No other virus has caused greater concern or frustration than the encrypting ransomware virus known around the helpdesk as the crypto virus, or by its original name, CryptoLocker. In the many years of JustFixIt’s history, there has never been such an aggressive or widespread infection. For a while it seemed like every week or so the entire desk would feel that sinking feeling when it became obvious that another client had become infected with the damaging virus.
Our first brush with the crypto virus was with its first iteration, CryptoLocker, way back in early November of 2013. What originally began as a simple restoration of corrupted files turned out to be a much bigger problem.
The virus itself is lightweight and easy to conceal, which makes it possible to hide within innocuous-looking email messages – often, it’s disguised as a harmless-looking document. When run, it immediately scans the system for documents and begins encrypting them with a 2048-bit key. Any document which the infected user has write access to is quickly encrypted, typically in alphabetical order, including any document found within mapped network drives.
Spotting CryptoLocker is pretty easy, as it proudly announces its presence. Within every folder it encrypts, it leaves a collection of files with instructions that demand (at the time) $400, to be paid in pre-paid vouchers or the popular cryptocurrency, Bitcoin. Virus scanners were quickly equipped to detect and contain the virus, but detection was typically not possible until the encryption was underway and the damage was already done.
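Because the encryption works through a folder in alphabetical order and leaves its footprint in every folder it touches, a defender can plant a bait file that sorts first and re-check it on a schedule, alongside a byte-entropy test on the neighbouring files. The script below is an added example and is not part of the original post or any JustFixIt tooling; the canary file name and body, the entropy threshold and the temporary-folder scenario are assumptions made for the demonstration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

CANARY_NAME = "!canary.txt"      # assumed name: '!' sorts before letters, so it is hit early
CANARY_BODY = b"canary: if this text changes, encryption may be underway\n" * 16
CANARY_HASH = hashlib.sha256(CANARY_BODY).hexdigest()
ENTROPY_THRESHOLD = 7.0          # bits per byte; prose is ~4-5, ciphertext is close to 8

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; only meaningful for samples of a few KB or more."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def plant_canary(folder: str) -> None:
    with open(os.path.join(folder, CANARY_NAME), "wb") as fh:
        fh.write(CANARY_BODY)

def check_folder(folder: str) -> dict:
    canary = os.path.join(folder, CANARY_NAME)
    intact = False
    if os.path.isfile(canary):
        with open(canary, "rb") as fh:
            intact = hashlib.sha256(fh.read()).hexdigest() == CANARY_HASH
    high_entropy = 0
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if name == CANARY_NAME or not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            if shannon_entropy(fh.read(65536)) >= ENTROPY_THRESHOLD:
                high_entropy += 1
    # A missing or altered canary is the alarm; the entropy count shows how far it spread.
    return {"canary_intact": intact, "high_entropy_files": high_entropy, "alert": not intact}

def simulate() -> tuple:
    """Constructed scenario: a clean folder, then the same folder after files are overwritten."""
    folder = tempfile.mkdtemp()
    plant_canary(folder)
    with open(os.path.join(folder, "report.txt"), "wb") as fh:
        fh.write(b"quarterly figures, plain text, low entropy\n" * 100)
    before = check_folder(folder)
    for name in (CANARY_NAME, "report.txt"):    # random bytes stand in for encrypted output
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(os.urandom(4096))
    return before, check_folder(folder)
```

In practice the check would run from a scheduled task against each mapped drive and the user's document folders, with an alert feeding straight into the helpdesk queue so the share can be taken offline before the run completes.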
CryptoLocker was finally contained and shut down on the 2nd of June 2014 in the collaborative international “Operation Tovar”. The source of the virus was tracked down to Evgeniy Bogachev, who was charged as the ringleader of the hacker gang that created the virus and the botnet that distributed it. It’s estimated that the whole operation scammed about $3 million in ransom.
Perhaps the most insidious iteration of CryptoLocker, CryptoWall, arrived late in September 2014, this time distributed through an internet ad network that redirected to rogue websites. CryptoWall itself went through numerous versions, which included such features as the ability to delete Windows’ built-in Volume Shadow Copy backups and to install spyware programs that steal passwords and bitcoins. The most recent known version is 4.0, which has reworked code that helps it further avoid anti-virus programs and encrypts not only the file’s data, but also the filename.
CryptoWall viruses are still actively being developed, and an estimated $18 million USD has been paid out in ransom thus far.
Other copycats, such as TorrentLocker, have appeared in the wake of CryptoLocker, each providing their own twists and complications. While a lot of effort has been made to prevent outbreaks, new infections continually pop up and show no signs of slowing down.
HOW TO PROTECT YOUR FILES
Unfortunately, due to the reactive nature of the anti-virus industry, most protection programs are useless against the aggressive and constantly evolving crypto viruses. Some specialists are even announcing this to be the beginning of the end for anti-virus software. This statement may be exceedingly alarmist, especially since a good security program is essential for actually locating and removing the infection. However, the message does contain some truth: it takes more protection than even the most robust anti-virus can provide to guard against encryption viruses.
The good news is that surviving an infection is simple. All it takes is a reliable backup system that runs regularly. As long as all your important files are backed up to a secure location (preferably one located off-site, where the infected user has no write access), any encrypted files can simply be restored to their previous state, which eliminates the need to pay the ransom.
If you want to avoid the headache of dealing with any downtime caused by the virus, then the only option is to always be vigilant. Be careful when opening attachments and avoid clicking on advertisements that appear on websites, as they can often lead to compromised sites. A degree of caution can go a long way toward avoiding infection altogether.