2015 ended as the worst year yet for cybersecurity, and 2016 promises to be worse still. Two factors explain the current situation. The first is the evolution of ransomware, from the classic "postal police virus" (a screen locker that merely blocked the desktop with a fake police notice) to the ruthless CryptoLocker, which encrypts the victim's files. The second is certainly the success of Bitcoin, a virtual currency based on cryptographic algorithms and widespread on the dark web because its transactions, although public, are only pseudonymous and therefore very hard to trace back to a person. The ease of writing a ransomware that encrypts the files of an infected PC, combined with the near certainty of collecting payment without being traced and arrested, has caused the phenomenon to explode.

Ransomware is not a virus in the classic sense but a very simple piece of malware that makes your device, or the files it contains, inaccessible. It does not even need to hide its presence from the user, and to spread it exploits the user's naivety rather than a flaw in the software. Precisely for this reason antivirus products are in great difficulty: there is no exploit to detect, only a program the user chose to run.

CryptoLocker, like the more archaic "postal police virus", is "caught" by clicking on an attachment in an email, usually a fake PDF file. This type of infection is as old as email itself. It exploits, on the one hand, the credulity of users and, on the other, the fact that Windows hides the extensions of known file types by default. The attacker names the file with a double extension, for example procedure_conferma_bonifico.PDF.exe, and gives the program the icon of a classic PDF document: Explorer hides the trailing ".exe", shows procedure_conferma_bonifico.PDF, and most careless users will mistake the program for a harmless document. True, Windows will display a series of confirmation windows (the User Account Control prompt and similar warnings), but users have learned to see these as a nuisance and, bored and annoyed, click "OK" to any question the operating system or the ransomware installer puts to them.
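The double-extension lure above can be caught before anyone double-clicks it by looking at two things the icon cannot fake: the real final extension of the file name and the first bytes of its content (every Windows program starts with the "MZ" DOS stub). The following script is an added example, not code from the original article or from its author; the extension lists, the magic-byte table and the sample attachments are assumptions constructed for the demonstration, not real malware.

```python
import os

# Extensions Windows will execute when double-clicked. A lure ends in one of
# these, hidden behind a "document" extension that Explorer displays instead.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cpl"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf",
                 ".jpg", ".png", ".txt", ".zip"}

# Leading bytes ("magic") of the formats an attachment normally claims to be.
PE_MAGIC = b"MZ"            # every Windows executable starts with this DOS stub
DOC_MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
             ".zip": b"PK\x03\x04", ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG"}


def extensions_of(filename):
    """Lowercase extensions in order, e.g. 'a.PDF.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def explorer_display_name(filename):
    """Approximate what Explorer shows with 'Hide extensions for known file
    types' enabled: only the final known extension is hidden, so
    'x.PDF.exe' is shown as 'x.PDF'. (Assumes the sets above are 'known'.)"""
    exts = extensions_of(filename)
    if exts and exts[-1] in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return filename[: -len(exts[-1])]
    return filename


def classify_attachment(filename, data):
    """Return the list of reasons this attachment is suspicious; [] means
    nothing found. `data` is the content; the first few bytes are enough."""
    reasons = []
    exts = extensions_of(filename)
    last = exts[-1] if exts else ""

    # 1. Extension-level checks: what the user would actually launch.
    if last in EXECUTABLE_EXTS:
        reasons.append("executable extension %s" % last)
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            reasons.append("double extension; Explorer shows it as %r"
                           % explorer_display_name(filename))

    # 2. Content-level checks: what the bytes really are.
    if data[:2] == PE_MAGIC:
        reasons.append("PE header (MZ) at offset 0: this is a Windows program")
        if last in DOCUMENT_EXTS:
            reasons.append("content is a program but extension claims %s" % last)
    elif last in DOC_MAGIC and not data.startswith(DOC_MAGIC[last]):
        reasons.append("content does not match the %s format" % last)
    return reasons


def scan_directory(root):
    """Classify every file under `root` (e.g. a mail spool or Downloads
    folder) and return {path: reasons} for the suspicious ones only."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(16)
            reasons = classify_attachment(name, head)
            if reasons:
                findings[path] = reasons
    return findings


if __name__ == "__main__":
    # Constructed samples, not real malware: a PE stub dressed up as a PDF,
    # a genuine-looking PDF, and a PE stub with a plain .pdf name.
    samples = {
        "procedure_conferma_bonifico.PDF.exe": b"MZ\x90\x00\x03\x00\x00\x00",
        "fattura.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
        "report.pdf": b"MZ\x90\x00\x03\x00\x00\x00",
    }
    for name, head in samples.items():
        print(name, "->", classify_attachment(name, head) or "clean")
```

The content check matters as much as the name check: a mail gateway that only blocks ".exe" names is defeated by renaming, while a file that starts with "MZ" is a program whatever it is called. Conversely, a genuine PDF whose name ends in .pdf and whose bytes begin with "%PDF" produces no findings, so the script can run over a whole Downloads folder without drowning the user in false alarms.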

In a certain sense it is as if people, used to handing their house keys to the various people they know, absent-mindedly handed them over to the first stranger who asks for them. No security system can protect a user from himself.

How to defend against Cryptolocker?

First of all, treat with caution any attachment in an email and any file downloaded from the Internet, even when the email seems to come from one of your contacts: it may have been sent from an infected PC without that person's knowledge, or the sender address may simply be forged. I have cleaned the PCs of users who were infected by a fake email that appeared to come from INPS.

Reading the email carefully is the first step. Many are crudely translated into Italian with Google Translate, so always be wary of messages such as "poste italiene informs you that you have sent a 500 euro bank transfer, press here to cancel": the sender is almost certainly a foreign cybercriminal. Unfortunately, thanks to Bitcoin payments, ransomware written by Italian cybercriminals is now circulating too, in impeccable Italian. What used to hold back local criminals was precisely that, by following the money, the police would sooner or later catch them.

Keep your important data safe with regular backups on an external drive, remembering that CryptoLocker and its variants can also encrypt, and so render unusable, the files on any external drive connected to the PC at the time: once the backup is finished, the drive must be disconnected. Documents saved to a cloud service such as Dropbox and similar (except for the subscription versions with file history) are not safe either, because the sync client will faithfully upload the encrypted copies over the originals if you install one of the CryptoLocker variants by mistake. For home systems, backups burned to DVD or Blu-ray pose no problem, since once burned they are accessible in read-only mode. At company level, the best solution is always to consult a professional.

What to do if you get infected with Cryptolocker?

Shut down the infected PC immediately, preventing CryptoLocker from completing the encryption of all the files on the PC, on external devices and on shared network drives; unplugging the network cable first stops it from reaching shares on other machines. The disks of the infected PC must then be read from another, clean system (for example attached as a secondary, non-boot disk) to recover the files not yet encrypted by the ransomware. I recommend having a professional carry out this operation, who will also restore the PC.
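When the disk is mounted on the clean system, the practical problem is telling the files the ransomware reached from those it had not got to yet. Two cheap signals do most of the work: a file whose header still matches its format was not rewritten, and a file with no recognisable header whose bytes are almost uniformly random is very probably ciphertext. The script below is an added example, not code from the original article or from its author; the magic-byte table, the entropy threshold and the constructed sample tree are assumptions made for the demonstration.

```python
import math
import os
import shutil
import tempfile
from collections import Counter

# Leading bytes of common intact formats. A file whose header still matches
# one of these was not overwritten by a ransomware that rewrites whole files.
KNOWN_MAGIC = [
    (b"%PDF", "pdf"), (b"PK\x03\x04", "zip/office"), (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG", "png"), (b"GIF8", "gif"), (b"\xd0\xcf\x11\xe0", "ole/office97"),
    (b"MZ", "pe"), (b"\x1f\x8b", "gzip"), (b"7z\xbc\xaf", "7z"),
]
# Assumed cut-off: bytes above this entropy (maximum is 8.0) look like ciphertext.
ENTROPY_THRESHOLD = 7.2
SAMPLE_BYTES = 8192


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(data):
    """'intact' or 'likely_encrypted', judged from the first bytes of a file."""
    for magic, _ in KNOWN_MAGIC:
        if data.startswith(magic):
            return "intact"            # recognisable header survived
    if not data:
        return "intact"                # nothing to encrypt in an empty file
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "likely_encrypted"      # headerless and uniformly random
    return "intact"                    # plain text or other low-entropy data


def triage_directory(root):
    """Map each file under `root` (relative path, '/' separated) to its label."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            result[rel] = classify_file(head)
    return result


def copy_intact(root, dest):
    """Copy every file labelled 'intact' from `root` to `dest`, keeping the
    directory layout and timestamps; returns the number of files copied."""
    copied = 0
    for rel, label in triage_directory(root).items():
        if label != "intact":
            continue
        target = os.path.join(dest, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(os.path.join(root, rel), target)
        copied += 1
    return copied


def make_sample_disk():
    """Build a constructed sample tree: a text file, a PDF-like file, and a
    'spreadsheet' whose content is random bytes, as a ransomware that rewrites
    the whole file would leave it. Returns the temporary directory path."""
    root = tempfile.mkdtemp(prefix="triage_")
    docs = os.path.join(root, "Documenti")
    os.makedirs(docs)
    with open(os.path.join(docs, "appunti.txt"), "wb") as fh:
        fh.write(b"Riunione del 12 gennaio: rivedere i backup.\n" * 100)
    with open(os.path.join(docs, "fattura.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n" + os.urandom(3000))   # compressed streams are high-entropy too
    with open(os.path.join(docs, "bilancio.xlsx"), "wb") as fh:
        fh.write(os.urandom(4096))                    # header gone, uniformly random
    return root


if __name__ == "__main__":
    src = make_sample_disk()
    for rel, label in sorted(triage_directory(src).items()):
        print(label.ljust(16), rel)
    dst = tempfile.mkdtemp(prefix="recovered_")
    print("copied", copy_intact(src, dst), "intact files to", dst)
```

Mount the suspect disk read-only and run the triage from the clean system, never from the infected one. The header check comes first on purpose: PDFs, Office files and images contain compressed streams that are nearly as random as ciphertext, so entropy alone would misfile them. Very small files (a few dozen bytes) cannot reach the threshold even when encrypted, and a variant that keeps the original header would also slip past; treat the result as a shortlist to inspect, not as proof.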

Do not pay the ransom: you have no guarantee of receiving the key to decrypt the files. The key may have been lost by the cybercriminal himself, and sending it to you exposes him to additional risk; once he has collected the money, nothing obliges him to deliver.

Can files encrypted by CryptoLocker be recovered? The hopes of recovering the encrypted files are almost zero (since 2016 they have improved somewhat), especially with the latest versions of CryptoLocker. The malware encrypts each file with AES-256, a particularly robust cipher, and the keys are held by the criminals, so the probability of decrypting the files without the appropriate keys is remote: brute force is not a realistic option.

For the older versions, the security experts at FireEye and Fox-IT managed to recover the decryption keys and made them available for free through the DecryptCryptolocker service. Various online services based on it let you send a file (choose one containing no personal information) and receive the necessary material by e-mail.

In most cases, however, recovery will not be possible, because there are many variants of the ransomware and new ones appear every day. Among the best known: PrisonLocker, CryptoDefense, TorLocker and CryptoBit. They operate in a similar way to CryptoLocker but use different cryptographic keys.

To recover the data we have two possibilities:

  1. Try the Kaspersky Ransomware Decryptor (https://noransom.kaspersky.com) to decrypt some of the encrypted files; if the version that infected us is not very recent, we have some chance of succeeding.
  2. If this is not possible, the only alternative is to resort to a professional service; in that case I recommend iRecovery (https://www.irecoverydata.com). They will ask you to ship the hard disk and the other media to their headquarters and, after an analysis (shipping and analysis are free), will provide a quote; it is then up to you to decide whether to attempt the recovery or not.

Author: Loris Modena

SENIOR DEVELOPER

Per. Ind. Loris Modena, owner of Arte e Informatica, began working in the IT sector in 1989 as a systems engineer in charge of the maintenance and installation of IT systems. He started programming for the web in 1997, dealing with CGI programming in Perl and then moving on to PHP and JavaScript. In this period he approached the open source world and the management of Linux servers.
