Malicious Software - CryptoLocker

Over the last few days the DoIT Help Desk has received numerous reports of a particularly malicious piece of software named CryptoLocker. This infection is commonly contracted by visiting a website that has been compromised or by opening a malicious email attachment.

DESCRIPTION

Once the software has compromised a computer it compiles a list of all files with the following file extensions:

  • 3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx.

Each of these files is then encrypted, and a record of each encrypted file is logged under the following registry key: HKCU\Software\CryptoLocker\Files.
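To scope a restore from backup, a responder can read the artifact described above instead of guessing which files were touched. The following PowerShell script is an added example; it is not part of the DoIT article or of any vendor tool. It assumes that it is run in the affected user's context after the malware has been removed, that each value under the Files key is one recorded file, and that value names store file paths with backslashes written as '?' (a widely reported detail that the article does not state; the script only uses it as a best-effort normalization). The default report path is a hypothetical choice.

```powershell
# Added example, not from the DoIT article: list the files CryptoLocker
# recorded under HKCU\Software\CryptoLocker\Files so that restores from
# backup can be scoped, and estimate how many targeted file types exist
# under the user profile.
#
# Assumptions (not stated on the page): one registry value per recorded
# file; value names hold paths with '\' written as '?'.

param(
    # Registry key named in the article.
    [string]$FilesKey = 'HKCU:\Software\CryptoLocker\Files',
    # Hypothetical default location for the triage report.
    [string]$ReportPath = "$env:USERPROFILE\Desktop\cryptolocker-files.csv"
)

# Extensions the article lists as targeted by CryptoLocker.
$TargetedExtensions = @(
    '3fr','accdb','ai','arw','bay','cdr','cer','cr2','crt','crw','dbf','dcr','der',
    'dng','doc','docm','docx','dwg','dxf','dxg','eps','erf','indd','jpe','jpg','kdc',
    'mdb','mdf','mef','mrw','nef','nrw','odb','odm','odp','ods','odt','orf','p12',
    'p7b','p7c','pdd','pef','pem','pfx','ppt','pptm','pptx','psd','pst','ptx','r3d',
    'raf','raw','rtf','rw2','rwl','srf','srw','wb2','wpd','wps','xlk','xls','xlsb',
    'xlsm','xlsx'
)

function Get-CryptoLockerRecordedFiles {
    # Returns one object per value found under the Files key. An absent key
    # simply means the artifact the article describes is not present.
    param([string]$Key)

    if (-not (Test-Path -Path $Key)) {
        Write-Host "No $Key key present."
        return @()
    }

    $item = Get-Item -Path $Key
    foreach ($name in $item.GetValueNames()) {
        # Assumption: '?' stands in for '\' in the recorded path.
        $path = $name.Replace('?', '\')
        $ext  = [System.IO.Path]::GetExtension($path).TrimStart('.').ToLowerInvariant()
        [pscustomobject]@{
            RecordedName = $name
            Path         = $path
            Extension    = $ext
            TargetedType = ($TargetedExtensions -contains $ext)
            StillOnDisk  = (Test-Path -LiteralPath $path)
        }
    }
}

function Measure-ExposedFiles {
    # Counts files under a directory whose extensions are on the targeted
    # list, grouped by extension, to estimate what a restore would cover.
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $TargetedExtensions -contains $_.Extension.TrimStart('.').ToLowerInvariant() } |
        Group-Object { $_.Extension.ToLowerInvariant() } |
        Sort-Object Count -Descending |
        Select-Object Name, Count
}

$recorded = @(Get-CryptoLockerRecordedFiles -Key $FilesKey)
if ($recorded.Count -gt 0) {
    Write-Host ("{0} file(s) recorded under {1}" -f $recorded.Count, $FilesKey)
    $recorded | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "Report written to $ReportPath"
    $recorded | Group-Object Extension | Sort-Object Count -Descending |
        Format-Table Name, Count -AutoSize
}

Write-Host "Targeted file types present under $env:USERPROFILE:"
Measure-ExposedFiles -Root $env:USERPROFILE | Format-Table -AutoSize
```

The CSV lists every recorded path together with whether the file still exists on disk, which is the list to hand to whoever restores from backup; the second table gives a rough size of the job when the registry record is missing or incomplete.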

At this point the user sees the following pop-up window, which explains that files on the computer have been encrypted and are being held for a ransom of $100/$300. The window appears when the computer is first booted and periodically during normal use.

[Image: CryptoLocker pop-up window]

DISCLAIMER REGARDING ENCRYPTED FILES

Once CryptoLocker has encrypted a file on an infected computer, that file becomes unusable. There are currently no methods available to reverse the encryption. Paying the ransom demanded by the authors of this malicious software does not guarantee the safe recovery of encrypted files.

REMOVING THE MALWARE

  1. Shut down the infected computer immediately.

  2. On another computer, perform the following steps:

    1. Download SafeMSI from: http://download.cnet.com/SafeMSI-exe/3000-2094_4-75724774.html

    2. Download Malwarebytes from: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

    3. Copy the SafeMSI and Malwarebytes installer files to a flash drive.

  3. Boot the infected computer into Safe Mode using the instructions at: https://kb.wisc.edu/page.php?id=1565

  4. Run SafeMSI by double-clicking its icon.

  5. Install Malwarebytes using these instructions: http://go.wisc.edu/29c435

  6. Run a Full Scan with Malwarebytes using these instructions: http://go.wisc.edu/07z2xv

REFERENCES

(Sophos) http://go.wisc.edu/6wzx5h

(Bleeping Computer) http://go.wisc.edu/748o3s

(Malwarebytes) http://go.wisc.edu/ik9f37




Keywords: cryptolocker virus malware malicious software crypto encryption encrypt ransom
Doc ID: 34368
Owner: Leah S.
Group: DoIT Help Desk
Created: 2013-10-10 16:04 CDT
Updated: 2015-01-23 08:24 CDT
Sites: DoIT Help Desk, DoIT Staff, UW Platteville