Today a law firm client called and mentioned they could no longer access Word Document, PDF Files and other network data. After chatting a bit they mentioned that a user saw a window called Crypto Locker which asked for money to restore access on the files.

As it turns out, CryptoLocker is a new really bad email attachment virus. It is being caught by most Anti-Virus software after you've become infected and files are encrypted. There is no cure, either pay the criminal or restore from backup.

Ransomware

The is a whole new chapter in the world of computer infections. The author of the application holds your files hostage. Pay up, or lose your files. Ransomware is what it's being called.

It sounds like if you elect to pay, most of that process is highly automated. They don't accept credit cards, they only take what some consider black market money, like Bitcoin. (MoneyPak, uKash and cashU) These services have no charge back capability, so the author gets their cash. The fees have been been $100 - $300, with some users reporting $700. They other catch is they give you 100 hours to decide whether or not to pay, then they delete the key they used to decrypt your data. At that point without a good backup you are done.

How to block it and others

There is a method to prevent at least the current version of CryptoLocker from running on the computer it gets put on. I've seen other malware this same tweak will prevent from running. FolishIt.com has built a tool to make the changes easy. Download it from their site. (Scroll to the bottom of the page and click the blue button.

I downloaded the Zip Version because the application is a single executable.

In the Zip there are 2 programs, CryptoPrevent is the tool.

Starting the program shows it's splash screen, Press OK

On the Next screen the proper options will be set, Click Apply

I applied the settings as the program defaults. The Block Temp Extracted Executables option is a good one to stop infections, but it interferes with Firefox and other programs that auto update from Temp folders.

The program will run for a few seconds

Then ask you to Reboot.

 

 

 

 

 

It has a nice set of options for automatic deployment.

 

 

 

What's it do

Read about what the program does at Bleeping Computer where they show how to do things like generate a list of files that have been encrypted, or you can look in HKCU\Software\CryptoLocker\Files, the list is there. They also cover the registry entries the tool adds, which prevent application from running from %AppData% root and a couple others. Other than the Temp options, they all look quite innocuous and will prevent other infections I've recently cleaned.

Are there issues

If you turn on the Temp file blocking, that will block some programs from updating or running properly. I know I've written software that needs to fire up a file in the Temp folder. That being said, disallowing executables from the Temp file folders will stop other malware , some run from Internet Explorers cache folders. Using the recommended settings the are potential issues with software where the author is running the program from a sub folder of %appdata%, the operating system will display an error that says "This program is blocked by group policy. For information, contact your system administrator" If that message shows up on a known good application, the app should be added to the white list using this tool.

Is it worth the risk.

Absolutely. There isn't that much software that would be affected by this modification, the risk of an errant click , without much thought on a bad attachment is far greater than running into a legitimate program that fails.