CryptoLocker – An MSP Guide

Scott Calonico

Have you heard of CryptoLocker yet? If not, you may well find it on a user’s PC in the coming weeks.

CryptoLocker is a Trojan that gets onto a machine when a user opens a malicious email attachment. The attachment is not a document that has been “infected”; it is the Trojan’s own executable, dressed up to look like one.

The writers of CryptoLocker have sneakily given the executable a PDF icon, and because Windows hides known file extensions by default, a file named something like “invoice.pdf.exe” shows up in Explorer as “invoice.pdf”. That considerably increases the chances of people being fooled into opening it. Cynics may feel inclined to say that users need little encouragement to open suspicious files anyway!

What Exactly is CryptoLocker?

CryptoLocker falls firmly into the category of “ransomware.” Ransomware typically robs you of functionality or locks down your machine until you pay to restore the PC to its former glory. This is essentially what CryptoLocker does, but there’s an additional “sting in the tail.”

Put simply, CryptoLocker encrypts files. It picks its targets by extension, aiming specifically for data files such as those created in Microsoft Office or AutoCAD, and it encrypts both local files and files on mapped network drives. The key needed to decrypt them is generated by the criminals’ server and never exists on the victim’s PC, which is the real sting.

So, while it’s possible for a technician to remove the Trojan, CryptoLocker isn’t like a fake antivirus product or a counterfeit law-enforcement lock screen. Yes, you can remove the malware itself, but you’re still stuck with a bunch of encrypted files that only the holders of that key, the CryptoLocker people, can give you back.

Typically, CryptoLocker asks for $300 or €300 initially, but can demand significantly more if users have ignored the initial requests for the money.

What can you do?

As an MSP, it’s your duty to warn clients about CryptoLocker.

The cyber criminals behind the virus have been rather smart with their timing: With the holiday season approaching, they know plenty of people will be receiving delivery notifications for gifts, so they’ve resorted to the age-old tactic of hiding the Trojan in courier notification emails. Less experienced computer users seem to fall for this quite consistently.

If the Trojan slips past both human and technical defenses, the criminals controlling CryptoLocker are onto a winner whenever they encrypt files belonging to people who don’t have a backup. The only way to get back encrypted files that haven’t been backed up is to pay the criminals to “unlock” them. As the criminals insist on anonymous payment methods, they could continue to get away with their scam for quite some time.

An Ounce of Prevention

Obviously people with good backups are in a rather better position, as they can restore the files they have lost access to once the Trojan is removed. One caveat: because CryptoLocker also encrypts mapped network drives, a backup that lives on a share permanently mapped from the infected PC can be encrypted along with everything else. Backups need to be kept somewhere the infected machine can’t write to, or at least be taken offline between runs.

It’s worth finding a “prevention tool” for CryptoLocker and discussing with your clients the benefits of installing it on all of their machines. There are plenty of appropriate antivirus and anti-malware tools online. Most of them work by applying Windows Software Restriction Policies that block executables launched from the locations the Trojan uses (the user’s %AppData% and temp folders) and block files with “double extensions” such as .PDF.EXE, which is what CryptoLocker’s attachment uses (the .EXE is usually delivered inside a .ZIP).
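The double-extension trick above is easy to check for on the way in, before it ever reaches a user’s desktop. The script below is an added example (not code from the original article or from any particular vendor’s tool): it flags attachment names that end in an executable extension hiding behind a document extension, flags files whose name says “document” but whose first bytes are a Windows executable (“MZ”) header, and looks inside ZIP attachments the way a courier-notification lure delivers its payload. The extension lists and the sample attachments are my own constructed assumptions; the sample “executable” is just an MZ header followed by zeros, not real malware.

```python
"""Flag e-mail attachments that use the CryptoLocker-style double-extension
disguise (e.g. "invoice.pdf.exe" shown with a PDF icon), including when the
executable is wrapped in a ZIP.  Added example; not from the original article.
"""
import io
import zipfile
from typing import List, Optional

# Extensions Windows will execute on double-click.  Assumption: a reasonable
# starting list for an MSP's mail filter, not an exhaustive one.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js",
                   "jse", "wsf", "hta"}
# Extensions users expect to be harmless documents or images.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "jpeg",
                 "png", "htm", "html"}


def masquerade_reason(name: str, head: bytes = b"") -> Optional[str]:
    """Return why `name` (optionally with its first bytes) looks like a
    disguised executable, or None if nothing suspicious is found."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return None  # no extension at all
    last = parts[-1]
    # "report.pdf.exe": executable extension hiding behind a document one.
    if last in EXECUTABLE_EXTS and len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return f"double extension .{parts[-2]}.{last}"
    # "report.pdf" whose content starts with the Windows PE "MZ" header.
    if last in DOCUMENT_EXTS and head.startswith(b"MZ"):
        return f"PE executable header with .{last} name"
    return None


def scan_attachment(name: str, data: bytes) -> List[str]:
    """Return a list of findings for one attachment.  ZIP archives are opened
    in memory and every member is checked with the same rules."""
    findings = []
    reason = masquerade_reason(name, data[:2])
    if reason:
        findings.append(f"{name}: {reason}")
    if name.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as member:
                    head = member.read(2)  # only the first two bytes are needed
                r = masquerade_reason(info.filename, head)
                if r:
                    findings.append(f"{name}!{info.filename}: {r}")
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP shaped like a courier-notification lure.
    The member is NOT real malware, just an MZ header padded with zeros."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Parcel_Notice_4821.pdf.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments: one lure ZIP, one genuine PDF, one bare double-extension file.
    samples = [
        ("Parcel_Notice.zip", build_sample_zip()),
        ("Statement.pdf", b"%PDF-1.4 constructed benign document"),
        ("Invoice.pdf.exe", b"MZ" + b"\x00" * 62),
    ]
    for attachment_name, attachment_data in samples:
        print(attachment_name, "->", scan_attachment(attachment_name, attachment_data) or "ok")
```

Run as a script it prints one line per sample; wired into a mail gateway it would be called once per attachment and the message quarantined on any finding. The “MZ” check matters because renaming the file to a single .pdf extension defeats the name-based rule alone.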

One thing’s for sure: you’re probably going to find that a few clients get themselves infected with CryptoLocker. Let’s hope they’ve been keeping on top of their backups. Advising customers that their best strategy is to hand over money to anonymous criminals is never going to sound good.