Is Your Data Being Held for Ransom?

 
After first being discovered in late summer, Cryptolocker has enjoyed quite a successful run in cyberspace – if you measure success by sheer number of infections. Since then, over 500,000 systems have been compromised by this ransomware.
For those of you not familiar with the term ransomware or how it works, just liken it to a hostage being taken and the perpetrator demanding money in return for the release of said hostage – with one major difference – the hostage in this sense is your data – .doc, .xls, .ppt, .pdf, and .jpg files just to name a few.
No, the bad guys don’t actually get into your system and physically “take” the data – but they might as well…
The sinister program, usually activated by clicking on an infected email attachment or by way of a botnet, encrypts files on local and network mapped drives using RSA public key cryptography. The victim is usually notified of the infection by way of a pop-up indicating that their files have been “protected” by a formidable encryption process…and if not indicated by the pop-up, they’ll eventually realize it when the aforementioned file types just will not open, accompanied by an error indicating something to the effect of “failed to open file – format not recognized” or something similar.
So, at this point you had two options – go to a website listed in the “decrypt instructions” text file that accompanied the malware and pay anywhere from $350 – $500 for the key to decrypt your data (and this usually had a 72 hour time limit, after which the key was permanently deleted and your data turned into toast) or … restore the data from a backup. Current statistics indicate only 1.5 % of victims actually paid for the decryption key – but there are no statistics, at least that I could find, indicating what percentage of data was successfully restored from backup, and how much data was just written off – lost forever.
But now there’s hope that you can recover that locked data if you couldn’t restore from backup….
Through some pretty nifty cyber-sleuthing, the good guys have successfully captured a database of the private encryption keys of victims of this malware. You can now send an infected file and get the private encryption key to unlock your data – this was a joint effort by FireEye and Fox-It , research firms specializing in internet security, which is all the more reason to incorporate a business continuity plan.  Read more about the process here:
http://www.pcworld.com/article/2462280/cryptolocker-decrypted-researchers-reveal-website-that-frees-your-files-from-ransomware.html and there are no known decrypt mechanisms for other flavors of this malware such as Cryptowall and CryptoDefense – but at least now there’s a chance, at least for some of you, that your data, and your sanity, can be recovered. Consider a business continuity plan with Alliance InfoSystems, LLC.
Chuck Herman
Support Engineer