Cryptolocker - what you can do right now

June 3, 2014 - PRLog -- Advent IM has issued some guidance regarding Cryptolocker and GoZeus following on from the warning issued by  The National Crime Agency (NCA) yesterday.

Cryptolocker is a malicious program called ransomware. Most ransomware will effectively lock your computer up then demand payment to unlock it. Cryptolocker is a bit different as it basically encrypts everything on your system: images, document files, databases, but the encryption key is not stored anywhere on the system, it is held by the cybercriminal attacking your system and you cannot unlock and decrypt your files without them. Unfortunately you will not be aware that your files are being encrypted in front of your eyes, until it is already done. While it is not a self replicating virus, so it won’t spread across a network unaided, it does search for files to encrypt so your network is at risk if there is an infection.

According to the notice from the NCA, some Internet Service Providers (ISPs) will be contacting users if they suspect they have an infected system. Of course this does raise the issue of potential fresh exploitation by those scammers who like to phone people up claiming to be from Microsoft and telling people their machine is affected by viruses and they must pay to have it cleaned. So people are going to need to be very wary and well informed when going through this process.

CryptoLocker-thmbThis is a crime and if it happens to you report to Action Fraud Do not hand over any money or Bitcoin.

According to the NCA there is a two week (13 days from today) window in which you can rid your operating system of GoZeus (aka P2PZeus) and Cryptolocker.

What to do now:

Ensure your operating system and security software are regularly updated.
Ensure anti-virus tools and definitions are up to date. If you don’t have these tools then rectify that. These are security basics.
There are Cryptolocker prevention kits on the market, if you decide to go this route choose carefully.
Phishing and spear phishing: Don’t open attachments from unknown sources or from emails that appear to be from a legitimate source but you do not fully trust. The same applies for links it asks you to click. Examples might be bank emails that tell your account has been locked down or accessed suspiciously. Use your normal method of reaching your bank, do not click the links.
Regularly back up important data and keep it within unconnected storage. If you do get attacked you should be able to restore your data if you back up properly. Its a pain but its better than losing everything.
Businesses should check incident response and resilience protocols to monitor for infection.
Ensure staff are educated in good security practices and how to spot threats and phishing. Run regular update sessions and keep up to date on current threats and methods being used by attackers. Ensure good security hygiene across your organisation.
Use software to identify if a computer is infected. If so, disconnect it from networks immediately and seek professional advice.
If you believe you have been compromised, change online account passwords and network passwords after removing the system from the network.
Don’t share passwords, don’t reuse passwords and keep work and personal passwords distinct and separate.
Block .exe files over email, including within ZIP files. This can usually be done using an anti-spam system.

***ends