ensure that real-time updates are in place. There are high-quality software options available that are FREE for personal use. Likewise, keep your Operating System up to date by regularly applying system patches.
  3. Verify that the attachments you open in e-mail are really what they should be. There are many cases of file attachments labeled “Invoice.PDF” that are really “Invoice.PDF.EXE”. Never open a questionable attachment with a “.exe” or “.zip” extension. Many corporate e-mail systems block those attachments altogether, but not everyone does.
  4. Think before you click – Let your mouse pointer hover over a link in an e-mail, website or instant message for a few seconds and then make sure that the destination of the link is truly what you are expecting. See this earlier blog post for more information about phishing links: http://bit.ly/1g5ZUeu
  5. Use your system as a “Standard User” instead of an “Administrator”. Some firms and individuals run their desktops and laptops as a user that has “administrative privileges”, which lets you install anything and make changes to your computer. This is very convenient when installing software, but it leaves your system open to attack when a malware script runs. Instead, use a “standard user” (sometimes called a “limited user”) account and keep a separate “Administrator” account available for use anytime you need to install software. It is slightly less convenient but dramatically improves your chances of avoiding malware infections.
  6. If you run a business, make sure you have a Unified Threat Monitoring (UTM) device that scans network traffic coming into your office. This can be done with certain firewall devices or other devices that work with your firewall. Keep those devices constantly updated as well.
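The attachment and link checks described above (a document-looking name hiding a “.exe”, and link text whose host differs from the real destination) can be automated at the mail gateway or on a helpdesk triage box. This is an added example, not code from the original post; the message it scans is constructed for the demonstration, and the extension lists and the hypothetical `triage_message` helper are my own choices.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Extensions that run code (or, for .zip, commonly wrap it); a lure such as
# "Invoice.PDF.EXE" relies on Windows hiding the last one. Assumed lists, not from the post.
RISKY_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "zip"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "txt", "jpg"}

def flag_attachment(filename):
    """Return a reason if the filename looks like a disguised executable, else None."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in RISKY_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return f"double extension: looks like .{parts[-2]} but is .{parts[-1]}"
    return f"executable attachment (.{parts[-1]})"

HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def flag_link(href, text):
    """Flag links whose visible text names a different host than the real destination."""
    text = text.strip()
    if not re.match(r"https?://", text, re.I):
        return None  # plain words such as "click here"; nothing to compare against
    shown, real = urlparse(text).hostname, urlparse(href).hostname
    if shown and real and shown != real:
        return f"link text says {shown} but points to {real}"
    return None

def triage_message(raw):
    """Walk a raw RFC 822 message and return a list of human-readable findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name and flag_attachment(name):
            findings.append(f"attachment {name}: {flag_attachment(name)}")
        if part.get_content_type() == "text/html":
            for href, text in HREF_RE.findall(part.get_content()):
                if flag_link(href, text):
                    findings.append(flag_link(href, text))
    return findings

# Constructed sample message (not a real lure): an "answering service" style e-mail.
SAMPLE = """From: answering-service@example.com\nTo: user@example.com
Subject: Missed call\nMIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"\n\n--b1\nContent-Type: text/html\n
<p>Listen: <a href="http://evil.example.net/x">http://voicemail.example.com</a></p>
--b1\nContent-Type: application/octet-stream; name="Invoice.PDF.EXE"
Content-Disposition: attachment; filename="Invoice.PDF.EXE"\n\nMZ\n--b1--\n"""
```

Running `triage_message(SAMPLE)` yields two findings, one for the double-extension attachment and one for the mismatched link host.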

There are many other security measures you can take to protect you and your firm overall, but the list above is a reasonably good starting point for minimizing your malware infection risk, among other risks.

Cryptolocker is real and is infecting people in every state of the country. Many firms believe that their corporate antivirus/anti-malware software takes care of their end-users systems, but that is not always the case. When our firm conducts IT Assessments or IT Health Checks for new clients, we often find that updates to the antivirus/anti-malware software are not happening on a daily basis. This leaves firms open to infection by new variants of malware. Further, sometimes employees work on home computers that aren’t as well protected. (The Chairman I mentioned above was using a personal system at home.)

While we have always stressed the importance of basic security practices, our team believes it is important to provide this special announcement to our clients, partners, staff and anyone else. We are beginning to see more technically sophisticated malware threats that eventually cause catastrophic results to personal or work computer systems and data files.

The best way to minimize the risk of infection is to follow items 1-6 above, along with other typical security measures. Once you get your systems updated, it is fairly easy to keep them updated. I also suggest that you share this post with everyone you know so that they protect their systems, including home systems, before a malware infection occurs.

If you need assistance ensuring your company is properly protected, call us at 888-261-3220.
