Beware of CryptoLocker Trojan Ransomware

CryptoLocker, a malicious program known as ransomware and detected by Sophos as Troj/Ransom-ACP, is making the rounds, hitting computers via email attachments or via botnets.

Infecting your computer via Email Trojan

An example of an email containing a Trojan file hidden in an Excel document.

Infection through email may happen when you open an attachment containing the trojan. You have to take special care opening attachments, even if they look innocent enough.

Here is an example of an email that masquerades as a Payroll report; the attached file, titled Payroll.xls, contains a variant of the Win32/Kryptik.BOHR trojan.

When you are a small business owner, payroll may be on your mind, and in the middle of a busy, hectic day you just may open an email to see what it is about.

Email Internet Headers for fraudulent addresses.
Check your email header properties to spot fraudulent addresses

In this example, an email came to an email address from an “administrator” of that domain. So if my email address is “[email protected]” – I may receive an email that looks as if it was sent directly to “[email protected]” from “[email protected]”. Being in charge of our email addresses, I know for a fact we don’t have an “administrator” account – and to me, it looks suspicious when I receive an email from a non-existent email address. But if you don’t personally manage email accounts for your business, this pattern may look innocent enough to you, and that’s what crooks are counting on – that you would trust the email and open the attachment.

But beware! Here is a little trick that may help you: check the headers of the email. In my example for Outlook, I had to go to the File tab of the email message in question, and then to Properties and scroll through the details to find out more about this email’s origin. In my example, another suspicious thing here was that the Reply-To address was [email protected] (which is one of the domains of American Express).  So that’s when I know for sure that this is a manipulated email that I should not trust.
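The same header check can be scripted. The following is an added example, not part of the original article: it parses a constructed message and flags a From address on your own domain that is not a known account, and a Reply-To domain that differs from the From domain. The function names, the `known_accounts` list, and every address are hypothetical placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the article); all addresses are placeholders.
SAMPLE = """\
From: Administrator <administrator@example.com>
To: owner@example.com
Reply-To: payroll@unrelated.example
Subject: Payroll report
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached report.
--b1
Content-Type: application/vnd.ms-excel
Content-Disposition: attachment; filename="Payroll.xls"

(constructed placeholder body)
--b1--
"""

def domain(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def review_headers(raw, our_domain, known_accounts):
    """Return warnings for the two header checks described in the article."""
    msg = message_from_string(raw)
    warnings = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # Check 1: mail claiming to come from our domain, from a mailbox we never created.
    if domain(sender) == our_domain and sender not in known_accounts:
        warnings.append(f"From uses our domain but {sender} is not a known account")
    # Check 2: replies would go to a different domain than the visible sender.
    reply_dom = domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != domain(sender):
        warnings.append(f"Reply-To domain {reply_dom} differs from From domain {domain(sender)}")
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    if names and warnings:
        warnings.append("attachment on a suspicious message: " + ", ".join(names))
    return warnings

if __name__ == "__main__":
    for w in review_headers(SAMPLE, "example.com", {"owner@example.com"}):
        print("WARNING:", w)
```

Both From and Reply-To are chosen by the sender, and legitimate bulk mail often uses a different Reply-To, so treat these warnings as a prompt for a closer look rather than a verdict.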

Don’t open attachments from emails you were not expecting – even if they look innocent enough. If they come from a person you know, but you want to be sure – you can always pick up the phone and check with the person if an email was indeed sent by them and the attachment was meant to reach you.

Infecting your computer via Botnet Trojan

There have been reports that CryptoLocker also spreads via Botnet Trojan – specifically ZeuS. It spreads when a user chooses to click on a link that triggers a download and installation of the trojan. The link may mask itself as a legitimate download of a (counterfeit) executable program, ActiveX component, or Java applet. There are also instances when the trojan can be run by clicking on a deceptive pop-up window.

So please do exercise good judgment when browsing the web.

What if it is too late and CryptoLocker got a hold of your computer?

CryptoLocker Screenshot
CryptoLocker Warning Screenshot complete with timer countdown

If your computer got affected by CryptoLocker, you will see the red screen warning you that your files have been encrypted – and they will be the most important files on your computer — media (images, movie, and music) files, documents, spreadsheets, notes, etc. — as well as any files on attached or networked storage media such as USBs.

CryptoLocker then demands payment via MoneyPak (the USA only), Paysafecard, Ukash, cashU, or Bitcoin.

The malware then takes it a step further: it installs a countdown clock on your desktop that ticks backward from 72 hours.

There’s only one decryption key, and the crooks have that on their server. If you want the decryption key, you will be subject to an extortion payment of $300 to $400.

Ransomware Desktop Screenshot

Victims who pay the ransom may receive a key that unlocks their encrypted files; those who let the timer expire before paying risk losing access to their files.

Now, lately, there has been a new twist on the old Trojan – a “CryptoLocker Decryption Service” can decrypt your files for a hefty fee of several thousand dollars.

Check out this article in the UK’s The Register: “Late with your ransom payment? Never mind, CryptoLocker crooks will, er, give you a break” (Ransomware hoodlums let you settle your bill later… for a price). Cybercrooks have begun offering a late payment option, which costs victims five times as much to “buy” the decryption key necessary to unscramble their encrypted files.

What about the computer network?

Good news:

Well, I don’t know if it really qualifies as good news – but here it is:  while CryptoLocker trojan is very dangerous to your computer, it is not a virus. What it means is – it is not going to self-spread to infect your computer network – unless you deliberately run it on all your systems.

Bad News:

While it does not self-spread, it can still affect your network, because if you choose to launch it, the trojan can search your network for files to encrypt.

That includes USB drives, network file shares, and even remote (cloud) storage folders that are made to appear as drive letters by special software drivers.

CryptoLocker is also different from other types of Trojans by allowing your computer and software to keep on working without crashing or freezing your system, but your files, such as personal documents, media, spreadsheets, and others, are encrypted.

The criminals retain the only copy of the decryption key on their server – it is not saved on your computer, so you cannot unlock your files without their assistance.

If CryptoLocker is running and has already popped up its payment demand page, you can use a good anti-virus program such as the free Sophos Virus Removal Tool to remove it and clean up, but the Virus Removal Tool cannot decrypt your scrambled files – the contents are unrecoverable without the key, so you may as well delete them.

Read the recently posted “Crypto Ransomware Family grows: what you need to know about CryptoWall trojan” for updates on additions to the Crypto malware family, additional screenshots, and tips on how to identify and get rid of this ransomware.

Don’t want to get hit by ransomware? Be Proactive!

Make sure to have a good anti-virus system in place. Keep it up-to-date, make sure it does not expire and leave you unprotected – and update virus definitions on time, making sure it protects you from the latest threats.

Next, maintain a full, daily backup of your data OFF-SITE so that if you do get targeted by ransomware, you can recover all your files without payment.  Also, remember to back up all of your devices: PCs, laptops, etc – and don’t forget remote offices and third-party software data stored in cloud apps as well.

