Crypto-Locker Virus. Make Sure You Backup.

modchild

After being hit by the new version of the ransomware Crypto-Locker I'm very thankful that I took my own advice and backed up all my photos. However, this virus not only affects your photos. It will encrypt all the PDF files, Office files (Word docs etc.) as well as photos and unless you call them up and pay the $300 they ask for to decrypt your files then you'll lose them.

I've ended up losing over 300 magazines and books in PDF files, a few MS Word and Access files and a few other bits as well as the last few hundred photos that weren't already backed up. Thankfully, none of the photos were 'very important' so I'm not too worried about them but it'll take me ages to get the PDFs re-scanned and there were 283 photography related books amongst them.

Searching through the net over the weekend it looks like there's NO way to get your files back and the virus is getting through most, if not all, of the main antivirus programs including AVG (which I had running), Avast, Norton and McAfee. You can remove the virus pretty easily, but that's not the end of it. I reformatted my computer to be on the safe side but my files were still encrypted after a couple of days.

By the looks of it the police aren't doing a whole lot about this form of extortion either and the only people likely to be able to decrypt the files are the NSA, FBI and similar organisations in this country. Check your AV programs to see if they can find the virus, mine came through with a photo posted on Facebook that the wife clicked on, that's all it took. The code was buried in the photo and the next time I used the computer I got a big warning on screen. BACK UP EVERYTHING!

Mods, if you think this thread would be more beneficial to users in another area then please move. This is a verifiable threat and has already caught millions out around the world.
 
I checked with Eset, the makers of the anti-virus I use. They seemed relatively confident they can recognise and isolate this attack but didn't seem 100% confident as it "mutates" regularly.
One thing they did recommend is to turn off Remote Desktop Assistance on a Windows machine.
Thanks for posting.
 
Not very nice :(. All my web browsing is done on a cheap laptop, and I have another tower PC for my photos which I keep off the web.
 
Has someone said 'get a Mac' yet?
 
I tried Shadow Explorer and I got some of my docs back but it wouldn't work with the photos. This is the second version of Crypto-Locker which costs 3 times the amount to get your files decrypted and they do, apparently, decrypt your files if you pay without any problems (they are very nice people on the phone apparently) and they class it as a service to show how vulnerable your computer is. Cheeky b@5t@%$s.

I've even had some of the files I'd got on a flash drive encrypted and it wasn't even connected to the computer. I sure hope someone stops them soon. I've done a full format and reinstalled everything from my backups now, but I'm still missing some that I hadn't saved. As I said earlier, it's quite easy to get rid of the virus, just install an anti-malware program or restore your computer to an earlier time, but if your files get encrypted then good luck in getting them back.
 
Always useful to get a heads up about a nasty but this comment throws me completely -

"I've even had some of the files I'd got on a flash drive encrypted and it wasn't even connected to the computer."

How can any malware or indeed any other program encrypt files on a device that is not connected to anything?

Dave
 
That's the reason I have one PC tower for my photos that never goes online; it's not used by anybody else.

:)
 
Recently, a new version of an old ransomware virus appeared in people's inboxes this past week. Calling itself Crypto Locker, the infection begins with a stealthily laid spam email disguised as a file transfer notice. A particular client of ours recently opened the email, and clicked the download attachment link because the client was actually expecting files to be sent via email to him. It's an especially dangerous situation in a business atmosphere, where the majority of the work is being completed on computers.

The email noted a file being sent from Xerox file transfer, which most likely does not exist, or is not widely available to the public. This is the first sign to never click a link in an email that is vague, or is delivered via an “outside” third party with no personal name attached to it. If this occurs in your email, delete it immediately.

Unfortunately, email, inherently, is not designed to be secure. It is a simple way of communication, but can be easily intercepted and often taken advantage of by sophisticated spamming techniques. For example, a recent malware attack disguised itself as a LinkedIn Invitation. How tricky is that? A technique for the majority of email applications or online browser email service, is to “hover” over the link, which basically means move the cursor to the attachment or “button” or other link in the email, but DO NOT click. Usually in a browser the associated link will appear near the bottom of the browser. If the domain name has no relation, looks suspicious, or appears as an unintelligible tangle of letters and numbers, it usually means it is not legitimate.

A good rule of thumb for reputable online services, like LinkedIn, Facebook, governmental agencies, banks, or other institutions is that their email communication with you will NEVER ask you for personal information, and should always redirect you to a link with the actual domain name in it.

What is especially dangerous about Crypto Locker is its ability to hide itself on your computer, while also infecting any associated servers or file backup systems. It intimidates users by warning them that their files have been encrypted, while presenting a countdown demanding money to “save” all of their files.
If this happens to you, and Crypto Locker appears on your desktop, the first piece of advice is to unplug your internet connection immediately—especially if your computer is a part of a network. The next piece of advice is to not pay for the “key” because an uninstall and decryption of files is possible.

What's even more important for the technologically challenged is to keep your operating system up to date, and use a trusted and reputable anti-virus program for scanning your emails, such as Kaspersky. Another important tool to enable is a backup system that automatically backs up your files. For Windows, a default setting in System Protection records previous versions of your files, so as to enable a user to return to a previous version, much like Time Machine for Mac users. Yet, the affected computer cannot have open access to these backups, because otherwise Crypto Locker will access the server and continue the destruction.

(reddit)

NEVER click on links unless you know what they are.
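The quoted article's "hover over the link and look at the real domain" advice can be automated. The script below is an added example written for this thread, not code from the original post or from any product named in it. It parses a constructed sample e-mail body (the Xerox file-transfer lure and the LinkedIn invitation are modelled on the ones the article mentions; every domain and address in it is made up or from the documentation ranges) and flags links whose visible text, target host or shape does not add up.

```python
"""Phishing-link triage: compare where an e-mail link *says* it goes with
where it *actually* goes.

Added example for this thread, not code from any post or product in it.
The HTML is a constructed sample; the hosts in it are made up (192.0.2.10 is
from the documentation IP range, *.example is a reserved TLD).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL_HTML = """
<p>You have received a document via Xerox File Transfer.</p>
<p><a href="http://192.0.2.10/xerox/download.php?id=9f8a7">Download file</a></p>
<p>Click <a href="https://linkedin.com.invite-3kz9x.example/accept">www.linkedin.com</a>
to accept the invitation.</p>
<p>Manage settings at <a href="https://www.example.com/settings">www.example.com</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels approximation (no public suffix list). Good enough
    to show that linkedin.com.invite-3kz9x.example is NOT linkedin.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def assess_link(text, href):
    """Return the reasons this link deserves suspicion (empty list = none found)."""
    reasons = []
    target = urlparse(href)
    host = target.hostname or ""
    if not host:
        return ["no host in href"]
    if target.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme {target.scheme!r}")
    if is_ip_literal(host):
        reasons.append("link points at a bare IP address")
    elif host.count(".") >= 3:
        # brand.com.<random>.example: the brand sits early, the real owner is at the end
        reasons.append(f"deeply nested hostname {host}")
    # If the visible text itself looks like a hostname or URL it must match the real target.
    shown = text.strip().lower()
    if "." in shown and " " not in shown:
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if shown_host and registrable_domain(shown_host) != registrable_domain(host):
            reasons.append(f"text says {shown_host} but link goes to {host}")
    return reasons


def triage(html):
    """Map each href in the body to its list of suspicion reasons."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: assess_link(text, href) for text, href in collector.links}


if __name__ == "__main__":
    for href, reasons in triage(SAMPLE_EMAIL_HTML).items():
        print(f"{'SUSPICIOUS' if reasons else 'ok':10} {href}")
        for reason in reasons:
            print(f"           - {reason}")
```

The registrable-domain check is deliberately crude (it does not consult the public suffix list, so co.uk-style hosts will be compared one label too short); in a real mail gateway you would swap it for a proper suffix-list library, but the mismatch it catches here, a brand name buried in the left-hand labels of someone else's domain, is exactly the trick the article describes.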
 
Eek! Bad luck, you. Hope you can get it sorted.

mine came through with a photo posted on Facebook

What was the photo? It may still be doing the rounds. And did it come from someone you know, or was it one of those amusing cat-type things that can go around the world in minutes?
 
It was an amusing cat or dog thing I believe, but I'm not 100% sure as it's very well hidden. Having said that it does embed in emails as well so it could get through when you click on one. I'm very careful with emails that I'm not sure of, I mark them as spam and bounce them or just delete them straightaway, but it could have got through with one of them.

With regards to the flash drive thing, they were Word docs and a few photos that I must have copied after the infection had embedded itself but before it announced its arrival and before I knew I had it, and it must have encrypted those as well. I got the infection announcement on Friday morning, with a big red square with Crypto-Locker and the instructions of where to pay in it, but the last time the wife was on was on Wednesday evening so there was a delay before the infection started.

Having looked on the web over the weekend for decryption tips it looks like this is a massive worldwide threat. I'm all sorted now, I've lost under 450 unimportant photos as everything else was backed up on various USB drives thankfully (including the 8Gb+ of photography books.. Phew!)
 
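The flash-drive puzzle above (files copied off the PC between infection and the ransom note were already ciphertext) is the general problem of checking a backup before you trust it. The script below is an added example written for this thread, not code from any post or product in it. It does not depend on any particular ransomware's format; it uses two facts, that a genuine PDF, JPEG or Office file starts with a known header, and that ciphertext has close to 8 bits of entropy per byte. The sample directory it builds is constructed in a temp dir; the threshold of 7.5 bits/byte is an assumption chosen to separate compressed-but-genuine files from random bytes.

```python
"""Spot files that have been overwritten with ciphertext before restoring them
from a backup or flash drive.

Added example for this thread, not code from any post or product in it.
Checks header magic first, then entropy; the sample tree is constructed.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Magic bytes for the file types the thread says were hit (PDF, Office, photos).
# .doc/.xls are OLE2 containers; .docx/.xlsx are ZIP containers.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path, entropy_threshold: float = 7.5) -> str:
    """'intact', 'likely_encrypted', or 'unknown' (no magic for the extension,
    or wrong header but low entropy, which points at corruption rather than crypto)."""
    expected = MAGIC.get(path.suffix.lower())
    if expected is None:
        return "unknown"
    with open(path, "rb") as f:
        head = f.read(4096)
    if any(head.startswith(m) for m in expected):
        return "intact"
    if shannon_entropy(head) >= entropy_threshold:
        return "likely_encrypted"
    return "unknown"


def triage_tree(root: Path) -> dict:
    """Map every file under root (relative path) to its verdict."""
    return {str(p.relative_to(root)): classify(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: genuine-looking files, 'encrypted' twins, and edge cases."""
    (root / "book.pdf").write_bytes(b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n" + b"A" * 2000)
    (root / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 2000)
    (root / "notes.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 2000)
    rng = random.Random(1)  # deterministic stand-in for ciphertext
    for name in ("book.pdf", "holiday.jpg", "notes.docx"):
        (root / ("encrypted_" + name)).write_bytes(bytes(rng.randrange(256) for _ in range(4096)))
    (root / "corrupt.pdf").write_bytes(b"not a pdf at all " * 100)   # wrong header, low entropy
    (root / "readme.txt").write_bytes(b"plain text, no magic to check")


def run_demo() -> dict:
    """Build the sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage_tree(root)


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{verdict:17} {name}")
```

Run it against a mounted backup drive by calling triage_tree on its root; anything reported as likely_encrypted was copied after the infection started and should not be restored over a good copy.
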
If there is a phone number and a payment system, how is it that these people cannot be traced?
 
Always useful to get a heads up about a nasty but this comment throws me completely -

"I've even had some of the files I'd got on a flash drive encrypted and it wasn't even connected to the computer."

How can any malware or indeed any other program encrypt files on a device that is not connected to anything?

Dave

Strikes me it probably came in on the flash drive!
 
If there is a phone number and a payment system, how is it that these people cannot be traced?

By the sounds of it you'd think it would be easy but there seems to be a grey area around it. They claim to be a 'service' to prove how vulnerable your computer is. I'd still call it extortion TBH as they are asking for money for an unwarranted service but the cash is paid to a third party I think so tracing them is still a problem. I'd like to come face to face with the barstewards though.

It definitely didn't come in with the flash drive as I'd used the same drive on 5 laptops and 3 desktops in the previous few days and they have had no problems with it and I've only had problems with the files that were copied from my computer in the couple of days before the virus struck.
 
By the sounds of it you'd think it would be easy but there seems to be a grey area around it. They claim to be a 'service' to prove how vulnerable your computer is. I'd still call it extortion TBH as they are asking for money for an unwarranted service but the cash is paid to a third party I think so tracing them is still a problem. I'd like to come face to face with the barstewards though.

It definitely didn't come in with the flash drive as I'd used the same drive on 5 laptops and 3 desktops in the previous few days and they have had no problems with it and I've only had problems with the files that were copied from my computer in the couple of days before the virus struck.

Sounds like fraud to me, whatever way you look at it :(
 
(reddit)

NEVER click on links unless you know what they are.

Indeed. Attachments you're not expecting, check the URL of links (hover over; if in doubt don't click and load the site by typing the legit URL), etc.

Also a good case for not running as an admin account and not disabling UAC (if something tries to install you could stop it when prompted).
 
Always useful to get a heads up about a nasty but this comment throws me completely -

"I've even had some of the files I'd got on a flash drive encrypted and it wasn't even connected to the computer."

How can any malware or indeed any other program encrypt files on a device that is not connected to anything?

Dave

It can't.

The drive would have had to be connected while the malware was present.
 
I've done a full format and reinstalled everything from my backups now, but I'm still missing some that I hadn't saved. As I said earlier, it's quite easy to get rid of the virus, just install a Anti Malware program or restore your computer to an earlier time, but if your files get encrypted then good luck in getting them back.

A full format doesn't get rid of everything, you need a program that scrubs the entire HDD, preferably a few times.

If you have a SSD then some allow you to create a disk for a secure wipe (as they call it), which I believe is similar in action to a Disc Scrubber for HDDs.

Because of all the crap floating around I now use VMs for almost everything and allow only communication to the internet through them and not the host machine so as to minimise the risks.

And use a second unconnected machine for editing photos and for rendering films.
 
There are plenty of guides available for cleaning the infection (albeit not recovering the encrypted files) without wiping the whole system.

From what I've read so far a secure wipe is not necessary. And even then a secure wipe may not always do the MBR for some rootkits (this does not appear to be a rootkit) unless specifically requested.
 
There are plenty of guides available for cleaning the infection (albeit not recovering the encrypted files) without wiping the whole system.

From what I've read so far a secure wipe is not necessary. And even then a secure wipe may not always do the MBR for some rootkits (this does not appear to be a rootkit) unless specifically requested.

Well for HDDs I use a program I've had for years and this does the scrub before anything starts, apart from the BIOS, so would think it's fairly safe.

Mind you even on a SATA 3 drive it can really take a time.
 
That's what I'm coming to believe too.
Luckily it's not me who's having to look at it!
I kinda enjoy removing malware, but the level this malware goes to is certainly SOMETHING ELSE!
 
Most common anti-malware apps should remove the actual malware package but that won't help with the encrypted files.

Best "solution" in this case is user education on emails and their contents.
 
On another note, I ended up with an email sent from myself (not named myself, I checked the address itself) to myself. Of course I was suspicious and it contained an exe file so obviously I wasn't clicking the file. I'm mostly curious how the hell they managed it.
 
On another note, I ended up with an email sent from myself (not named myself, I checked the address itself) to myself. Of course I was suspicious and it contained an exe file so obviously I wasn't clicking the file. I'm mostly curious how the hell they managed it.

Spoofed sender details. Par for the course with most spam, etc.
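How a message can appear to come "from yourself", and how to see through it, is visible in the raw headers: the From: line is free text chosen by the sender, while Return-Path and the receiving server's Received and Authentication-Results lines are not under the sender's control. The script below is an added example written for this thread, not code from any post. The message it parses is constructed; example.com, the .example domain and the 192.0.2.x address are documentation placeholders, and the attachment name and base64 stub are made up.

```python
"""Spot a spoofed From: header by comparing it with the envelope sender and
the receiving server's authentication verdict, and flag executable attachments.

Added example for this thread, not code from any post. The raw message is a
constructed sample using documentation domains and addresses.
"""
import email
from email import policy
from email.utils import parseaddr

SPOOFED_MESSAGE = b"""\
Return-Path: <bounce-7731@mailer.tricky-bulk.example>
Received: from mailer.tricky-bulk.example (mailer.tricky-bulk.example [192.0.2.45])
        by mx.example.com with ESMTP id 9af2d;
        Fri, 1 Nov 2013 08:14:02 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.tricky-bulk.example
From: "Dave" <dave@example.com>
To: dave@example.com
Subject: Your scanned document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream; name="scan_0001.pdf.exe"
Content-Disposition: attachment; filename="scan_0001.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Extensions Windows will execute on double-click; the list is an assumption, extend to taste.
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def domain_of(header_value: str) -> str:
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, address = parseaddr(str(header_value))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyse(raw: bytes) -> dict:
    """Return header/envelope domains, attachment names and a list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    header_from = domain_of(msg.get("From", ""))
    envelope_from = domain_of(msg.get("Return-Path", ""))
    to_domain = domain_of(msg.get("To", ""))
    auth = str(msg.get("Authentication-Results", "")).lower()
    findings = []

    # The From: header is what the user sees; Return-Path is where bounces really go.
    if envelope_from and envelope_from != header_from:
        findings.append(f"From: claims {header_from} but bounces go to {envelope_from}")
        if header_from == to_domain:
            findings.append("sender appears to be the recipient's own domain (self-spoof)")
    if "spf=fail" in auth or "spf=softfail" in auth:
        findings.append("SPF failed for the envelope sender")

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        attachments.append(name)
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            note = " (double extension)" if name.count(".") >= 2 else ""
            findings.append(f"executable attachment {name}{note}")

    return {"header_from": header_from, "envelope_from": envelope_from,
            "attachments": attachments, "findings": findings}


if __name__ == "__main__":
    result = analyse(SPOOFED_MESSAGE)
    print(f"From: domain       {result['header_from']}")
    print(f"Return-Path domain {result['envelope_from']}")
    for finding in result["findings"]:
        print(f" - {finding}")
```

Note that Authentication-Results is only trustworthy when it was written by your own mail server (the mx.example.com in the sample); a sender can forge that header too, so a gateway should strip any copy that arrives from outside before adding its own.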
 
But will bite you in the arse when someone decides to target the lesser-used systems; no one who uses the net or email is 100% safe from malware, etc.
 
But will bite you in the arse when someone decides to target the lesser-used systems; no one who uses the net or email is 100% safe from malware, etc.
Phishing is generally the biggest problem now... That can hit any OS as it just relies on people following orders...
 
Very worrying, things like this.
I got malware earlier in the year (Neil on here helped sort it) and after that I don't use the net much on my desktop, I only go on here, Photobucket and Fred Miranda (another photo site) and do all random web browsing on my phone.
Will have to show the wife this thread so she's more careful on her own PC :)
 