CIO Security Update – Cryptolocker Virus

Cryptolocker is a computer virus that originated last year and wreaked havoc on millions of computer users. A new variant was detected today.

The virus is spread when a computer user clicks an infected file from a link, email attachment or USB drive. Once the file runs on the computer, it begins to encrypt your files and rename them.

For example, if you had a file in your shared drive named QuarterlyStatements.doc, this file will be renamed to QuarterlyStatements.doc.CRYPTOLOCKER. Not only are you unable to open this file, but trying to open it may help spread the virus throughout your system. In the folder with your newly encrypted and renamed files there is a simple text file called “ReadmeToUnlock” which gives you basic instructions on how you can pay to unlock your files. Your options are either to pay, or to rely on your IT professionals to restore from backups. Both options take a considerable amount of time and energy. In some cases, the ransom note is never provided. In some cases, even when the ransom is paid, files are not decrypted!
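For IT staff scoping a restore, the two indicators described above (the appended .CRYPTOLOCKER suffix and the ReadmeToUnlock note) can be inventoried without opening any affected file. The following is an added example, not part of the original bulletin; the function names, the case-insensitive matching and the sample folder names are assumptions made for illustration.

```python
import os
import tempfile
from collections import defaultdict

SUFFIX = ".CRYPTOLOCKER"      # appended to encrypted files, per the bulletin
NOTE_NAME = "readmetounlock"  # ransom note name, per the bulletin; any extension accepted (assumption)


def scan_share(root):
    """Return {folder: {"encrypted": [original names], "note": bool}} for affected folders."""
    report = defaultdict(lambda: {"encrypted": [], "note": False})
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.upper().endswith(SUFFIX) and len(name) > len(SUFFIX):
                # Strip the appended suffix to recover the name to look up in backups.
                report[folder]["encrypted"].append(name[: -len(SUFFIX)])
            elif os.path.splitext(name)[0].lower() == NOTE_NAME:
                report[folder]["note"] = True
    return dict(report)


def restore_list(report):
    """Original file paths to request from backup, sorted for a stable hand-off."""
    return sorted(
        os.path.join(folder, original)
        for folder, info in report.items()
        for original in info["encrypted"]
    )


if __name__ == "__main__":
    # Constructed sample tree; no real share is touched.
    with tempfile.TemporaryDirectory() as share:
        samples = {
            "finance": ["QuarterlyStatements.doc.CRYPTOLOCKER", "ReadmeToUnlock.txt"],
            "hr": ["Roster.xls.CRYPTOLOCKER"],  # encrypted, but no ransom note left behind
            "clean": ["notes.txt"],
        }
        for sub, names in samples.items():
            os.makedirs(os.path.join(share, sub))
            for name in names:
                open(os.path.join(share, sub, name), "w").close()
        report = scan_share(share)
        for folder, info in sorted(report.items()):
            print(folder, len(info["encrypted"]), "encrypted; note present:", info["note"])
        print("\n".join(restore_list(report)))
```

The scan only reads directory listings, so it never opens an encrypted file, and it still reports folders where files were renamed but no ransom note was left.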

Unfortunately, because the virus can vary and disguise itself differently each day, it is difficult for any antivirus program to detect. These so-called “zero-day” attacks occur because your antivirus responds to viruses already found on the internet; it simply cannot keep up with variations as quickly as they are made. Still, there are steps that we can all take to help prevent this type of infection from occurring and spreading.

First, as email users we should be wary about files or links sent to us. While emailed links from a stranger are easily avoided, links and attachments from friends and coworkers are often trusted without question. Hackers know this and can send out spoofed emails, pretending to be your friends and coworkers, that carry this and other viruses. If you have any reason to be suspicious of, or were not expecting, a link or attachment from any email sender, call them and verify that it is legitimate. If you are on a website or application that has links to an application that you can run (LinkedIn, Skype, MSN Messenger), these links can also lead you into running a program which contains this malware.

Finally, it is always a good idea to verify with your IT department/resource that they can restore your backups. It is good to discuss the level to which backups can be restored and understand the amount of time that it can take during a disaster scenario.

To learn more about Cryptolocker and the computer hijackers that have so far made $27 million holding files for ransom, see http://en.wikipedia.org/wiki/CryptoLocker (this link is legitimate).