The malware, which encrypts all files on a user’s computer, is hidden in emails claiming that a parcel is ready to be picked up from a local Australia Post office.
The malware asks the user to pay between $300 and $1950 for an unlock key; the only problem is that there is no guarantee the user will actually receive one.
Last week a staff member at 4Square Media, publisher of ChannelNews and SmartHouse, opened one of the infected emails. Within an hour hundreds of Microsoft application files and Adobe PDF files were locked by the CryptoLocker malware.
We overcame the attack by isolating our network, which included access to Dropbox, where our files were also affected.
We then initiated a restore on our servers to a time minutes prior to the malware hitting our network.
What was outstanding was the response from Dropbox, who were able to restore thousands of infected files.
CryptoLocker uses 256-bit encryption, which makes it virtually impossible for the encrypted files to be cracked.
By using offline backup we were able to overcome the attack and restore our files. Users who store files on attached devices in the same office, or simply back up to a device on the network, face a real risk from this virus, security experts say.
Once the encryption process finishes, it tells users to pay a ransom, which so far has been $100, $300 or two bitcoins, currently worth about $1950.
CryptoLocker was first detected in September. Since then it has infected millions of machines around the world, with the worst attacks being in the USA and Europe, primarily on Windows-based machines.
The fake emails, which we got purportedly from Australia Post, are also being sent purportedly from courier companies FedEx and UPS, and antivirus firm Symantec.
However, antivirus suites that disable and remove CryptoLocker can make it impossible for users to get their files back. Victims wanting to decrypt their files have been forced to reinstall the malware and apply the criminal-supplied private key.
Patrick Wheeler from Check Point Software Technologies told the Australian newspaper that his firm had some success with disabling the communication between CryptoLocker and the criminals’ server that is necessary before encryption occurs.
When a computer becomes infected, CryptoLocker attempts to communicate with a server that creates the public and private keys needed for the encryption process. The Trojan downloads the public key and encrypts the files, while the private key, which can reverse the encryption, is held on the criminals’ server until the ransom is paid.
Mr Wheeler said that to avoid its communication being blocked, CryptoLocker generates more than a thousand random domain names daily, but only a couple of these are registered as genuine URLs. Firewalls never have enough time to disable communication to those malicious URLs.
By using the same “seed”, the infected computer is programmed to generate the same 1000-plus domain names and attempts to connect to each of them until a genuine web address is found.
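The defensive value of the seeded-list design described above is that once the generation algorithm and seed are known, a defender can produce the same day's candidate names ahead of the malware and block or sinkhole them, and can spot an infected host by the burst of failed lookups it makes while walking the list. The script below is an added illustration and not code from the article or from CryptoLocker: the domain generator (`generate_domains`), the seed, the date and the DNS log lines are all constructed for the example, and the generator's hashing scheme is an assumption that stands in for the real algorithm, which the article does not describe.

```python
"""Seeded domain-list blocklist and DNS-log check (constructed example)."""
from __future__ import annotations

import hashlib
from collections import Counter
from datetime import date, timedelta

# Assumption: a toy generator of our own (SHA-256 over seed, date and counter).
# It is NOT CryptoLocker's algorithm; it only reproduces the design idea that
# both sides derive the same list from a shared seed plus the current date.
TLDS = ("com", "net", "org", "biz", "info", "ru")


def generate_domains(seed: bytes, day: date, count: int = 1000) -> list[str]:
    """Return `count` candidate domains for `day`, deterministic in `seed`."""
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        label_len = 12 + digest[0] % 6            # 12..17 characters
        label = digest.hex()[:label_len]
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def build_blocklist(seed: bytes, start: date, days: int = 2) -> set[str]:
    """Precompute candidates for `days` consecutive days so the block rule
    exists before the malware rolls over to the next day's list."""
    block: set[str] = set()
    for offset in range(days):
        block.update(generate_domains(seed, start + timedelta(days=offset)))
    return block


def parse_dns_log(text: str):
    """Yield (client, qname, rcode) from 'timestamp client qname rcode' lines."""
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                               # skip malformed lines
        _ts, client, qname, rcode = parts
        yield client, qname.lower().rstrip("."), rcode


def check_dns_log(text: str, blocklist: set[str], nx_threshold: int = 5):
    """Return (hits, chatty): hits are queries for blocklisted names, chatty
    are clients whose NXDOMAIN count reaches nx_threshold, which is the
    pattern of a host trying unregistered names until one resolves."""
    hits = []
    nx: Counter[str] = Counter()
    for client, qname, rcode in parse_dns_log(text):
        if qname in blocklist:
            hits.append((client, qname))
        if rcode == "NXDOMAIN":
            nx[client] += 1
    chatty = sorted(c for c, n in nx.items() if n >= nx_threshold)
    return hits, chatty


SEED = b"example-seed"                   # constructed, stands in for a recovered seed
DAY = date(2013, 11, 18)                 # constructed
BLOCKLIST = build_blocklist(SEED, DAY)
_CANDS = generate_domains(SEED, DAY)

# Constructed DNS log: 10.0.0.15 walks the list, 10.0.0.22 behaves normally.
SAMPLE_LOG = "\n".join([
    f"2013-11-18T09:14:01Z 10.0.0.15 {_CANDS[0]} NXDOMAIN",
    f"2013-11-18T09:14:01Z 10.0.0.15 {_CANDS[1]} NXDOMAIN",
    f"2013-11-18T09:14:02Z 10.0.0.15 {_CANDS[2]} NXDOMAIN",
    f"2013-11-18T09:14:02Z 10.0.0.15 {_CANDS[3]} NXDOMAIN",
    f"2013-11-18T09:14:03Z 10.0.0.15 {_CANDS[4]} NXDOMAIN",
    f"2013-11-18T09:14:03Z 10.0.0.15 {_CANDS[5]} NOERROR",
    "2013-11-18T09:14:04Z 10.0.0.22 www.example.com NOERROR",
    "2013-11-18T09:14:05Z 10.0.0.22 typo.exampel.com NXDOMAIN",
])

if __name__ == "__main__":
    found, noisy = check_dns_log(SAMPLE_LOG, BLOCKLIST)
    for client, name in found:
        print(f"blocklisted lookup: {client} -> {name}")
    print("clients with NXDOMAIN bursts:", noisy)
```

The two checks complement each other: the blocklist match needs the recovered seed and is exact, while the NXDOMAIN-burst count needs nothing but the resolver log and still singles out the host that is cycling through unregistered names. The last sample line for 10.0.0.15 resolves (NOERROR) and is still reported, because a registered name from the list is the live rendezvous point the article refers to.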