IMT Security Office Alert - CryptoLocker

posted Nov 10, 2013, 11:08 AM by Shawn Kohrman   [ updated Nov 12, 2013, 11:45 AM ]
The ransomware variant known as CryptoLocker is a particularly nasty bit of malware that is taking the Internet by storm.  Its use of sound cryptographic practices, combined with an ingenious method of extortion, makes it an exceptionally potent and dangerous package.

How to Avoid CryptoLocker

Azusa Pacific University has several layers of protection in place to help detect and prevent malware of all kinds.  While these are generally very effective, the CryptoLocker malware has the ability to circumvent these controls if you unknowingly execute an infected file or click on a malicious link in an email.

CryptoLocker is most often spread through booby-trapped email attachments, but the malware also can be deployed by hacked and malicious web sites by exploiting outdated browser plugins.

Tips for avoiding these malicious email attachments, malicious websites, and more are available on this site here and here.  Additional information is made available via US-CERT (United States Computer Emergency Readiness Team) here.

Backup Your Computer

Having good backups of the data on your computer is the fastest and most reliable way to recover from any malware--this is especially true with CryptoLocker.  If you are using a good backup system, chances are, you'll be able to recover from CryptoLocker with very little impact.

Personal Computers
There are a number of good computer backup solutions available at a very reasonable price.  These solutions have been evaluated by IMT and, while not officially recommended, are known to be effective.

If you believe you have the CryptoLocker malware on your personal computer, contact the IMT Support Desk immediately.  

APU Owned Equipment

The main campus file server is backed up on a regular basis.  We strongly recommend that you store your critical work files on your "L" and "M" drives to ensure recovery if your machine(s) become infected.  Google Drive also provides revision history for native Google files.  However, non-native files (Word, Excel, and PowerPoint) may not have revision history.

If you believe that you have the CryptoLocker malware on your APU owned machine, contact the IMT Support Desk immediately.

Help! CryptoLocker Is On My Computer

If your machine has been infected with the CryptoLocker malware, you have only a few feasible options.  Since CryptoLocker encrypts everything it can find on your local hard drive, your Dropbox, SkyDrive, Google Drive, etc., having good backups is the best recovery option available.

Restore Your Backup

Personal Computers

If you have used one of the recommended backup solutions or have a backup solution of your own, there are two key steps to recovering from CryptoLocker.
  1. Use the factory restore CD/DVDs that came with your computer to recover your machine to its original state.
  2. Restore your files using the backup solution you have chosen.

APU Owned Equipment

If you believe that you have the CryptoLocker malware on your APU owned machine, contact the IMT Support Desk immediately.

Pay the Ransom
If you don't have any backups of your work, and the files that have been encrypted by CryptoLocker are critical, you may want to consider paying the ransom. While this is ideologically offensive to most, there have been numerous reports of individuals who have paid the ransom and successfully recovered their files.

Before you consider paying the ransom, please contact the IMT Support Desk first. We will help you determine the best course of action for recovering your data. 

Other Resources 

There is a growing number of resources on the web dealing with CryptoLocker. Here are some sites that can provide additional accurate information.

Malwarebytes: Cryptolocker Ransomware: What you need to know.

Naked Security (Sophos): Destructive malware Cryptolocker on the loose.

Reddit threads: Proper care and feeding of your Cryptolocker; Cryptolocker is the nastiest malware ever and here's what you can do

Ars Technica: You’re infected — if you want to see your data again, pay us $300 in Bitcoins