Nasty virus's out there now October 2017
Destructive malware "CryptoLocker" on the loose - here's what to do
Filed Under: Cryptography, Data loss, Featured, Malware, Ransomware
Watch out for a destructive malware threat that calls itself CryptoLocker.
Dictated by the name Troj/Ransom-ACP, because that's exactly what it does:
holds your files to ransom.
Demanding money with menaces
Malware that encrypts your data and tries to sell it back to you, or else, is
In fact, one of the earliest pieces of malware that was written specifically
to make money, rather than simply to prove a point, was the AIDS Information
Trojan of 1989.
That Trojan scrambled your hard disk after 90 days, and instructed you to
send $378 to an accommodation address in Panama.
The perpetrator, one Dr Joseph Popp, was tracked down in the USA, extradited
to the UK to stand trial, displayed increasingly shambolic behaviour, and was
ultimately kicked out of Britain and never convicted.
Fortunately, his malware was similarly shambolic: it used simplistic
encryption algorithms, and every computer was scrambled in the same way, so free
tools for cleanup and recovery soon became available.
Sadly, the crooks behind the CryptoLocker malware haven't made the same
The malware seems to do its cryptography by the book, so there is no way to
recover your scrambled files once it has triggered. (You could, I suppose, try
paying the ransom, but I recommend that you do not.)
What CryptoLocker does
When the malware runs, it proceeds as follows:
1. CryptoLocker installs itself into your Documents and Settings folder,
using a randomly-generated name, and adds itself to the list of programs in your
registry that Windows loads automatically every time you logon.
2. It produces a lengthy list of random-looking server names in the domains
.biz, .co.uk, .com, .info, .net, .org and .ru.
3. It tries to make a web connection to each of these server names in turn,
trying one each second until it finds one that responds.
4. Once it has found a server that it can reach, it uploads a small file that
you can think of as your "CryptoLocker ID."
5. The server then generates a public-private key pair unique to your ID, and
sends the public key part back to your computer.
→ Remember that public-key cryptography uses two different keys: a public key
that locks files, and a private key that unlocks them. You can share your public
key widely so that anyone can encrypt files for you, but only you (or someone to
whom you have given a copy of your private key) can decrypt them.
6. The malware on your computer uses this public key to encrypt all the files
it can find that match a largish list of extensions, covering file types such as
images, documents and spreadhseets.
→ Note that the malware searches for files to encrypt on all drives and
in all folders it can access from your computer, including workgroup files
shared by your colleagues, resources on your company servers, and possibly more.
The more privileged your account, the worse the overall damage will be.
7. The malware then pops up a "pay page," giving you a limited time,
typically 100 hours, to buy back the private key for your data, typically for
$300. (The price point is suprisingly similar to what it was back in 1989.)
→ With the private key, you can recover your files. Allegedly. We haven't
tried buying anything back, not least because we know we'd be trading with
What we have seen
Many companys and users have sent AnyPCrepair many scrambled documents to be
These have come from people who are keenly hoping that there's a flaw in the
CryptoLocker encryption, and that we can help them get their files back.
But as far as we can see, there's no backdoor or shortcut: what the public
key has scrambled, only the private key can unscramble.
In the clumsy but categorical words of the criminals themselves:
The single copy of the private key, which will allow you to decrypt the
files, located on a secret server on the Internet; the server will destroy the
key after a time specified in this window. After that, nobody and never will be
able to restore files.
And that's why Any PC repair have included this article, since we are
faced with the sad job of telling the victims that their files are as good as
How the threat gets in
Two main infection vectors: via email attachments and via botnets.
Email attacks are fairly easy to avoid: take care with attachments you
weren't expecting, or from people you don't know well.
Infection via a botnet is a little different, since the crooks are using the
fact that you are already infected with malware as a way to infect you with yet
That's because most bots, or zombies, once active on your computer, include a
general purpose "upgrade" command that allows the crooks to update, replace, or
add to the malware already on your PC.
So take our advice: make it your task today to search out and destroy any
malware already on your computer, lest it dig you in deeper still.
What you can do
Take this story as a warning, and don't forget that there are many other ways
you could lose your files forever.
For example, you could drop your laptop in the harbour (it happens!); a thief
could run off with your computer (it happens!); or you could entrust your files
to a cloud service that suddenly shuts down (it happens!).
The endgame is the same in all cases: if you have a reliable and recent
backup, you'll have a good chance of recovering without too much trouble.
in this case, is significantly better than cure:
Don't forget that services that automatically synchronise your data changes
with other servers, for example in the cloud, don't count as backup.
They may be extremely useful, but they tend to propagate errors rather than
to defend against them.
To the synchroniser, a document on your local drive that has just been
scrambled by CryptoLocker is the most recent version, and that's
Call now on 0208 3110466 or use the online form and we can hell minimise the risk as soon as possable