Malicious Software - CryptoLocker

Over the last few days, the DoIT Help Desk has received numerous reports of a particularly malicious piece of software named CryptoLocker. This infection is commonly contracted by visiting a compromised website or by opening a malicious email attachment.

DESCRIPTION

Once the software has compromised a computer it compiles a list of all files with the following file-extensions:

  • 3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx.

Each of these files is then encrypted and a record of this action is logged at the following location: HKCU\Software\CryptoLocker\Files.

At this point many users begin to see the following pop-up window, which explains that files on the computer have been encrypted and are being held for a ransom of $100/$300. The window appears when the computer is first booted and periodically during normal use.
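The registry log described above gives a responder a ready-made inventory of what was encrypted. The following PowerShell triage script is an added example, not part of the DoIT advisory or of any referenced tool: it reads HKCU\Software\CryptoLocker\Files, checks each recorded path against the extension list above, and exports the result so the affected files can be restored from backup. It assumes each value name under that key is the path of an encrypted file (public analyses report the malware writes '?' in place of '\'; the script normalises both forms) and that it is run in the profile that was logged in at infection time, since the key lives under HKCU.

```powershell
# Added triage example: list files CryptoLocker recorded as encrypted.
# Run from the affected user's profile (the key is per-user), preferably in
# Safe Mode after the machine has been isolated from the network.

$KeyPath = 'HKCU:\Software\CryptoLocker\Files'

# Extension list exactly as given in the advisory.
$TargetExtensions = @(
    '3fr','accdb','ai','arw','bay','cdr','cer','cr2','crt','crw','dbf','dcr',
    'der','dng','doc','docm','docx','dwg','dxf','dxg','eps','erf','indd','jpe',
    'jpg','kdc','mdb','mdf','mef','mrw','nef','nrw','odb','odm','odp','ods',
    'odt','orf','p12','p7b','p7c','pdd','pef','pem','pfx','ppt','pptm','pptx',
    'psd','pst','ptx','r3d','raf','raw','rtf','rw2','rwl','srf','srw','wb2',
    'wpd','wps','xlk','xls','xlsb','xlsm','xlsx'
)

if (-not (Test-Path -Path $KeyPath)) {
    Write-Output "No $KeyPath key present; this profile holds no CryptoLocker file log."
    return
}

$key = Get-Item -Path $KeyPath
$report = foreach ($name in $key.GetValueNames()) {
    # Assumption: each value name is an encrypted file's path. Public analyses
    # report '?' standing in for '\', so normalise that before using the path.
    $path = $name -replace '\?', '\'
    $ext  = [System.IO.Path]::GetExtension($path).TrimStart('.').ToLower()
    [pscustomobject]@{
        Path         = $path
        Extension    = $ext
        InTargetList = $TargetExtensions -contains $ext   # matches the advisory's list?
        StillPresent = Test-Path -LiteralPath $path       # file still on disk?
    }
}

$report | Sort-Object Path | Format-Table -AutoSize
$matched = @($report | Where-Object { $_.InTargetList }).Count
Write-Output ("{0} files recorded; {1} match the advisory's extension list" -f @($report).Count, $matched)

# Hand the inventory to whoever restores from backup.
$report | Export-Csv -Path "$env:USERPROFILE\Desktop\cryptolocker-files.csv" -NoTypeInformation
```

Any recorded path whose extension is not in the list suggests the variant on this machine targets more file types than the advisory describes, and the backup restore should be scoped accordingly.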

[Image: CryptoLocker ransom pop-up window]

DISCLAIMER REGARDING ENCRYPTED FILES

Once CryptoLocker has encrypted a file on an infected computer, that file becomes unusable. There are currently no methods available to reverse the encryption. Paying the ransom demanded by the publishers of this malicious software does not guarantee the safe recovery of encrypted files.

REMOVING THE MALWARE

  1. Shut down the infected computer immediately.

  2. On another computer, perform the following steps:

    1. Download SafeMSI from: http://download.cnet.com/SafeMSI-exe/3000-2094_4-75724774.html

    2. Copy the SafeMSI file to a flash drive.

  3. Boot the infected computer into Safe Mode using the instructions at: https://kb.wisc.edu/page.php?id=1565

  4. Run SafeMSI by double-clicking its icon.
