And some thoughts on how to prevent it. Backup Computing is there to assist you in implementing these steps. With our suite of services, partners, and years of experience we can design and implement the plan you need.
(Parts of the following are taken and heavily modified from a presentation by Charles P. Jefferies, "The Guide to CryptoLocker Prevention and Removal".)
An introduction to CryptoLocker: the basics
(Note: there are literally thousands of variations of software, under many names, that do basically the same thing this one particular strain does.)
CryptoLocker is a type of malicious software (known as malware or, more specifically, ransomware) that makes the data on your computer (documents, pictures, music and so on) unreadable by encrypting it with 2048-bit RSA keys; it then demands payment to decrypt them. Once you pay (usually to the tune of several hundred dollars, paid usually in untraceable Bitcoins), you get a key that allows you to get your files back (maybe). The ransomware even puts a deadline on how long you have to pay the ransom. CryptoLocker usually finds its way onto computers via email attachments, many times in a Word or Excel document where macros are enabled.
Additionally, many CryptoLocker variants now go after attached network shares as well: the USB drives many people use to back up files, servers, network storage, or even shares on other desktops. So not only is the originally infected machine damaged, but the infection spreads across the network, causing even more damage.
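One practical check that follows from the above: an encrypted document has lost the recognisable header its file type normally carries, and its bytes read as random noise. The script below is an added example (not code from the original post or from Backup Computing) that walks a directory tree, such as a NAS share, and flags files of known document types whose expected "magic" header is gone and whose first few kilobytes have near-maximum entropy. The directory layout, file names and contents in `demo_scan()` are constructed for the demonstration. Files that a variant has also renamed to a new extension will not match the table and must be caught by other means.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Leading bytes ("magic numbers") expected for common document types.
# Office 2007+ files (.docx/.xlsx) are ZIP containers and start with "PK".
MAGIC = {
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}

# Shannon entropy in bits per byte. Random or encrypted data approaches 8.0.
# Compressed formats are also high-entropy, which is why this test is only
# applied to files that have already lost their expected header.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """True when a file of a known type has lost its header and reads as random bytes."""
    expected = MAGIC.get(path.suffix.lower())
    if expected is None:
        return False  # unknown type: nothing to compare against
    with path.open("rb") as fh:
        head = fh.read(4096)
    if head.startswith(expected):
        return False  # header intact: not what a bulk encryptor leaves behind
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan_tree(root) -> list:
    """Sorted relative POSIX paths of files under root that look encrypted."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and looks_encrypted(p)
    )


def demo_scan() -> list:
    """Build a constructed share in a temp directory and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "shares").mkdir()
    # Healthy document: correct header, low-entropy body.
    (root / "report.docx").write_bytes(b"PK\x03\x04" + b"A" * 2000)
    # Misnamed but harmless: wrong header, yet plainly not random.
    (root / "readme.pdf").write_bytes(b"hello world " * 100)
    # Unknown type: ignored by the scanner.
    (root / "notes.txt").write_bytes(b"todo list")
    # Simulated encrypted file: header gone, body indistinguishable from noise.
    rng = random.Random(1234)  # seeded so the demo is deterministic
    noise = bytes(rng.getrandbits(8) for _ in range(4095))
    (root / "shares" / "invoice.xlsx").write_bytes(b"\x00" + noise)
    return scan_tree(root)


if __name__ == "__main__":
    for hit in demo_scan():
        print("possible encrypted file:", hit)
```

Run against a mounted share, `scan_tree` gives a quick first answer to "how far did it spread?" before any restore is started; a sudden jump in the number of hits between two runs is also a cheap alarm to wire into a scheduled job.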
A real-life example
Last November (2016) a customer opened an email that he thought was from one of his banks. There was an attachment, which he proceeded to open in Microsoft Excel. He was prompted and asked if he wanted to enable macros for the document, and he said yes. The file opened and didn't seem to have much info in it, so he closed the file, finished a couple of emails and left for the night. Later the next day, after running around, he tried to open a couple of files to do some further work and couldn't get them to open. He also had a nice pop-up on the screen telling him he had a problem and that if he wanted his files back he would need to pay a ransom. He called Backup Computing asking for help.
I then spent the next 3 hours figuring out exactly what had happened and investigating the virus he got. Once I finally got the sequence of events from him it was immediately obvious what had happened: he was infected. Part of the reason it took me three hours was to also figure out what else was corrupted. The entire NAS holding all his business files was corrupt. The entire computer and its attached drives were corrupt. His accounting database and most zipped backups were corrupted. Luckily the other main computer in the office did not have an open share, so the files on it were not corrupted.
It took me about an hour to finally kill off the infection. I ended up using an off-the-shelf anti-virus (DO NOTE it only nailed about half the virus!); I had to deploy a couple of my low-level infection killers to finally nail the last parts buried in the registry, Windows system folders, and a couple of other locations.
Next it ended up taking another 4 hours to get his data back. First I recovered the NAS, after making a copy of all the files just in case we had to pay the ransom. It took only about 15 minutes to copy all the files back from the cloud and recover the corrupted files. (Why it took so short a time was that Backup Computing had deployed one of its NAS units with integrated backups on-site.) Turns out that the staff had NOT been backing up the accounting database to the NAS, so we were in trouble. The customer, through mistakes, had not used the planned backup routines. We did a system restore to wipe out any remaining possible file corruption of the programs. And with some fancy footwork I was able to recover the accounting data using the Backup Computing deployed NAS, only losing about 2 weeks of data instead of the better part of 9 months' worth.
Long story short, the customer was very happy he had used Backup Computing to protect his data!
Removing the CryptoLocker malware
What if it's too late and you've already been infected? If your files have been encrypted, you're unfortunately out of luck. The files are encrypted in such a way that it's all but impossible to decrypt them (unless you pay the ransom, in which case you may regain access to your files). Paying the ransom DOES NOT guarantee you will be able to decrypt. It usually does (roughly 40% of the time it works these days!) but not always. There usually isn't a way to know for sure until you pay.
Before you do anything else, isolate the machine from the network immediately. Then remove the CryptoLocker malware. There are several ways to do this; you can do it yourself or, better, have someone like Backup Computing do it for you to make sure you get every part of the virus. Note that this process is effective at removing the CryptoLocker malware itself, not at undoing the encryption of your files.
So how do you protect yourself?
Prevention is key. Here are some tips to help prevent infection and make recovery easier and less expensive.
The moral of the story is that while the CryptoLocker malware itself can be removed easily enough, the damage it does cannot be, so prevention is crucial. Be wary of emails and attachments that are sent to you, and have appropriate backups in place.
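"Appropriate backup in place" is only true if every dataset you care about is actually in the backup and recent. The missing accounting database in the example above was discovered only after the infection; a scheduled check would have flagged it weeks earlier. The script below is an added example (not code from the original post or from Backup Computing) that verifies a backup tree against a list of required datasets with a maximum age for each, and spot-checks that a backed-up copy is byte-identical to the live file. The dataset names, age limits and the temporary tree built in `demo()` are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

# Constructed policy: each dataset that must be present in the backup, mapped
# to the maximum age in hours before its newest copy counts as stale.
# Paths are relative to the backup root (hypothetical layout).
REQUIRED_SETS = {
    "accounting/company.db": 24,  # the kind of file that was never backed up in the story
    "documents": 24,
    "photos": 48,
}


def newest_mtime(path: Path):
    """Newest modification time under path (file or directory); None if nothing is there."""
    if path.is_file():
        return path.stat().st_mtime
    if path.is_dir():
        times = [p.stat().st_mtime for p in path.rglob("*") if p.is_file()]
        return max(times) if times else None
    return None


def verify_backup(backup_root, required=REQUIRED_SETS, now=None) -> dict:
    """Map each required dataset to 'ok', 'stale' or 'missing'."""
    now = time.time() if now is None else now
    root = Path(backup_root)
    report = {}
    for rel, max_age_hours in required.items():
        newest = newest_mtime(root / rel)
        if newest is None:
            report[rel] = "missing"
        elif now - newest > max_age_hours * 3600:
            report[rel] = "stale"
        else:
            report[rel] = "ok"
    return report


def sha256_file(path) -> str:
    """Streaming SHA-256 so large database files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def restore_matches(source_file, backup_file) -> bool:
    """Spot-check that the backed-up copy is byte-identical to the live file."""
    return sha256_file(source_file) == sha256_file(backup_file)


def demo() -> dict:
    """Build a constructed backup tree and verify it; returns the report."""
    now = time.time()
    root = Path(tempfile.mkdtemp())
    # documents: a fresh copy is present.
    (root / "documents").mkdir()
    (root / "documents" / "report.docx").write_bytes(b"PK\x03\x04" + b"x" * 100)
    # photos: present, but the newest file was written three days ago.
    (root / "photos").mkdir()
    old = root / "photos" / "holiday.jpg"
    old.write_bytes(b"\xff\xd8\xff" + b"y" * 100)
    os.utime(old, (now - 72 * 3600, now - 72 * 3600))
    # accounting/company.db: deliberately absent, as in the story.
    return verify_backup(root, now=now)


def demo_restore_check() -> bool:
    """Copy a constructed file and confirm the copy hashes identically."""
    root = Path(tempfile.mkdtemp())
    live = root / "company.db"
    live.write_bytes(b"SQLite format 3\x00" + bytes(range(256)) * 4)
    copy = root / "company.db.bak"
    shutil.copyfile(live, copy)
    return restore_matches(live, copy)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
    print("restore spot-check:", "ok" if demo_restore_check() else "MISMATCH")
```

Run from a scheduled task against the real backup root, anything other than "ok" should page someone, and the hash spot-check is the cheap stand-in for the full restore test that should still be done periodically.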
Backup Computing has solutions for all types of businesses and we would be more than willing to help you find a solution that works best for you.