Cryptolocker help

Cryptolocker Help – A form of ransomware known as Cryptolocker has been infecting Australian businesses and individuals recently. A lot of clients and colleagues have been asking for Cryptolocker help – mainly, how to prevent an infection and how to fix one.

[Screenshot] The convincing email, supposedly from “AGL Energy” – but note that the actual sender address in this case was definitely not an AGL email account.

Posing as an email from AGL with details of your current electricity bill – this email convincingly led unwary clickers to download an infected file from a fake, malicious website. Once the infected file was opened – all the user's documents, photos, music – in fact nearly all their data – was irreversibly encrypted. Instructions were then displayed to the user with links and directions on how to pay a ransom to supposedly recover their files.


The Cryptolocker payload

Cryptolocker is also far reaching in its destruction. It will detect and encrypt all your usual Word, PowerPoint and Excel files – as well as all your photos, videos and music, which range from .JPG to .MOV to .MP3. It doesn’t stop there though. If your machine is connected to a network, like most workplaces and homes – it will try to find and encrypt files on other computers that are connected to the same network. So if your business shares a folder with other users – that folder's contents will be toast!

This b@$tard of a virus will also find folders and data that you may have on a Server or Network Attached Storage (NAS) device. In short – if you can see a file or folder in Windows Explorer – Cryptolocker will find it and encrypt it!

[Screenshot] A copy of the ransom message seen once the user's files have been encrypted.

To kick you while you’re down – Cryptolocker can then even detect and encrypt external drives that you may be diligently using for backups. So the drive connected to your PC, Server or NAS will likely be encrypted too. Even if the external drive wasn’t found – there's a strong chance your scheduled nightly backup would overwrite your clean files with the newly encrypted files.

Most businesses and individuals make use of cloud storage, syncing and backups through popular tools such as Dropbox and Google Drive. The files on these cloud-based services are also encrypted. Good news though – these files are typically recoverable. Read Fixing a Cryptolocker Infection below.

It is typically only when a user has seen the ransom message that they reach out for Cryptolocker help.


Detection of Cryptolocker

A user typically doesn’t detect the presence of Cryptolocker until it is too late. Most popular anti-virus software suites also failed to detect and protect users. I am personally aware of multiple cases where McAfee failed to protect users. This can be attributed to the delay between Cryptolocker being released and the time taken for anti-virus companies to detect the new threat and update their databases for it.

So sadly – effective early detection doesn’t practically exist.

In this case – the best prevention so you don’t need to ask for cryptolocker help – is double checking:

  • The email address of the sender – in this case, a non-AGL email address.
  • The URL (address) of the website the email links you to – again, a non-AGL web address.
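As an added example (not code from the original post), the following Python script applies the two checks above to a constructed sample message: it compares the sender's real address domain and the host of every link in the body against an allow-list of domains the claimed brand actually uses. The sample email, its addresses and the allow-list value are assumptions made for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample lure modelled on the AGL bill email; every address and link is made up.
SAMPLE_EMAIL = """\
From: "AGL Energy" <billing@example-notagl.net>
Subject: Your AGL electricity bill is ready
Content-Type: text/plain; charset="utf-8"

Your bill of $243.10 is ready. View and pay it here:
http://agl-bills.example.org/view?id=12345
"""

# Assumed allow-list of domains the claimed brand really uses (example value).
ALLOWED_DOMAINS = {"agl.com.au"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def email_domain(addr):
    # Part after '@', lower-cased; '' for a malformed address.
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def is_allowed(host, allowed):
    # Exact match or subdomain of an allowed domain.
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed)

def text_body(msg):
    # Join all text/plain parts (walk() also yields a non-multipart message itself).
    return "\n".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")

def check_message(raw, brand, allowed):
    # Findings for the two checks from the post; an empty list means both passed.
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    if brand.lower() in name.lower() and not is_allowed(email_domain(addr), allowed):
        findings.append(f"sender claims '{name}' but address domain is {email_domain(addr)}")
    for url in URL_RE.findall(text_body(msg)):
        host = urlparse(url).hostname or ""
        if not is_allowed(host, allowed):
            findings.append(f"link points to {host}, outside the {brand} domains")
    return findings

if __name__ == "__main__":
    for finding in check_message(SAMPLE_EMAIL, "AGL", ALLOWED_DOMAINS):
        print("WARNING:", finding)
```

Run against a real mailbox export, the same function flags any message whose display name claims a brand but whose address or links fall outside that brand's domains.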


Fixing a Cryptolocker Infection

So you’re infected and you know you need Cryptolocker help. More bad news. Once the files are encrypted – there is no practical way to decrypt and recover the files. The data can only practically be restored from backups. You were making backups of your data, weren’t you…?


Step 1 – Factory reset the infected machine

Yes, this may seem like overkill – but I for one am not taking chances with this thing. A factory restore provides an option to format your hard drive and re-install Windows from a typically hidden partition on your hard drive. This hidden partition has proved thus far to be safe from Cryptolocker.

What about an infected server or NAS?

Typically, the encrypted files don’t carry a payload. It is typically only the machine that was used to download and open the infected file that carries the payload.

I would be extremely cautious though about the integrity of the server and NAS. At an absolute minimum – all devices should be scanned with Malwarebytes.


Step 2 – Re-install your software

This typically involves re-installing software such as Office and re-connecting Outlook to your email provider. Hopefully you were using a cloud based email service such as Google Apps or Microsoft Office 365. If you had any other specialised software on your machine – you’ll need to re-install that too.


Step 3 – Restore your backups

From cloud based storage

Most individuals and businesses make use of cloud storage services such as Google Drive and Dropbox. Typically, once your files are encrypted – your local machine will innocently upload the encrypted files to your cloud storage service. After a support phone call or ticket – you will be able to get your cloud provider to roll back your data to just prior to the encryption attack.

After you’ve confirmed that your data in the cloud is unencrypted – you can install and connect your client software (Google Drive / Dropbox) on your machine. Your machine will then begin to download the unencrypted data.

From an external backup

Hopefully you’ve had an external backup that wasn’t connected to your machine(s) at the time of the attack. Depending on your methods of backup – this could be as easy as clicking and dragging files from your external hard drive back to your clean, factory-restored computer.


Lessons learnt while providing Cryptolocker help

We don’t enjoy providing cryptolocker help – we’d rather help your business grow than recover from near disaster. So here are our key takeaways.

Backup, backup, backup

Ideally you should:

  • Be making use of a cloud storage service such as Dropbox or Google Drive.
  • Also backup regularly to an external source. Importantly, make sure this external source is rotated regularly offsite or stored offline in fireproof storage. This also adds protection against fire or theft.


Have a recovery plan

Discuss with your fellow stakeholders or your IT provider – in the event of a cryptolocker attack, theft, fire or other disaster – what would you do to get back online as quickly as possible? The quickest solution is typically:

  • Factory restore – or purchase new hardware (desktop, laptop etc.)
  • Install required software such as Microsoft Office and other software for your business – do you have copies of the install files and the required license keys on hand?
  • Restore backups from cloud services or external backups as described above.
