Cryptolocker Help

Cryptolocker Help

Ryan Shelley

26 June 2016

Cryptolocker Help – A form of Ransomware known as Cryptolocker has been infecting Australian businesses and individuals recently. A lot of clients and colleagues have been asking for cryptolocker help – mainly; how to prevent and how to fix an infection.

The Cryptolocker payload

Posing as an email from AGL with details of your current electricity bill – this email convincingly led unwary clickers to download an infected file from a fake and malicious website. Once the infected file was opened – all the user’s documents, photos, music – in fact nearly all their data – was irreversibly encrypted. Instructions were then displayed to the user with links and directions on how to pay a ransom to supposedly recover their files.

Cryptolocker is far reaching in its destruction. It detects and encrypts all your usual Word, Powerpoint and Excel files – as well as all your photos, videos and music which range from .JPG to .MOV to .MP3. It doesn’t stop there though. If your machine is connected to a network like most workplaces and homes – it will try to find and encrypt files on other computers that are connected to the same network. So if your business shares a folder with other users – that folder’s contents will be toast!

This b@$tard of a virus will also find folders and data that you have on a Server or Network Attached Storage (NAS) device. In short – if you can see a file or folder in Windows Explorer – Cryptolocker will find it and encrypt it!

Watch Your Drives

To kick you while you’re down – a cryptolocker can then even detect and encrypt external drives that you are diligently using for backups. So the drive connected to your PC, Server or NAS is encrypted too. Even if the external drive wasn’t found – there’s a strong chance your scheduled nightly backup will overwrite your clean files with the newly encrypted files.

Most businesses and individuals make use of cloud storage, synching and backups through popular tools such as Dropbox and Google Drive. The files on these cloud based services are also encrypted. Good news though – these files are typically recoverable. Read Fixing a Cryptolocker Infection below. 

It is typically only when a user sees the ransom that they reach out for Cryptolocker help.

Cryptolocker Help – Detection

A user typically doesn’t detect the presence of Cryptolocker until it is too late. Most popular anti-virus software suites also failed to detect and protect users. I am personally aware of multiple cases where mcaffee failed to protect users. This can be attributed to the delay between the Cryptolocker being released and the time taken for anti-virus companies to detect and update their databases to detect this new threat.

So sadly effective early detection doesn’t practically exist.

In this case, the best prevention so you don’t need to ask for cryptolocker help is double checking:

  • The email address of the sender – in this case, a non AGL email address.
  • The URL (address) of the website the email links you too – again a non-AGL web address.

Cryptolocker Help – Fixing an Infection

So you’re infected and you need cryptolocker help. More bad news. Once the files are encrypted – there is no practical way to decrypt and recover the files. Only backups can practically restore the data. You were making backups of your data weren’t you…?

Step 1 – Factory reset the infected machine

Yes, this may seem like overkill – but I for one am not taking chances with this thing. A factory restore provides an option to format your hard drive and re-install Windows from a typically hidden partition on your hard drive. This hidden partition has proved thus far to be safe from Cryptolocker.

What about an infected server or NAS?

Typically, the encrypted files don’t carry a payload. It is typically only the machine that was used to download and open the infected machine that carries the payload.

I would be extremely cautious though about the integrity of the server and NAS. At an absolute minimum – all devices should be scanned with Malwarebytes

Step 2 – Re-install your software

This typically involves re-installing software such as Office and re-connecting Outlook to your email provider. Hopefully you were using a cloud based email service such as Google Apps or Microsoft Office 365. If you had any other specialised software on your machine – you’ll need to re-install that too.

Step 3 – Restore your backups

From cloud based storage

Most individuals and businesses make use of cloud storage services such as Google Drive and Dropbox. Typically, once your files are encrypted – your local machine will innocently upload the encrypted files to your cloud storage service. After a support phone call or ticket – you will be able to get your cloud provider to roll back your data to just prior to the encryption attack.

After you’ve confirmed that your data in the cloud is decrypted – you can install and connect your client software (Google Drive / Dropbox) on your machine. Your machine will then begin to download the un-encrypted data.

From an external backup

Hopefully you’ve had an external backup that wasn’t connected to your machine(s) at the time of the attack. Depending on your methods of backup – this could be as easy as clicking and dragging files from your external hard drive back to your clean factory restored computer.

Lessons learnt while providing Cryptolocker help

We don’t enjoy providing cryptolocker help – we’d rather help your business grow than recover from near disaster. So here are our key takeaways.

Backup, backup, backup

Ideally you should:

  • Be making use of a cloud storage service such as Dropbox or Google Drive.
  • Also backup regularly to an external source. Importantly, make sure this external source is rotated regularly offsite or stored off line in a fire proof. This also adds protection against fire or theft.

Have a recovery plan

Discuss with your fellow stakeholders or your IT provider – in the event of a cryptolocker attack, theft, fire or other disaster – what would you do to get back online as quickly as possible? The quickest solution is typically:

  • Factory restore – or purchase new hardware (desktop, laptop etc.)
  • Install required software such as Microsoft Office and other software for your business – do you have copies of the install files and the required license keys on hand?
  • Restore backups from cloud services or external backups as described above.