Crypto-Locker: What to expect

Posted on Jun 28, 2016 in Security
Crypto-Locker: What to expect

There are two types of businesses, those that have been a victim of a cyber-attack and those that will be – it’s difficult to escape.

It is largely due to cyber-criminals finding new ways to by-pass mail filters, which increases the chance of getting their malicious email in front of you. They’re also getting much more professional in how they present their emails and are still highly successful in getting you to click on the link despite us all being much more aware.Panic it's the crypto-locker

It is estimated that the creators of the crypto-locker virus may have made up to $30 million in just 100 days, so their business model works.

There is plenty of information on what crypto-locker is and how to avoid it, but I’m going cover what you can expect if you get infected with Crypto, what it looks like and what to do.

What will it look like if it happens to you?

If you happen to mistakenly think a malicious link is legitimate and click it – a file will be downloaded and infect your computer with the crypto-locker virus. In some cases you’ll need to open the downloaded file for the malware to execute but often it’ll do this on its own.

You won’t necessarily have one of those intimidating screens appear on your computer telling you “we’ve infected your computer, so you might not notice there’s a problem immediately.

The first thing you’ll see is that all your file extensions have been changed from .docx, .xlsx, .pdf etc to now end in .encrypted or something similar. Basically rendering every single file on your computer as inaccessible and unusable.

What Cryptolocker looks like

Within that file directory you’ll also notice a .txt or an .html file (or both) – this is what you need to click on to get instructions on how to have your files unlocked.

What crytolocker looks like

Instructions may include how much to pay, usually in Bitcoin, and how to purchase your Bitcoin. The crypto-locker model is so sophisticated that there are support structures built around purchasing Bitcoin securely, including multiple payment options if you’re concerned about using your credit card – how thoughtful of them.

What to do when you first notice it

The first thing to do is disconnect your computer from the internet and sound the alarm to tell everyone in your business to shut down or disconnect. This will prevent the virus from spreading further into personal drives and locking files that aren’t on a shared server.

Then you should contact your IT support – the sooner the better. Best case scenario there is a recent back-up, which means you can recover a previous version of your file system to before your computer was infected, and avoid paying for the files to be unlocked. You may just loose a few hours of work.

Worse case – pay the ransom and have your files unlocked.

Resolve performs backups every 3 hours for our clients in multiple locations, this means recovery of files to a recent point in time is easily done.

We can also provide advice and strategy on avoiding these types of ‘phishing’ attacks, in particular to legal firms, so please don’t hesitate to contact someone from our team if you’d like to know more.