Is there any way to get my files back if I got hit by the CryptoLocker virus?
- Bill
This question was answered on October 31, 2013. Much of the information contained herein may have changed since posting.
The CryptoLocker ransomware infection is, without a doubt, one of the worst types of malware attacking Windows computers that we’ve ever seen. The good news is that the infection itself is fairly easy to remove; the bad news is that the damage it does can be catastrophic if you don’t have a backup.
Unlike the widely known FBI virus, which locks your computer to try to con you into paying a fine, CryptoLocker really does hijack all your data and demands a ransom for its return.
We started seeing systems infected with this very sophisticated attack in September and are seeing a definite increase in people who are falling prey to its cleverly socially engineered e-mails.
One of the most common methods of infection comes as an e-mail attachment that appears as a PDF file from well-known companies such as FedEx, UPS or others.
When you open the rigged file, it jumps into action and starts encrypting all of your data files, including any attached backup drives or network drives that appear as a drive letter on your computer (a major threat to businesses).
There are also reports of infections coming through hacked websites or by those that fall for the long-running ‘You need to update your video player in order to see this video’ scam.
It really doesn’t matter what virus protection you have, because the attackers trick you into running an executable program that looks like any other program a user would choose to run, so your security software lets the malicious program run.
Encryption is a way to secure data from others by converting your normally accessible files into a scrambled mess that ONLY the key holder can unscramble. The encryption used by the CryptoLocker authors is extremely strong and impossible to break in the short time you’re given to pay.
To ensure that you act quickly, you are given a deadline of 72-96 hours to pay the ransom; otherwise the key, which is the only way to regain access to your data, will be destroyed.
There are varying reports around the Internet that those who pay sometimes regain access to their data, but these ‘reports’ could easily be the work of the hijackers themselves.
If you have a verified backup that was not connected to your computer at the time of the attack, you can disinfect your computer, restore your system and ignore the ransom demands.
If, however, you don’t have any type of backup or your backups were attacked as well, the only possibility of getting your files back is to pay the ransom and hope the thieves are honorable.
If you’ve made any changes to the location of the encrypted data or removed the virus, the decryption process won’t work properly. If you’re contemplating paying the ransom, there are a lot of technical issues involved. If you’re not fairly tech savvy, you’d be best off hiring a skilled IT person to help you through the process, especially creating a solid off-site backup process to protect you in the future.
Business owners should be especially concerned, as any one employee who falls for this scam can cause all the information on the company’s servers to be encrypted.
If you’re a business user and you see lots of drive letters when you open the My Computer or Computer icon, all the files on those mapped drives are at risk from this attack (have your IT department review whether they are really necessary).
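The review suggested above can be done from a PowerShell prompt rather than by eyeballing the Computer window. The script below is an added example, not code from the Data Doctors article: it lists every removable or network drive that has a drive letter (the same set of drives CryptoLocker can reach through the file system, including attached backup drives) and tests whether the current user can write to each one, since a writable mapping is the exposure that matters. The function name and the probe-file naming are my own choices.

```powershell
# Added example (not from the original article): inventory drive letters that
# point at removable or network storage and check whether they are writable.
# Every writable entry returned here is data the logged-on user's malware
# could encrypt, so each one should be justified or disconnected.

function Get-DriveLetterExposure {
    [CmdletBinding()]
    param()

    # Win32_LogicalDisk DriveType 2 = removable disk (USB backup drives),
    # DriveType 4 = network drive (mapped shares). Fixed local disks are
    # left out because the question is what else is reachable from this PC.
    $disks = Get-CimInstance -ClassName Win32_LogicalDisk `
        -Filter "DriveType=2 OR DriveType=4"

    foreach ($disk in $disks) {
        $root     = "$($disk.DeviceID)\"
        $writable = $false

        # Probe file name is constructed for this example; it is created and
        # removed immediately, which is the simplest honest write test.
        $probe = Join-Path -Path $root -ChildPath ("exposure-probe-{0}.tmp" -f [guid]::NewGuid())
        try {
            New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
            Remove-Item -Path $probe -ErrorAction SilentlyContinue
            $writable = $true
        } catch {
            # Access denied or offline share: not writable from this account.
            $writable = $false
        }

        [pscustomobject]@{
            Drive       = $disk.DeviceID
            Type        = if ($disk.DriveType -eq 4) { 'Network' } else { 'Removable' }
            Target      = if ($disk.ProviderName) { $disk.ProviderName } else { $disk.VolumeName }
            FreeSpaceGB = if ($disk.FreeSpace) { [math]::Round($disk.FreeSpace / 1GB, 1) } else { $null }
            Writable    = $writable
        }
    }
}

# Usage: run as the user whose desktop you are reviewing, since mappings and
# share permissions are per user. Writable drives are listed first.
Get-DriveLetterExposure | Sort-Object Writable -Descending | Format-Table -AutoSize
```

Run it once per user account that logs on to the machine; a share that is read-only for one person may be writable for another, and it is the writable view that decides how far an infection under that account can spread. An attached backup drive that shows up as writable here is exactly the backup the article warns will be encrypted along with everything else.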
For our tips on protecting your business from CryptoLocker, click here.
About the author
Posted by Ken Colburn of Data Doctors on October 31, 2013