{"id":504,"date":"2013-10-26T10:22:25","date_gmt":"2013-10-26T14:22:25","guid":{"rendered":"http:\/\/templesystems.com\/?page_id=504"},"modified":"2013-10-26T10:25:54","modified_gmt":"2013-10-26T14:25:54","slug":"cryptolocker","status":"publish","type":"page","link":"https:\/\/templesystems.com\/?page_id=504","title":{"rendered":"Cryptolocker"},"content":{"rendered":"

This is from windowssecrets.com:<\/strong><\/p>\n

 <\/p>\n

CryptoLocker: A particularly pernicious virus<\/span>\"SusanBy Susan Bradley<\/p>\n

Online attackers are using encryption to lock up our files and demand a ransom \u2014 and AV software probably won’t protect you.<\/span><\/p>\n

Here are ways to defend yourself from CryptoLocker \u2014 pass this information along to friends, family, and business associates.<\/span><\/p>\n

Forgive me if I sound a bit like those bogus virus warnings proclaiming, “You have the worst virus ever!!” But there’s a new threat to our data that we need to take seriously. It’s already hit many consumers and small businesses. Called CryptoLocker, this infection shows up in two ways.<\/span><\/p>\n

First, you see a red banner (see Figure 1) on your computer system, warning that your files are now\u00a0encrypted<\/em>\u2014 and if you send money to a given email address, access to your files will be restored to you.<\/span><\/p>\n

\"CryptoLockerFigure 1. CryptoLocker is not making idle threats.<\/span><\/div>\n

The other sign you’ve been hit: you can no longer open Office files, database files, and most other common documents on your system. When you try to do so, you get another warning, such as “Excel cannot open the file [filename] because the file format or file extension is not valid,” as stated on a TechNet MS Excel Support Teamblog<\/a>.<\/span><\/p>\n

As noted in a Reddit\u00a0comment<\/a>, CryptoLocker goes after dozens of file types such as\u00a0.doc, .xls, .ppt, .pst, .dwg, .rtf, .dbf, .psd, .raw, and .pdf.<\/span><\/p>\n

CryptoLocker attacks typically come in three ways:<\/span><\/p>\n

1)\u00a0Via an email attachment. For example, you receive an email from a shipping company you do business with. Attached to the email is a\u00a0.zip\u00a0file. Opening the attachment launches a virus that finds and encrypts all files you have access to \u2014 including those located on any attached drives or mapped network drives.<\/span><\/p>\n

2)\u00a0You browse a malicious website that exploits vulnerabilities in an out-of-date version of Java.<\/span><\/p>\n

3)\u00a0Most recently, you’re tricked into downloading a malicious video driver or codec file.<\/span><\/p>\n

There are no patches to undo CryptoLocker and, as yet, there’s no clean-up tool \u2014 the only sure way to get your files back is to restore them from a backup.<\/span><\/p>\n

Some users have paid the ransom and, surprisingly, were given the keys to their data. (Not completely surprising; returning encrypted files to their owners might encourage others to pay the ransom.) This is, obviously, a risky option. But if it’s the only way you\u00a0might<\/em>\u00a0get your data restored, use a\u00a0prepaid debit card<\/em>\u00a0\u2014 not your personal credit card. You don’t want to add the insult of identity theft to the injury of data loss.<\/span><\/p>\n

In this case, your best defense is prevention<\/span><\/div>\n

Keep in mind that antivirus software probably won’t prevent a CryptoLocker infection. In every case I’m aware of, the PC owner had an up-to-date AV application installed. Moreover, running Windows without admin rights does not stop or limit this virus. It uses social engineering techniques \u2014 and a good bit of fear, uncertainty, and doubt \u2014 to trick users into clicking a malicious download or opening a bogus attachment.<\/span><\/p>\n

Your best prevention is two-fold:<\/span><\/p>\n

1) Basic method:\u00a0Ensure you keep complete and recent backups of your system. Making an image backup once or twice a year isn’t much protection. Given the size of today’s hard drives on standalone PCs, an external USB hard drive is still your best backup option. A 1TB drive is relatively cheap; you can get 3TB drives for under U.S. $200. For multiple PCs on a single local-area network, consider Michael Lasky’s recommendations in the Oct. 10 Best Hardware\u00a0article<\/a>, “External hard drives take on cloud storage.”<\/span><\/p>\n

Small businesses with networked PCs should have automated workstation backups enabled, in addition to server backups. At my office, I use Backup Box by Gramps’\u00a0Windows Storage Server 2008 R2 Essentials(site<\/a>). It lets me join the backup server to my office domain and back up all workstations. I run the backups during the day, while others in the office are using their machines \u2014 and I’ve had no complaints of noticeable drops in workstation performance.<\/span><\/p>\n

The upcoming release of Windows Server 2012 R2 Essentials (site<\/a>) will also include easy-to-use, workstation-backup capabilities. Recently\u00a0announced<\/a>\u00a0Western Digital drives will also act as both file-storage servers and workstation-backup devices.<\/span><\/p>\n

2) The advanced method:\u00a0If you have Windows Professional or higher, you can tweak your systems to protect them against CryptoLocker. You’ll want to thoroughly test the impact of the settings changes detailed below \u2014 and be prepared to roll back to your original settings if needed. (After making some of these changes, you might not be able to install or update some applications.)<\/span><\/p>\n

All business and Pro versions of Windows include the ability to prevent certain types of software from launching from specific locations. CryptoLocker launches from a specific location and in a specific way (well, for now). By implementing Windows’ Software Restriction Policies rules, we can block CryptoLocker from launching its payload in your computer.<\/span><\/p>\n

Software Restriction Policies (more info<\/a>) were first introduced in Windows XP and Server 2003. In a domain setting, you can use\u00a0Group Policy\u00a0to set up these restrictions or rules; on standalone machines, you can useLocal Security Policy.\u00a0(Windows Home Premium doesn’t support Group or Local policies, so none of the following settings changes is supported.)<\/span><\/p>\n

Again, be sure you test these settings changes on a single workstation first before rolling them out to other systems. Also, take the extra step of\u00a0undoing<\/em>\u00a0the changes and checking whether the test system still runs as expected. Most important: Back up\u00a0all<\/em>\u00a0systems before making the changes.<\/span><\/p>\n

To make the changes, click Start\/Control Panel\/Administrative Tools. Click Local Security Policy and locate Software Restriction Policies under the Security Settings heading. Right-click it and select\u00a0New Software Restriction Policies.\u00a0Right-click Additional Rules and select\u00a0New Path Rule\u00a0to open the new-rule dialog box shown in Figure 2.<\/span><\/p>\n

\"NewFigure 2. Creating a new path rule to block CryptoLocker<\/span><\/div>\n

The following rules block applications such as CryptoLocker from running in the defined locations. For example, the first set of rules applies to the specific user folder\u00a0%Appdata%,\u00a0which equates to\u00a0user\\{yourusername}\\appdata\\roaming.<\/span><\/p>\n

Enter the following sets of Path, Security Level, and Description information as separate rules:<\/span><\/p>\n

For Windows XP<\/em>,\u00a0enter the following:<\/span><\/p>\n