Resurgence of a Crypto Locker Variant

We are informing all our clients that we have seen a resurgence of a very dangerous variant of the Crypto Locker virus, which destroys computer data, programs, and files quickly. Rebuilding and restoring from backup is often the only alternative once you are infected. Please inform your employees to be especially vigilant. The virus gets past AV scans by enticing and tricking the recipient into clicking on the infected attachment or download, and then moves with devastating speed to do its business. The description below provides more detail on what to look for to avoid getting infected.

Description:

Essentially, once this virus is on one of your computers it begins encrypting your personal files. We know for sure it encrypts Microsoft Office documents, Access database files, and many others. Once it’s on your local computer it begins searching any connected drives, including mapped network drives leading to your servers, for any file type it recognizes and encrypts them. Once encrypted, there is no way to access the file or decrypt it. Usually at this point a window or files with instructions will appear saying you have 72 hours to pay $100-300 to get the key to decrypt the files. There have been reports of people paying the ransom and actually getting the key, which allowed them to successfully decrypt the files, but not everyone received the right key or had anything happen at all after paying the ransom. Once the 72 hours is up, there is no chance of getting the key to decrypt the files.

Prevention:

There are 2 important parts to protecting yourself from this virus:

1. Knowing how it infects you

There are a few different ways this virus can infect your computer. The most common is by opening phishing emails disguised to look legitimate. These emails appear to be from UPS, FedEx, DHS, etc. Best practice is to never open emails or attachments you didn’t request and to be skeptical of everything. Another common way people get infected is by visiting and downloading files from questionable sites. It’s always best to stick to reputable websites and never download anything unless you know what it is and trust the website. If you ever have an uneasy feeling about downloading something, don’t.

2. Backups, Backups, Backups

Once the files are encrypted there are only a couple of actions we can take: either pay the ransom (and hope they will decrypt the files, which is unlikely) or restore from a backup. Restoring from a backup is the only 100% effective method to recover all encrypted files, but this doesn’t help if there are no recent backups. So check your backups and check them often!
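One way to turn "check your backups and check them often" into a routine check, added here as an example and not a tool from Twin State Technical Services: the script below walks a backup folder, reports how old the newest file is, and flags Office, Access and PDF files whose first bytes no longer match the header their extension implies. A document that has been encrypted by the virus loses that header, so a backup set that contains such files was either taken after the infection or sits on a drive the virus could reach. The signature table, the folder layout and the sample files are assumptions constructed for this example.

```python
import os
import tempfile
import time
from pathlib import Path
from typing import Optional

# Expected leading bytes ("magic numbers") for the document types the notice
# names. This table is an assumption of the example, not part of the notice.
SIGNATURES = {
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".ppt": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".mdb": b"\x00\x01\x00\x00Standard Jet DB",
    ".accdb": b"\x00\x01\x00\x00Standard ACE DB",
    ".pdf": b"%PDF",
}


def header_intact(path: Path) -> Optional[bool]:
    """True if the file starts with the signature its extension implies,
    False if it does not (an encrypted file has no recognizable header),
    None if the extension is not one in the table."""
    signature = SIGNATURES.get(path.suffix.lower())
    if signature is None:
        return None
    with path.open("rb") as handle:
        return handle.read(len(signature)) == signature


def check_backup(backup_dir: str, max_age_hours: float = 24.0) -> dict:
    """Walk a backup folder and report (a) how old the newest file is and
    (b) which known document types no longer carry their expected header."""
    root = Path(backup_dir)
    newest_mtime = 0.0
    checked = 0
    suspect = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        newest_mtime = max(newest_mtime, path.stat().st_mtime)
        verdict = header_intact(path)
        if verdict is None:
            continue
        checked += 1
        if not verdict:
            suspect.append(path.relative_to(root).as_posix())
    age_hours = (time.time() - newest_mtime) / 3600 if newest_mtime else float("inf")
    return {
        "newest_age_hours": age_hours,
        "stale": age_hours > max_age_hours,
        "checked": checked,
        "suspect": sorted(suspect),
    }


def build_sample_backup() -> str:
    """Constructed sample data: a throwaway folder with two intact documents,
    one document whose contents were replaced by arbitrary bytes (a stand-in
    for a file the virus encrypted), and one file of a type not in the table."""
    root = Path(tempfile.mkdtemp(prefix="backup_sample_"))
    (root / "report.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 64)
    (root / "customers.mdb").write_bytes(b"\x00\x01\x00\x00Standard Jet DB" + b"\x00" * 64)
    # First two bytes are fixed so the mismatch is deterministic; the rest is filler.
    (root / "invoice.docx").write_bytes(b"\xa7\x13" + os.urandom(66))
    (root / "notes.txt").write_bytes(b"plain text, extension not in the table")
    return str(root)


if __name__ == "__main__":
    report = check_backup(build_sample_backup(), max_age_hours=24)
    print(report)
    # Expected: checked == 3, suspect == ["invoice.docx"], stale == False
```

Point `check_backup` at the folder your backup job writes to and run it on a schedule; a non-empty `suspect` list or `stale == True` is the moment to investigate, before the 72-hour window described above even matters. Two caveats: a matching header only proves the file was not overwritten wholesale, not that its contents are complete, and because the virus searches mapped network drives, a backup that is itself on a mapped drive is within its reach, so keep at least one copy that is not connected to the infected machine.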

If you have any questions call our office at 563-441-1504 and we’d be happy to answer them.

Thank you,

Twin State Technical Services Team
