Sign in with
Sign up | Sign in

CryptoLocker is on a temporary pause - Clean up before they're up and running again!

Quick intro
News has broke out that you are safe from CryptoLocker's ransomware but only for 2 weeks from today (02/06/14 - DD/MM/YY) so I thought I'd take a bit of time to write a tutorial about what it is and does and how to get rid of it before it attacks your data if you've been infected, and furthermore how to protect your computer from it entering your system.
Read more here
and more detailed here and here

I'll add in spoilers to keep it as tidy as possible and so you can skip a section if you just want to get down to business.

So what is CryptoLocker?
Spoiler
As may already know, CryptoLocker is known as ransomware, but this isn't just any normal ransomware since most can just be cleared up with an antivirus, but CryptoLocker encrypts your data such as pictures and document rendering them useless and will hold them to ransom. Pretty dirty work right? Well I'd like to help you to get rid of it for good and stop it from returning.

The file types you can expect to be encrypted, but not limited to are listed below:
3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx.


How do I know if I'm infected?
Spoiler
It's not always obvious if you're infected with any type of malware, the coders are forever coding them in smarter ways than previously. But with CryptoLocker, it's most commonly introduced into your system via an attachment in a phishing email with a double extension (or file type), of course the last one is the actual extension but by default in Windows XP through to Windows 7 (and possibly 8), file extensions for known file types is hidden and with ".exe" being a known file type, you don't see it so you may easily be fooled by seeing a common ".pdf" extension.

After executing the file, it will disappear although it's still running in the background and can be seen in task manager, what is actually happening is the program is contacting "home" being the criminals servers and requesting a public key which is then used to encrypt your personal data (see how it works here) such as pictures and documents. After doing so it will then change your background and reveal itself looking like this image below:


An image of what CryptoLocker looks like can be found here
Courtesy of Sophos Security

You can also watch a video of CryptoLocker in action on YouTube.

How to find it and get rid of it and protect from it
So with the details of how these dirty crooks work over, lets get going on cleaning up shall we?
If you are already infected, I suggest that you do not pay the ransom since you are fueling them with what they wanted, and there's no say to if you'll even get your files back, remember these are dirty crooks we're dealing with after all.

Step 1
Get some antivirus on your system, even if you already have one, a second opinion is never bad. I suggest downloading Malwarebytes Anti-Malware installing and immediately running a scan, it will most likely pick up other PUP software you may have etc... But you'll know if its CryptoLocker that's been picked up as it's displayed as "Trojan.Ransom". Remove the all the files unless you know what some of them are as false positives can occur. Malwarebytes works fine along existing antivirus so you can keep the free version. Just remember to scan regularly, I do suggest buying their PRO version as it is really good and has always picked up threats the fastest out of all other software I've used, it also stops you from visiting malicious websites, has realtime scanning to actively block threats and scan schedules.

Step 2
If you have been infected, try opening some of your files, you maybe lucky and escaped before being attacked. If some don't open that did before or word/text documents look like a load of gibberish then I'm sorry but there's currently nothing you can do about it due to the nature of the type of encryption used, more about asymmetric cryptography here. I can only suggest restoring from backups, you could however store the scrambled files in a safe are incase a method of decrypting them does become avalible, but this is quite unlikely.

Step 3
Yeah that's right, you know what's coming... BACKUP your data, there's a built in function in Windows to do this. To learn more on how to use Windows Backup, click here. Backup regularly, I tend to daily, and if your backing up to removable media such as an external hard drive then I suggest removing the drive after the backup is done so that if CryptoLocker did gain access to your system it doesn't encrypt your backups too.

Step 4
Sit back, and relax. You are now protected from several variants of the CryptoLocker ransomware. And don't forget friends and family too, make sure they are protected and send them this guide. It's thought that the crooks will have more servers up and running by Monday 16th May to keep their operations going, so even if you didn't read this entire thread, at least download the one off scan tool from Sophos and run a scan.

If there's improvements you believe I could make to this please let me know. Thanks
Can't find your answer ? Ask !