How to Avoid Getting the Crypto Locker Virus
It was a quiet Friday morning, when I got into the Cloud BT office. It was a beautiful day, the sun was out and the birds were chirping. I was merrily having my coffee and looking forward to the weekend. It was going to be just like any other day. As I was checking my emails however, my phone rang. It was a client. “Hi Cristian, I’ve logged into my computer and all the data in our network drives are encrypted and we can’t access any of the files”. Suddenly what looked like a beautiful quiet Friday morning was about to turn into a battlefield of technical proportions.
The client had fallen victim to a nasty ransomware virus that goes by the name of Crypto Locker. As of September last year over 20,000 computers in Australia have been infected (http://www.theage.com.au/it-pro/security-it/fake-speeding-fines-make-cryptolocker-lock-up-australian-files-20141030-11egcy.html).
What is Ransomware?
Ransomware is a particular type of computer virus that blocks a user’s access to services or files on a computer until money is paid to unblock that access. In the case of Crypto Locker, the virus encrypts all of the victim’s data and makes it impossible to decrypt. The ransom demanded to decrypt the data ranges from $500 to $1,800.
There are multiple variants of Crypto Locker; in earlier versions it was relatively easy to decrypt the data if you had a copy of a file from before it was encrypted. However, the makers of the virus have since made the decryption process more complex, making it virtually impossible to decrypt without the encryption key.
How the Virus Works
One of the most common ways this virus is propagated is through download pages that imitate legitimate businesses and government websites.
As an example, victims can receive an email informing them that they have an “Infringement Notice” for speeding and are provided with a link where they are directed to pay the fine.
The virus maker has registered fake website addresses that are meant to look legitimate. One of the more common ones I have seen is a fake version of the Office of State Revenue website.
Upon loading the website, victims are asked to enter a Captcha code on the screen in order to download the notice.
Once the file is downloaded and opened, the virus runs and starts to encrypt files and folders on the victim’s computer. It will also encrypt files in network folders that the infected computer has access to, and puts a ransom note in every directory where files are encrypted. It then sends the decryption key to a remote server.
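Because the virus touches every directory it encrypts and leaves a note behind, an administrator can sweep a network share for those two traces. The script below is an added example (it is not from the original post): it walks a directory tree, flags files whose name matches a placeholder ransom-note list, and flags files whose bytes look encrypted by measuring Shannon entropy. The note filenames, the entropy threshold and the sample tree it builds are all constructed assumptions for the demonstration, not values taken from the virus.

```python
"""Sweep a directory tree for CryptoLocker-style traces.

Added example, not the post's own code. Assumptions (labelled):
- RANSOM_NOTE_NAMES is a placeholder list, not the real note filenames.
- Encrypted output is close to 8 bits of entropy per byte, so an ordinary
  document that scores near that is suspicious; the threshold is a guess.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE_NAMES = {"DECRYPT_INSTRUCTIONS.txt", "HOW_TO_DECRYPT_FILES.html"}  # placeholder
ENTROPY_THRESHOLD = 7.5   # bits per byte; plain text is usually well below 5
SAMPLE_BYTES = 64 * 1024  # only read the head of each file
MIN_SIZE = 256            # tiny files give unreliable entropy figures


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the given data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root) -> dict:
    """Return ransom notes and high-entropy files found under root, sorted."""
    notes, suspicious = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name in RANSOM_NOTE_NAMES:
                notes.append(str(path))
                continue
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            if len(head) >= MIN_SIZE and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                suspicious.append(str(path))
    return {"ransom_notes": sorted(notes), "high_entropy_files": sorted(suspicious)}


def build_demo_tree() -> str:
    """Construct a sample share: one clean text file, one 'encrypted' file, one note."""
    root = tempfile.mkdtemp(prefix="share_")
    finance = Path(root) / "Finance"
    finance.mkdir()
    (finance / "budget.txt").write_bytes(b"Quarterly budget figures\n" * 200)
    (finance / "invoice.docx").write_bytes(os.urandom(4096))  # stands in for ciphertext
    (finance / "DECRYPT_INSTRUCTIONS.txt").write_text("Your files have been encrypted.")
    return root


if __name__ == "__main__":
    result = scan_tree(build_demo_tree())
    for kind, paths in result.items():
        print(kind, paths)
```

On the constructed tree the sweep reports the note and the random-byte "invoice" but not the plain-text budget file. Run it against a real share as the account that normally writes there, so that the walk sees the same folders the infected machine could reach.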
Here’s what the ransom note looks like:
How to Avoid Getting Infected and Seeing the Signs
1 – The Email Address
The first sign that this is not a legitimate email is that the Office of State Revenue will not email you in regards to a penalty notice.
Also, this email is generic: it does not address you by your first or last name.
Another sign this email address is not from the government is the domain name. Notice the domain “notice-nsw-gov.net”. This is not a government domain – all Australian government organisation websites carry the “gov.au” domain.
2 – The Email Links
Hovering your mouse over a link will reveal its web address. In the case of this email, when you hover your mouse over either link you will notice that neither of them takes you to the State Debt Recovery website.
3 – The Website
If you do click the link you will be taken to the fake website. Below there are two websites, the real legitimate website and the fake website. Both look relatively similar, there are however some tell-tale signs.
The second sign that this is not a legitimate website is the requirement to enter a captcha code on the fake website. The Office of State Revenue will not ask you for a captcha code.
The third hint is the web address. The real State Debt Recovery Office website is www.sdro.nsw.gov.au.
The real Office of State Revenue website is a government website and you can see that in the above web address, there is a “gov.au” domain. The “gov.au” domain can only be registered by Australian government bodies.
When you look at the fake website, notice that the “gov.au” is not in the web address. The virus maker has tried to make the website look like a government website by calling it “nsw-gov.net”, but the one thing he cannot fake is the domain type, which is “.net”.
No government body would use a “.net” domain. This is a clear sign that the website is a fake.
4 – The Download
If you enter the Captcha code, a dialog box will open asking you to download a file. However, if you look at the file you are downloading and its source, you will see that it comes from Mediafire.com (a file hosting website). The State Debt Recovery Office would never use Mediafire.com as its hosting service, especially when it comes to keeping copies of penalties.
Once downloaded you will notice that the file is actually an “.exe” file, an executable with a random name. This is in fact an application file: you will notice it says “Application” underneath the “Type” field. If you open the file, you will unleash the CryptoLocker virus, and the next thing you will see is a ransom note.
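The four signs above (sender and link domains that are not gov.au, a generic greeting, a file-hosting site as the download source, and an executable disguised as a notice) can be checked mechanically before anyone clicks. The script below is an added example and not the post's own code: it parses a constructed sample email modelled on the lure described above and lists each indicator it finds. Mediafire.com and the nsw-gov.net lookalike come from the post; the greeting patterns, the executable-extension list and the sample message are this example's own assumptions.

```python
"""Triage an email and its links against the signs described in the post.

Added example, not the post's own code. Assumptions (labelled):
- SAMPLE_EMAIL is constructed for the demonstration.
- FILE_HOSTS contains only mediafire.com, which the post names; extend locally.
- EXEC_EXTENSIONS and the generic-greeting pattern are this example's choices.
"""
import os
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

GOV_SUFFIX = ".gov.au"
FILE_HOSTS = {"mediafire.com"}
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js"}  # assumption
LOOKALIKE = re.compile(r"gov", re.IGNORECASE)     # "gov" inside a non-gov.au host
GENERIC_GREETING = re.compile(r"Dear (Customer|Sir|Madam|User)")  # assumption

# Constructed sample, modelled on the speeding-fine lure described in the post.
SAMPLE_EMAIL = """From: Office of State Revenue <notices@notice-nsw-gov.net>
To: recipient@example.com
Subject: Infringement Notice
Content-Type: text/html

<p>Dear Customer,</p>
<p>An infringement notice has been issued. <a href="http://notice-nsw-gov.net/view">View notice</a>
or <a href="http://www.mediafire.com/download/abc123/Notice_8842.exe">download a copy</a>.</p>
"""


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_gov_au(host: str) -> bool:
    """True only for gov.au itself or a host ending in '.gov.au'."""
    return host == GOV_SUFFIX[1:] or host.endswith(GOV_SUFFIX)


def check_link(url: str) -> list:
    """Return the indicators that apply to one link (empty list if clean)."""
    host = host_of(url)
    path = urlparse(url).path.lower()
    reasons = []
    if not is_gov_au(host):
        reasons.append(f"{host}: not a gov.au domain")
        if LOOKALIKE.search(host):
            reasons.append(f"{host}: imitates a government name")
    if any(host == h or host.endswith("." + h) for h in FILE_HOSTS):
        reasons.append(f"{host}: file-hosting service")
    ext = os.path.splitext(path)[1]
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"{path}: executable download ({ext})")
    return reasons


def triage_email(raw: str) -> list:
    """Collect indicators from the sender address, greeting and every href."""
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg["From"])[1]
    sender_host = sender.rsplit("@", 1)[-1].lower()
    if not is_gov_au(sender_host):
        findings.append(f"sender {sender_host}: not a gov.au domain")
    body = msg.get_payload()
    if GENERIC_GREETING.search(body):
        findings.append("generic greeting, recipient not named")
    for url in re.findall(r'href="([^"]+)"', body):
        findings.extend(check_link(url))
    return findings


if __name__ == "__main__":
    for line in triage_email(SAMPLE_EMAIL):
        print("-", line)
```

The host check deliberately tests the end of the hostname rather than searching for "gov.au" anywhere in the URL, so a link such as `http://nsw-gov.net/gov.au/notice` still fails. A link to www.sdro.nsw.gov.au with no executable in its path produces no findings.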
5 – How To Bring Back Your Files
The best advice for dealing with Crypto Locker and saving your files from encryption is prevention. Avoid clicking on suspicious links and emails. But if you are at the point where you are looking at a ransom note, your best chance of retrieving your files comes from a solid backup policy.
The success we’ve had at Cloud BT in retrieving lost files comes from a good backup. You would be surprised how often companies, small businesses and individuals do not have a backup plan of any kind. Having a policy that is actively monitored, reviewed and updated is key, and not just for Crypto Locker. There are a variety of reasons why you might need a backup policy. Your backup is an insurance policy against damage to your PC: it could be stolen, your workplace might be struck by a natural disaster, or you might even spill your coffee all over it. The point is that the risk of not taking precautions outweighs the price of being safe with the data that is needed to effectively run your business.
6 – Conclusion
Encounters with Crypto Locker are occurring every day, making it important for everybody in the online community to be informed and aware of how to prevent and combat ransomware. But also remember that if you haven’t already, it is never too late to protect yourself and implement a solid backup policy. Please don’t hesitate to share this information with work colleagues and friends. It is essential to protect your data from encryption and be aware of potential risks.