CryptoLocker and its progeny

For about the last year or so, there's been a class of malware running around that's become known as "CryptoLocker".  Since there's been another recent outbreak due to some compromised ad servers, I thought I'd address it.

What CryptoLockers do is install themselves on your computer and then encrypt your files, which is to say that they scramble them in such a way that they can't be unscrambled without knowing a secret code.  You then find instructions on your computer on how to send a ransom to the people involved, usually using something untraceable like Bitcoin.

By the time that you're infected, it's too late to do anything about it.  If you've followed good practices, you have two lines of defense: the first is your antivirus, and the last is your backups. A good enough AV might not stop the initial infection, especially if you accidentally give it permission to install, but it should be able to remove the infection. That won't help your files, though, so for that you'll need to restore from backup.  You'll want to restore a file or two from before the infection, and keep stepping backward until you find versions that haven't been affected.  If you need help restoring earlier versions of files, look at the support for your software, but any reputable third-party backup product should be keeping multiple versions on hand.
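The stepping-backward search described above, automated against a versioned backup, as an added example that is not the post's own tooling: it walks the versions newest-first and returns the first one that does not look like ciphertext. The byte-entropy heuristic, the threshold and the constructed sample versions are assumptions, and compressed or already-encrypted formats (zip, PDF streams, images) also score high, so treat a "looks encrypted" result as a prompt to inspect, not a verdict.

```python
import math
from collections import Counter

# Constructed sample: a versioned backup of one document. Each entry is
# (backup timestamp, file contents). The newest version was taken after the
# infection and holds ciphertext, which reads as near-uniform random bytes.
VERSIONS = [
    ("2014-09-01T02:00", b"Quarterly report draft.\nRevenue grew 4% over Q1.\n"),
    ("2014-09-08T02:00", b"Quarterly report, final.\nRevenue grew 4% over Q1.\nExpenses flat.\n"),
    ("2014-09-15T02:00", bytes(range(256)) * 2),  # stand-in for encrypted output
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text sits around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic (assumed threshold): near-uniform byte distribution, no structure."""
    return shannon_entropy(data) >= threshold


def newest_clean_version(versions):
    """Return (timestamp, contents) of the newest version that does not look
    encrypted, or None if every version on hand has been affected."""
    for stamp, data in sorted(versions, key=lambda v: v[0], reverse=True):
        if not looks_encrypted(data):
            return stamp, data
    return None


if __name__ == "__main__":
    for stamp, data in VERSIONS:
        print(f"{stamp}  entropy={shannon_entropy(data):.2f}  encrypted={looks_encrypted(data)}")
    print("restore from:", newest_clean_version(VERSIONS)[0])
```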

If you haven't been maintaining a backup and/or don't have AV, you're going to be in some trouble.  The only thing that we've found in our practice that's capable of fully removing the most recent CryptoLocker after infection is RogueKiller.  If you don't have backups, or your backup isn't maintaining multiple versions, I have worse news: your files are probably gone.  You can try to pay the ransom, which at current writing usually runs around $350, but that's had mixed results; sometimes the attackers will decrypt the files, sometimes they ask for more money, sometimes there's simply no contact.  You'll have to weigh the possibility of getting the files back against the risk and the cost, and I can't help you with that.

I want to reiterate something I've said before: if you get infected by this, it is not your fault.  It is the fault of bad industry practices and people who care more about reducing their own liability than your protection.  It is the fault of malicious attackers exploiting the vulnerable.  There are ways you can protect yourself, if you are savvy enough, and if you've read enough of this blog and followed my advice you will probably bounce back from this.  But even if not, even if this is your first encounter, understand that a security regime that asks you to be an expert on your own safety in order to use the internet is badly broken. No one would suggest that if your car is stolen it's your fault for not knowing how car thieves work, but all too often with computer security we pretend that unsavvy users are the reason that there is cybercrime. No. Criminals and bad industry practices are the reason that there is so much cybercrime.