CDU Information on CryptoLocker Virus

Overview

CryptoLocker is a special type of malware called ransomware that encrypts certain files on Windows computers.

This encryption means the files cannot be opened until they are decrypted. Once it has finished encrypting your files, it displays a payment program that prompts you to send a ransom of either $100 or $300 in order to decrypt the files. This program also displays a timer stating that you have 72 hours, or 3 days, to pay the ransom or you will have no way to decrypt your files.

It is not possible to decrypt files affected by CryptoLocker by any other means than paying the ransom.

CryptoLocker screenshot

How do you become infected?

This infection is typically spread through emails sent to company email addresses that pretend to be customer support related issues from Fedex, UPS, DHS, etc. These emails contain a zip attachment that infects the computer when opened. These zip files contain executables that are disguised as PDF files: they carry a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Windows hides file extensions by default, they look like normal PDF files and people open them.
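An added example (not part of the original CDU advisory) showing how a mail gateway or helpdesk script could triage a zip attachment of the kind described above: it flags members whose real extension is executable and whose name hides that behind a document extension. The executable and document extension sets and the sample zip are assumptions constructed for this example.

```python
import io
import zipfile

# Extensions Windows will run on double-click (assumed set for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document types an attachment is likely to impersonate (assumed set).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def classify_attachment_name(name):
    """Return the reasons a file name is suspicious (empty list if none)."""
    lower = name.rsplit("/", 1)[-1].lower()   # strip any folder inside the zip
    parts = lower.split(".")
    reasons = []
    if len(parts) < 2:
        return reasons
    if "." + parts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable")
        # "FORM_101513.pdf.exe" is shown as "FORM_101513.pdf" when extensions are hidden.
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
            reasons.append("double-extension disguised as " + parts[-2])
    return reasons


def scan_zip_bytes(data):
    """Inspect every member of an in-memory zip; return {member: reasons} for flagged ones."""
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_attachment_name(info.filename)
            if reasons:
                flagged[info.filename] = reasons
    return flagged


def build_sample_zip():
    """Constructed sample attachment; the members are harmless text, not real programs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FORM_101513.pdf.exe", "not a real program")
        zf.writestr("invoice.pdf", "not a real document")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip_bytes(build_sample_zip()).items():
        print(member, "->", ", ".join(why))
```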

What files does it affect?

CryptoLocker can affect any files you have access to. This includes local drives on your computer, USB keys or external hard drives plugged into your computer, as well as any mapped network shares.

It currently affects all files with the following extensions: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.
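An added example (not from the original advisory) that turns the extension list above into an exposure check: it walks a directory tree such as a local drive or mapped share and reports which files match the targeted patterns, including the name pattern img_*.jpg. Only a subset of the page's patterns is included, and the sample tree is constructed for the example.

```python
import fnmatch
import os
import tempfile

# Subset of the patterns listed above; "img_*.jpg" is a name pattern, the rest are extensions.
TARGETED_PATTERNS = [
    "*.odt", "*.ods", "*.doc", "*.docx", "*.xls", "*.xlsx", "*.ppt", "*.pptx",
    "*.pdf", "*.jpg", "img_*.jpg", "*.psd", "*.dwg", "*.pem", "*.pfx", "*.p12",
]


def is_targeted(path):
    """True if the file name matches any pattern CryptoLocker is reported to encrypt."""
    name = os.path.basename(path).lower()
    return any(fnmatch.fnmatchcase(name, pat) for pat in TARGETED_PATTERNS)


def inventory(root):
    """Walk a tree and return (sorted list of targeted paths, total bytes at risk)."""
    targeted, total = [], 0
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            if is_targeted(path):
                targeted.append(path)
                total += os.path.getsize(path)
    return sorted(targeted), total


def build_sample_tree():
    """Constructed sample tree standing in for a local drive or mapped share."""
    root = tempfile.mkdtemp(prefix="cryptolocker_demo_")
    os.makedirs(os.path.join(root, "photos"))
    for rel, size in [("thesis.docx", 3000), ("photos/img_0001.jpg", 2000),
                      ("notes.txt", 100), ("site.pem", 1700)]:
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"x" * size)
    return root


if __name__ == "__main__":
    paths, at_risk = inventory(build_sample_tree())
    print("%d files (%d bytes) would be encrypted:" % (len(paths), at_risk))
    for p in paths:
        print("  " + p)
```

Run against a mapped share to see how much data would need restoring from backup if a single user account were infected.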

How does this affect CDU?

There is currently no sure way to stop CryptoLocker from infecting your computer if you open these email attachments. The best way to stop this virus is to delete these emails without opening the file.

If your files have been affected, you will need to recover all files from backup.

At CDU we back up all corporate file shares, so in the case of an infection we are able to recover any affected files.

However, files stored on your local PC are not backed up. If you have any important work-related information stored locally, you are advised to move these files to the corporate file shares as soon as possible.

If you do get infected by CryptoLocker, you are advised to contact ITMS immediately.

ITMS Contact details:

  • T.  08 8946 6600
  • W. LogIT
  • Or visit us at the I.T. Kiosk in Red 8 (Library).

Home Users

Information for people using their home computer

We would also like to warn people that they should particularly pay attention to any computers at home, as typically people do not have backups they can use to recover from this infection.

What can I do to protect my home computer?

There is currently no surefire way to protect your computer 100%.

You can reduce the chance of infection by ensuring an up-to-date anti-virus (AV) program is installed, as most of these now detect the virus.

One issue is that many of these only run on a scheduled basis, meaning you could already be affected before the scan runs. If you are, it is too late, as your files have already been encrypted.

There are better AV programs that run all the time and actively scan emails and other files as you access them. Typically these cost money. These will protect you from getting infected in the first place, however you should not rely on this to keep you completely safe as these viruses get updated frequently, and it takes time for the AV programs to catch up.

The best method is to ensure that any data you have is backed up, and that this backup is kept offline. An example of this would be an external USB hard drive that is physically disconnected from your computer.


What can I do if I have been infected at home?

There are only two options.

  1. Recover any affected files from backup.
  2. Pay the ransom.

We do not advise people to pay the ransom, but if this is your only option, reports from other organisations that have been infected are that this does work in most cases, with any affected files successfully decrypted.

For more technical information on this virus, and for further information about what you can do to protect yourself at home, go here:

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information


ITMS

Contact information

W: logit.cdu.edu.au

Location
IT Kiosk, Red 8, Casuarina campus
Office hours: 8am - 4pm, Mon - Fri (CST)

Telephone
08 8946 6600 (ext 6600)
Phone hours: 7:30am - 6pm (Mon - Thu)
7:30am - 5:30pm (Fri)
