365 iT SOLUTIONS is committed to providing industry leading Managed IT Services in the Toronto area.
There is a very dangerous virus, named CryptoLocker, that is quickly circulating the internet. This virus encrypts and locks all documents on your computer and on its network shared drives. It then holds “the key” for ransom; if the ransom is not paid, your files will be destroyed. While every effort is taken to protect and secure networks, the virus may at times be able to circumvent many filters and antivirus systems.
This CryptoLocker Virus spreads primarily through EMAIL.
The major rule with email is: if you don’t know the sender, Do Not Open the Attachment. Additionally, do not click on any links within the email. If you do not know the sender, Delete The Email.
How the CryptoLocker Virus Works
This virus uses “social engineering” to trick people into opening the email and its attachment. Emails are disguised to look as if they come from “FedEx or UPS”, notifying you of a shipment update. They claim an update is attached; in fact, the attachment is a copy of the virus.
We have also seen emails disguised as unemployment requests, bank statements, and payroll reports. A list of known email subjects is displayed below.
In the unfortunate event that you do catch this virus and see a screen like the one below, immediately TURN YOUR COMPUTER OFF and contact tech support. Force the power off, and don’t power it back on.
Known Email Subjects of the CryptoLocker Virus:
- UPS – Your package is available for pickup ( Parcel 173145820507 )
- USPS – Missed package delivery Scan from a Xerox WorkCentre
- ADP payroll: Account Charge Alert
- ADP Reference #09903824430
- Annual Form – Authorization to Use Privately Owned Vehicle on State Business
- Important – attached form
- McAfee Always on Protection Reactivation
- My resume
- Voice Message from Unknown (675-685-3476)
- Important – New Outlook Settings
- FW: Payment Advice – Advice Ref:[GB293037313703}/ ACH credits/ Customer Ref:[pay run 14/11/13]
- New contract agreement
- Notice of underreported income
- Payment Overdue – Please respond
- Payroll Invoice
- Corporate eFax message from “random phone #” – 8 pages (random phone # & number of pages)
- FW: Case FH74D23GST58NQS
- USPS – Missed package delivery (“USPS Express Services” <firstname.lastname@example.org>)
- FW: Invoice ACH Notification (“ADP Payroll” <”@adp.com>)
- Payroll Received by Intuit
- FW: Last Month Remit Scanned Image from a Xerox WorkCentre
- Fwd: IMG01041_6706015_m.zip
- New Voicemail Message
- Voice Message from Unknown Caller (344-846-4458)
- Scan Data
- Payment Advice – Advice Ref:[GB2198767]
- Important Notice – Incoming Money Transfer
- Notice of unreported income – Last months reports
- FW: Check copy USBANK
- past due invoices
- Symantec Endpoint Protection: Important Systems Update – requires immediate action
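The subject lines above can be turned into a simple mail-gateway or mailbox-audit check. The following is an added example (not code from 365 iT SOLUTIONS) that takes a subset of the page's list, normalizes each subject so that the parcel, reference and phone numbers the campaign randomizes do not defeat the match, and then flags incoming messages whose subject matches. The sample messages and sender addresses are constructed for the example.

```python
import re

# Constructed sample: a subset of the known CryptoLocker subject lines listed above.
KNOWN_CRYPTOLOCKER_SUBJECTS = [
    "UPS – Your package is available for pickup ( Parcel 173145820507 )",
    "USPS – Missed package delivery Scan from a Xerox WorkCentre",
    "ADP payroll: Account Charge Alert",
    "ADP Reference #09903824430",
    "My resume",
    "Voice Message from Unknown (675-685-3476)",
    "Voice Message from Unknown Caller (344-846-4458)",
    "Payroll Received by Intuit",
    "Fwd: IMG01041_6706015_m.zip",
    "New Voicemail Message",
    "past due invoices",
    "Payment Advice – Advice Ref:[GB2198767]",
]

_PREFIX_RE = re.compile(r"^(?:(?:fw|fwd|re)\s*:\s*)+", re.IGNORECASE)
_DIGITS_RE = re.compile(r"\d+")
_WS_RE = re.compile(r"\s+")


def normalize_subject(subject: str) -> str:
    """Canonicalize a subject so cosmetic variation does not defeat matching.

    Lower-cases, unifies en/em dashes to '-', strips FW:/Fwd:/RE: prefixes,
    replaces every run of digits with '#' (parcel, reference and phone
    numbers change per campaign) and collapses whitespace.
    """
    s = subject.strip().lower()
    s = s.replace("\u2013", "-").replace("\u2014", "-")
    s = _PREFIX_RE.sub("", s)
    s = _DIGITS_RE.sub("#", s)
    s = _WS_RE.sub(" ", s).strip()
    return s


# Pre-normalized lookup set built once at import time.
KNOWN_NORMALIZED = {normalize_subject(s) for s in KNOWN_CRYPTOLOCKER_SUBJECTS}


def is_known_cryptolocker_subject(subject: str) -> bool:
    """True when the normalized subject matches a known lure subject."""
    return normalize_subject(subject) in KNOWN_NORMALIZED


def flag_messages(messages):
    """Return (sender, subject) pairs whose subject matches the lure list.

    `messages` is an iterable of dicts with 'from' and 'subject' keys,
    the shape a mail-gateway hook or mailbox export would hand us.
    """
    return [(m["from"], m["subject"])
            for m in messages
            if is_known_cryptolocker_subject(m["subject"])]


# Constructed sample inbox (hypothetical senders; .invalid is a reserved TLD).
SAMPLE_MESSAGES = [
    {"from": "noreply@example.invalid",
     "subject": "FW: UPS - Your package is available for pickup ( Parcel 998877 )"},
    {"from": "hr@example.invalid", "subject": "Team lunch on Friday"},
    {"from": "voicemail@example.invalid",
     "subject": "Voice Message from Unknown (555-000-1234)"},
]

if __name__ == "__main__":
    for sender, subject in flag_messages(SAMPLE_MESSAGES):
        print(f"QUARANTINE candidate from {sender}: {subject!r}")
```

Subject matching is a weak, easily changed indicator, so treat a hit as a reason to quarantine or alert for review rather than as the only control; the rule in the text (unknown sender plus attachment or link means delete) still applies to subjects that are not on the list.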
The malware has the ability to find and encrypt files located on shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives. If one computer on a network becomes infected, files on its mapped network drives can also be encrypted. CryptoLocker then connects to the attackers’ command and control (C2) server to deposit the asymmetric private encryption key out of the victim’s reach.
Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys: one for encrypting messages and a different one for decrypting them. It is a more secure form of encryption because only one party knows the private key, while both sides know the public key.
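To make the two-key point concrete, here is an added textbook RSA illustration (not code from the page or from the malware) using the small primes 61 and 53 that are standard in teaching examples. Anyone holding the public key (n, e) can encrypt, but only the holder of the private exponent d can decrypt, which is why a private key kept on the attacker's server is out of the victim's reach. The key sizes and the byte-at-a-time encoding are chosen for readability only and are far too small to be secure; real deployments use keys thousands of bits long with padding.

```python
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Return ((n, e), (n, d)) for textbook RSA from two primes.

    n = p*q is public; d is the modular inverse of e modulo phi(n)
    and is the secret that makes decryption possible.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt_int(m: int, public_key) -> int:
    """c = m^e mod n; needs only the public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt_int(c: int, private_key) -> int:
    """m = c^d mod n; needs the private exponent d."""
    n, d = private_key
    return pow(c, d, n)


def encrypt_bytes(data: bytes, public_key) -> list:
    """Toy helper: encrypt each byte separately (for illustration only)."""
    n, _ = public_key
    if n <= 255:
        raise ValueError("modulus too small to hold a byte")
    return [encrypt_int(b, public_key) for b in data]


def decrypt_bytes(cipher: list, private_key) -> bytes:
    """Reverse encrypt_bytes using the private key."""
    return bytes(decrypt_int(c, private_key) for c in cipher)


if __name__ == "__main__":
    public, private = make_keypair(61, 53)
    print("public key (n, e):", public)
    c = encrypt_int(65, public)
    print("65 encrypts to", c)
    print("decrypts back to", decrypt_int(c, private))
    # The public key alone does not undo the encryption.
    print("using only the public key gives", decrypt_int(c, public))
```

Run stand-alone, the script shows the round trip for the single value 65 and then demonstrates that applying the public key a second time does not recover the plaintext; the same property is what leaves a CryptoLocker victim unable to recover files while the attacker withholds d.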
While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have reported online that they paid the attackers and did not receive the promised decryption key.