In September, a new type of trojan ransomware, CryptoLocker, started making the rounds by way of email attachments and links on infected webpages. It doesn’t destroy anything on your computers; it encrypts the data so the user can’t access it.
Once the files are encrypted, a screen pops up directing the user to pay a ransom of $100 to $300 (or two Bitcoins) within three days to regain access to the files. Beyond the 72-hour deadline, the ransom rises to 10 Bitcoins (about $3,000).
CryptoLocker itself is not difficult to remove; the damage comes from the encryption. It targets commonly used files, including those created with Microsoft Office (doc, docm, docx, ppt, pptm, pptx, pst, xls, xlsm, xlsx), WordPerfect (wpd), and OpenOffice (odb, odm, odp, ods, odt), as well as common types of graphics files such as jpg, psd and raw. The files are encrypted using a 2048-bit RSA key, which makes recovering them by brute force infeasible in any useful amount of time. As Kaspersky Lab System Engineer Adam Burns said in a support forum posting:
However, as the private key is kept on the attackers’ server and it uses RSA-2048, there is currently no possible way to decrypt the files that were already attacked.
I strongly advise everyone take part in backing up critical data. This virus really encrypts your files.
Most antivirus vendors have tools to remove CryptoLocker from an infected machine and also provide advice on how to prevent an infection in the first place.
However, they do not provide a method of decrypting the files, so it is good to take Burns’s advice about “backing up critical data” so one can then restore the data without having to pay the ransom. The question is how fast one can fully restore normal operations after removing CryptoLocker. One poster to the Sysadmin forum on Reddit described it like this:
As I see it, to recover from infections that threaten encryption or deletion, you need backups that keep incremental and/or differential copies of files, so that if the infection happens on Friday and the scheduled daily backups saved Saturday and Sunday, on Monday you could easily roll files back to the un-infected state from Thursday.
But I don’t like how long [consumer cloud backup solutions] take to backup a system, nor how long it might take to restore a whole system. Who can wait weeks to restore?
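The roll-back the Reddit poster describes, as an added example that is not part of the original post or any vendor's product: daily snapshots are modelled as an in-memory mapping of snapshot date to file contents, the infection day is Friday, and the Saturday and Sunday backups have faithfully copied the encrypted files. The helper names, dates and file contents are constructed for illustration; the point the code makes is that the restore must select the newest snapshot strictly before the infection, not simply the most recent one.

```python
from datetime import date
from typing import Dict, List, Optional, Tuple

# A snapshot maps file path -> content as captured that day; the backup
# set maps snapshot date -> snapshot (versioned, not a single mirror).
Snapshot = Dict[str, bytes]
BackupSet = Dict[date, Snapshot]

# Constructed sample data (not real files): Thursday's snapshot is clean,
# the infection strikes on Friday, and the scheduled daily backups on
# Saturday and Sunday copy the now-encrypted documents. The opaque byte
# strings stand in for ciphertext.
THURSDAY = date(2013, 10, 17)
FRIDAY = date(2013, 10, 18)     # day of infection; no backup ran
SATURDAY = date(2013, 10, 19)
SUNDAY = date(2013, 10, 20)

_ENCRYPTED: Snapshot = {
    "docs/q3-report.docx": b"\x8f\x12\xa4\x00\x9c\xde\x41",
    "img/logo.psd": b"\x07\xff\x3b\x91\x62",
    "notes/readme.txt": b"plain text notes",  # not a targeted type, untouched
}

SNAPSHOTS: BackupSet = {
    THURSDAY: {
        "docs/q3-report.docx": b"Q3 revenue up 4%",
        "img/logo.psd": b"8BPS clean layer data",
        "notes/readme.txt": b"plain text notes",
    },
    SATURDAY: dict(_ENCRYPTED),
    SUNDAY: dict(_ENCRYPTED),
}

# Live file share on Monday, after the malware was removed but before
# any restore: still the encrypted versions.
MONDAY_LIVE: Snapshot = dict(_ENCRYPTED)


def last_clean_snapshot(backups: BackupSet, infection_day: date) -> Optional[date]:
    """Return the newest snapshot date strictly before the infection day.

    Snapshots taken on or after that day may already hold encrypted
    copies, so they are never candidates. Returns None when no clean
    point in time exists (for example, retention that is too short).
    """
    candidates = [d for d in backups if d < infection_day]
    return max(candidates) if candidates else None


def files_to_roll_back(live: Snapshot, clean: Snapshot) -> List[str]:
    """Paths whose live content differs from the clean snapshot."""
    return sorted(path for path, content in live.items()
                  if clean.get(path) != content)


def point_in_time_restore(live: Snapshot, backups: BackupSet,
                          infection_day: date) -> Tuple[Snapshot, List[str], date]:
    """Roll the live data back to the last clean snapshot.

    Returns the restored file set, the paths that were replaced, and the
    snapshot date used. Raises ValueError if no clean snapshot exists,
    because restoring from an already-encrypted snapshot is useless.
    """
    clean_day = last_clean_snapshot(backups, infection_day)
    if clean_day is None:
        raise ValueError("no snapshot predates the infection; cannot restore")
    clean = backups[clean_day]
    changed = files_to_roll_back(live, clean)
    restored = dict(live)
    for path in changed:
        if path in clean:
            restored[path] = clean[path]
        else:
            # File did not exist before the infection: treat it as
            # malware-created and drop it rather than keep it.
            del restored[path]
    return restored, changed, clean_day


if __name__ == "__main__":
    restored, changed, used = point_in_time_restore(MONDAY_LIVE, SNAPSHOTS, FRIDAY)
    print(f"restored {len(changed)} file(s) from snapshot {used}: {changed}")
```

Note the failure mode the poster's scenario implies: a backup that keeps only the latest copy (a mirror) would have overwritten Thursday's clean data on Saturday, and `last_clean_snapshot` would return None. Only retention of multiple points in time makes the roll-back possible.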
For those who need faster backups and restore, Zetta.net delivers backup/recovery speed that enables recovery of up to 4TB in 24 hours – to rapidly restore files following an attack by CryptoLocker, or whatever malware gets released next month. Also, since Zetta enables web-based access to backup data, IT managers can allow users access to uncorrupted business data even before CryptoLocker has been removed.
Zetta’s snapshot- and replication-based enterprise cloud backup and DR solution enables recovery from a point in time before CryptoLocker or any other malware began affecting critical business data.