There’s a new virus in the wild called CryptoLocker that’s gotten our attention recently. CryptoLocker is classified as ransomware, because, as the name implies, the new virus encrypts the files on your computer and network, locking you out of them until you pay a ransom – typically $300 via prepaid debit card. Once the CryptoLocker malware runs, no antivirus software can recover from it, since the encryption key is inaccessible (held on a secret server somewhere on the Internet). So victims have to either pay the ransom or restore their files from a backup – assuming they have a valid backup.
We’ve seen two instances of CryptoLocker within the last couple weeks. In the first instance one of our customers opened an email attachment disguised as an invoice but containing the virus. We had valid, up-to-date antivirus software on the end-user’s computer, but a virus definition had not yet been issued for this particular variant of CryptoLocker. The program encrypted this end-user’s local files in their Windows profile, as well as many network files as it could find and modify. We recovered by removing the virus and restoring the network files from our offsite backups.
In the second instance, a (non-customer) company contacted us about a new virus they’d contracted on their network, again via an email phishing tactic. We investigated and identified it as CryptoLocker. However, due to a major IT oversight (one of eight we’ve outlined in our new eBook) the company had no complete and valid backups of their data, so there was little we could do to help. They were forced to pay the $300 CryptoLocker ransom via debit card and wait a couple days for CryptoLocker to decrypt all of their files. In all, they experienced several days of near-total network downtime.
This is a good example of how disasters other than the natural kind can strike your business. As Naked Security says, prevention is the key here: