The threat actors behind ransomware campaigns are constantly writing new destructive code and releasing new strains for which the security industry has no complete, actionable fix. It is unfortunate that this talent flows in the black hat direction, but the prospect of easy money is evidently a strong incentive. One of today's most notorious ransomware programs, CryptoLocker 2015, has quite a history behind it. The original CryptoLocker appeared in September 2013 and was taken down in June 2014. The currently active infection analyzed in this post is a successor, most likely built by a different criminal group that reused the name. Its general mode of operation resembles the original's, but there are some differences.
One of the differences is the warning screen displayed by CryptoLocker. It is no longer red, and it is more blatant in showing off the operators' ego. Whereas the previous version said "Your personal files are encrypted", the latest one reads "Warning, we have encrypted your files with CryptoLocker virus". The "we" probably testifies to the operators being more ambitious and fearless, but let's leave profiling of the con artists to psychologists. Technically, the compromise starts with infection of the PC, which tends to be driven by social engineering. One observed vector is fake emails titled "Payroll reports" with a Microsoft Excel file attached. The malicious files can also be camouflaged as ZIP archives with what appear to be PDFs inside. Once the attachment is opened, it drops the payload onto the computer.
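The lure shape described above can be checked mechanically before anyone opens the attachment. The following PowerShell is an added example written for this page, not code from the original post: it opens a ZIP attachment and flags entries that are executables wearing a document extension (a double extension such as .pdf.exe, a PE "MZ" header regardless of the name, or a right-to-left override character hiding the real extension), and it checks whether an OOXML Excel or Word file carries a VBA macro part. The quarantine paths are assumed placeholders.

```powershell
# Added example (not from the original post): triage a suspicious mail attachment.
# Uses .NET's System.IO.Compression.FileSystem; works in Windows PowerShell 4+ and PowerShell 7.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-ZipAttachment {
    # Returns one record per archive entry that looks like an executable posing as a document.
    param([Parameter(Mandatory)][string]$Path)

    $docExt  = 'pdf|doc|docx|xls|xlsx|rtf|txt|jpg|png'
    $execExt = 'exe|scr|com|pif|bat|cmd|js|jse|vbs|vbe|wsf|hta|cpl|lnk'
    $findings = @()

    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -eq '') { continue }          # directory entries have an empty Name
            $reasons = @()

            # "invoice.pdf.exe": Explorer hides the final extension by default, so the user sees a PDF.
            if ($entry.Name -match "\.($docExt)\.($execExt)$") { $reasons += 'document extension followed by executable extension' }
            elseif ($entry.Name -match "\.($execExt)$")        { $reasons += 'executable extension' }

            # U+202E (right-to-left override) makes "report[RLO]fdp.exe" render as "reportexe.pdf".
            if ($entry.Name.IndexOf([char]0x202E) -ge 0) { $reasons += 'right-to-left override in name' }

            # Content check independent of the name: every PE executable starts with "MZ".
            $stream = $entry.Open()
            try {
                $buf = New-Object byte[] 2
                $n = $stream.Read($buf, 0, 2)
            } finally { $stream.Dispose() }
            if ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A) { $reasons += 'PE header (MZ)' }

            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Entry   = $entry.FullName
                    Size    = $entry.Length
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    } finally { $zip.Dispose() }
    return $findings
}

function Test-OfficeMacros {
    # OOXML files (.xlsx/.xlsm/.docx/.docm) are ZIP containers; a VBA project is stored as vbaProject.bin.
    # Legacy binary .xls/.doc are OLE2 files, not ZIPs, so OpenRead throws on them and they need another parser.
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        return [bool]($zip.Entries | Where-Object { $_.FullName -match '(^|/)vbaProject\.bin$' })
    } finally { $zip.Dispose() }
}

# Usage with assumed paths: flag anything suspicious and refuse to open it.
$hits = Test-ZipAttachment -Path 'C:\quarantine\payroll_reports.zip'
if ($hits) {
    $hits | Format-Table -AutoSize
    Write-Warning 'Archive contains executable content; do not extract or open it.'
}
if (Test-OfficeMacros -Path 'C:\quarantine\payroll_reports.xlsm') {
    Write-Warning 'Spreadsheet carries a VBA project; open it only in a sandbox with macros disabled.'
}
```

The "MZ" check is the one worth keeping even if the others feel noisy: it does not care what the entry is called, which is the whole point of a lure that is named like a PDF.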
The virus scans the computer's drives for a list of file extensions, and each matching file is encrypted with the AES algorithm. It then displays a warning message that gives some details of what happened:
"Your important files (including those on the network disks, USB, etc): photos, videos, documents, etc. were encrypted with our CryptoLocker virus. The only way to get your files back is to pay us. Otherwise, your files will be lost."
The payment demanded in the message is to be made in Bitcoin, in an amount equivalent to about 500 USD. Each infected user is assigned a unique Bitcoin address. If the ransom is not paid within three days, it increases. What the criminals are essentially offering is a decryption tool that holds the private key needed to unlock the files. That private key exists only on the attackers' side, which is why removing the malware from the machine does not decrypt anything. But this is extortion in its purest form, so instead of giving in to the bad guys, it is strongly recommended to try the workarounds provided in the next part of this tutorial first. Be advised that removing CryptoLocker does not recover the files, but it is a mandatory part of cleaning up the operating system.
Automatic removal of CryptoLocker
This is the most reliable method for handling malware in general and ransomware in particular. A reputable security suite detects all of the malware's components and removes them in one pass. Before running it, disconnect the machine from the network: the ransom note itself says network disks get encrypted, and an infected host that is still connected keeps working through any share it can reach. Be advised, though, that uninstalling the infection and recovering your files are two different things; removing it is nevertheless essential, since this variant has been reported to install other Trojans while it runs.
As mentioned, CryptoLocker applies strong crypto to render files inaccessible, so there is no magic wand that restores all of the encrypted data in the blink of an eye, other than paying the ransom. There are, however, techniques that can help recover the important data; the following sections describe them.
Automatic file recovery software
Interestingly, CryptoLocker does not encrypt files in place: it writes an encrypted copy and then deletes the unencrypted original. A deleted file's data normally stays on disk until its clusters are reused, so undelete tools such as Data Recovery Pro can bring the originals back. The condition is that those clusters have not been overwritten since. Stop using the affected disk as soon as possible, ideally image it and run the recovery against the image, because every write (the malware's continuing activity, installing recovery tools onto the same volume, even normal browsing) reduces the chances. If the originals were overwritten rather than merely deleted, this method cannot recover them. With that caveat, the workaround is worthwhile and has proved fairly effective in practice.
Shadow Volume Copies
This approach relies on Windows' Volume Shadow Copy Service, which snapshots the volume whenever a restore point is created. Two conditions apply: System Protection (System Restore) must have been enabled for the volume before the infection, and a snapshot must still exist, since many ransomware families delete shadow copies (typically with vssadmin) as part of the attack; run vssadmin list shadows from an elevated prompt to check. Also, changes made to a file after the most recent snapshot are not reflected in the recovered version, and a snapshot taken after the encryption contains only the encrypted files, so use one dated before the infection.
The Properties dialog of any file or folder has a tab called Previous Versions, which lists the snapshotted versions and lets you recover from them. Right-click a file or folder, choose Properties, open that tab and select Copy (to recover to a different location) or Restore (to overwrite in place).
The process can be automated with a tool called ShadowExplorer. It does the same thing (retrieving Shadow Volume Copies) in a more convenient way: download and install the application, run it, select the snapshot date, browse to the files and folders whose previous versions you want restored, right-click any of the entries and select Export.
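The same retrieval can be scripted without a third-party tool. The following PowerShell is an added example for this page, not code from the original post or from ShadowExplorer: it lists existing snapshots through Win32_ShadowCopy, picks the newest one created before a date you supply (so that a snapshot taken after the encryption is never used), exposes it through a temporary directory symbolic link and copies a folder out of it. Run it from an elevated PowerShell session; the user name, dates and destination are assumed values.

```powershell
# Added example (not from the original post or ShadowExplorer): recover a folder from a
# Volume Shadow Copy taken before the infection. Run from an elevated PowerShell session.

function Get-ShadowSnapshots {
    # Lists VSS snapshots newest-first, resolving the volume GUID to a drive letter.
    $volumes = Get-CimInstance -ClassName Win32_Volume
    Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        $shadow = $_
        $vol = $volumes | Where-Object { $_.DeviceID -eq $shadow.VolumeName }
        [pscustomobject]@{
            Id           = $shadow.ID
            Created      = $shadow.InstallDate
            Drive        = $vol.DriveLetter
            DeviceObject = $shadow.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    } | Sort-Object Created -Descending
}

function Restore-FromShadow {
    param(
        [Parameter(Mandatory)][datetime]$Before,       # use the newest snapshot older than this
        [Parameter(Mandatory)][string]$RelativePath,   # path below the volume root, e.g. Users\alice\Documents
        [Parameter(Mandatory)][string]$Destination,    # copy target; keep it away from the encrypted location
        [string]$Drive = 'C:'
    )
    $candidates = @(Get-ShadowSnapshots | Where-Object { $_.Drive -eq $Drive -and $_.Created -lt $Before })
    if ($candidates.Count -eq 0) {
        throw "No shadow copy of $Drive predates $Before; snapshots were never enabled or have been deleted."
    }
    $snap = $candidates[0]
    Write-Host ("Using snapshot {0} created {1}" -f $snap.Id, $snap.Created)

    # Snapshots are only reachable through the device object; a directory symlink makes it a browsable path.
    # The trailing backslash after the device object is required by mklink.
    $link = Join-Path $env:TEMP ("vss_" + [guid]::NewGuid().ToString('N'))
    cmd /c mklink /d "$link" "$($snap.DeviceObject)\" | Out-Null
    try {
        $source = Join-Path $link $RelativePath
        if (-not (Test-Path $source)) { throw "$RelativePath does not exist in the selected snapshot" }
        New-Item -ItemType Directory -Force -Path $Destination | Out-Null
        Copy-Item -Path $source -Destination $Destination -Recurse -Force
        Write-Host "Copied $source to $Destination"
    } finally {
        cmd /c rmdir "$link" | Out-Null   # removes only the link; the snapshot itself is untouched
    }
}

# Usage with assumed values: review what exists, then pull Documents from before the ransom note appeared.
Get-ShadowSnapshots | Format-Table Created, Drive, DeviceObject -AutoSize
Restore-FromShadow -Before '2015-03-10 09:00' -RelativePath 'Users\alice\Documents' -Destination 'D:\recovered\Documents'
```

Copying into a separate destination rather than restoring in place keeps the encrypted copies available for later analysis, and the -Before filter matters because a restore point created after the encryption (by a Windows update, for instance) holds only ciphertext. If Get-ShadowSnapshots returns nothing at all, the snapshots have most likely been deleted and the remaining options are undelete tools or backups.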
Backups
Of all the options that do not involve the ransom, this is the best. If you had been backing up your data to an external server before the ransomware hit your PC, restoring the files encrypted by CryptoLocker is as simple as logging into the backup service, selecting the right files and starting the restore. Before you do so, however, make sure the ransomware has been completely removed from the computer, and check the backup itself: the ransom note says network disks are encrypted too, so a backup location that was reachable as a mapped drive may have been encrypted along with everything else, and only versions dated before the infection are safe to restore.
If you chose to clean up manually, fragments of the ransomware may remain as obfuscated objects in the file system or registry. To make sure no components of the CryptoLocker virus are left, scan the computer with a reliable malware security suite.