It finally happened: I saw my first case of a CryptoLocker variant on one of my users' laptops. If you are not familiar with it, Wikipedia describes it as:
...a ransomware trojan which targeted computers running Microsoft Windows, believed to have first been posted to the Internet on 5 September 2013. CryptoLocker propagated via infected email attachments, and via an existing botnet; when activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displays a message which offers to decrypt the data if a payment (through either bitcoin or a pre-paid cash voucher) is made by a stated deadline, and threatened to delete the private key if the deadline passes. If the deadline is not met, the malware offered to decrypt data via an online service provided by the malware's operators, for a significantly higher price in bitcoin.
Although CryptoLocker itself is readily removed, files remained encrypted in a way which researchers considered infeasible to break. Many said that the ransom should not be paid, but did not offer any way to recover files; others said that paying the ransom was the only way to recover files that had not been backed up. Some victims claimed that paying the ransom did not always lead to the files being decrypted.
The attacker's goal here is to have you pay a ransom to get your files back. It is estimated that 41% of people first hit by it paid the money to get their files back. That is ridiculous! The only thing you really need is a decent backup to get your files back.
Sure, you can use something like CrashPlan to back up your files to the cloud, but if you don't want to pay for backups and have a local NAS device or a USB drive, you can use the built-in File History tool to create backups of your files. To turn it on:
- Click Start, click Search, and search for File History.
- Click the button to turn it on.
ShadowExplorer allows you to browse the Shadow Copies created by the Windows Vista / 7 / 8 Volume Shadow Copy Service. It's especially [made] for users of the home editions, who don't have access to the shadow copies by default, but it's also useful for users of the other editions.
This is my preferred method, as it acts just like the old Shadow Copy feature in previous versions of Windows and saves changes to files periodically so you can restore previous versions. Plus, it doesn't take up a lot of disk space. Not to mention that if you have laptop users who travel a lot, their local files can still be recovered.
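As an added example (not code from the original post or from ShadowExplorer): a PowerShell check that confirms the shadow copies the ShadowExplorer method depends on actually exist for each volume and are recent, using the Win32_ShadowCopy and Win32_Volume CIM classes. The 7-day staleness threshold is an assumed default; run it from an elevated prompt.

```powershell
# Added example: audit Volume Shadow Copies per volume and flag volumes whose
# newest restore point is older than a threshold (assumed default: 7 days).
param([int]$MaxAgeDays = 7)

# Map volume device IDs (\\?\Volume{GUID}\) to drive letters for readable output.
$volumes = @{}
Get-CimInstance -ClassName Win32_Volume | ForEach-Object {
    if ($_.DeviceID) { $volumes[$_.DeviceID] = $_.DriveLetter }
}

# Win32_ShadowCopy exposes one row per snapshot; InstallDate is when it was taken.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy

if (-not $shadows) {
    Write-Warning "No shadow copies exist on this machine; there is nothing to restore from."
}

$shadows |
    Group-Object -Property VolumeName |
    ForEach-Object {
        $newest = $_.Group | Sort-Object InstallDate -Descending | Select-Object -First 1
        $age    = (Get-Date) - $newest.InstallDate
        $letter = $volumes[$_.Name]
        if (-not $letter) { $letter = $_.Name }   # volume without a drive letter
        [pscustomobject]@{
            Volume      = $letter
            Snapshots   = $_.Count
            NewestTaken = $newest.InstallDate
            AgeDays     = [math]::Round($age.TotalDays, 1)
            Stale       = $age.TotalDays -gt $MaxAgeDays
            Device      = $newest.DeviceObject
        }
    } | Format-Table -AutoSize

# To browse a snapshot without ShadowExplorer, expose its DeviceObject through a
# directory symbolic link (the trailing backslash on the target is required), e.g.:
#   cmd /c mklink /d C:\ShadowView "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\"
# then copy the pre-encryption copies of your files out of C:\ShadowView and
# remove the link afterwards with: rmdir C:\ShadowView
```

A volume flagged Stale (or missing from the table entirely) is one you could not recover from today, so fix that before you need it rather than after.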
With these two methods, you can recover files that were encrypted by ransomware, and you won't have to pay those criminals one red cent!