New CryptoLocker "Ransomware Virus" Attacking U.S. Companies.

“These hackers are making a huge amount of money literally holding corporate America hostage for their data... Our solution or any alternative secure cloud solution is key to preventing massive data loss.”

A new and very dangerous virus - the CryptoLocker “ransomware” virus is infecting companies across the country. Companies are literally getting ransom notes and being asked to pay ransom – otherwise, their data will be wrecked along with their businesses. This is not the Wild West of the 1800's but modern day corporate America.

According to the data recovery specialists at Gillware, here is how the virus works:

The CryptoLocker “ransomware” virus is infecting corporate data files when employees check their personal email at work.

An employee receives an email telling them they have some type of package ready for pick-up. The employee then clicks on a link to find out more information about this package pick up and then the virus hits. It quickly spreads throughout the targeted company’s system and is looking for specific file types.

As it spreads, the CryptoLocker “ransomware” virus begins encrypting about 40 file types which the virus determines have the most value. The CryptoLocker “ransomware” virus is a “smart” virus. It looks for specific files such as Word documents, spreadsheets, databases and other files that are strategic in nature or more valuable to a company which would then be worth more in ransom.

The next time someone at the infected company tries to open a Word document or any other high value file which the virus has selected, they find they cannot open the file and they see a flag telling them their files have been encrypted and they must pay a fee or ransom to have these files un-encrypted.

If the ransom is not paid in a time, the company’s files remain unusable by the CryptoLocker “ransomware” virus.

This CryptoLocker “ransomware” virus encrypts files using a mixture of RSA & AES encryption. When it has finished encrypting a company’s files, it displays a CryptoLocker payment message that prompts the company to send a ransom of hundreds to thousands of dollars in order to decrypt the files.

As the CryptoLocker “ransomware” evolves into different, and more sophisticated versions, the amount of data it holds ransom grows and the amount of ransom asked for increases.

The ransom note communicated by computer message also displays a timer stating that the company has 96 hours to pay the ransom or it will delete the encryption key and the targeted company will not have any way to access their files.

The ransom must be paid using MoneyPak vouchers or Bitcoins. The creation of the virtual currency called Bitcoins makes this type of computer attack profitable for the perpetrators. Regular wire transfers would enable the perpetrators to be easily caught. Once payment is sent and it is verified, the program may decrypt the files that it encrypted.

Without their data, companies simply cannot function. The stakes are tremendously high with the CryptoLocker “ransomware” virus attacks. Their increasing sophistication presents an ongoing threat.

Data recovery expert and Gillware CEO Brian Gill is surprised these attacks have not gotten more publicity and says,

“These ransomware cases aren’t going anywhere. We’ve seen at least 3 different variants in the last few months. These hackers are making a huge amount of money literally holding corporate America hostage for their data. Why would you write a run of the mill virus to run amok when you could write a virus to run amok and make millions of dollars?”

This is a very significant moment in the history of viruses. Viruses are now intelligent enough to identify critical database files and steal high value data, not just data selected at random. The CryptoLocker “ransomware” virus then crushes the data with unique encryption keys, and is smart enough to take an electronic payment and then send a company the correct decryption keys and software.

“This should be getting more press and should be terrifying IT administrators into buying cloud backup. Now that this new “virus business model” has been shown to the world, it’s never going anywhere. Our solution or any alternative secure cloud solution is key to preventing massive data loss. These viruses are getting better and better and annihilating on-premise data. No matter how good your anti-virus software is... the writers of these viruses are always one step ahead, says Gillware CEO, Brian Gill.

At this time, there is no way to retrieve the private key that can be used to decrypt a company’s files that are being held for ransom. Determining what the actual decryption key is not realistic due to the length of time required to break the key. Also, any decryption tools that have been released by various companies will not work with this infection. The only method companies have of restoring their files is from a backup, if one exists and that backup has not been exposed to the CryptoLocker “ransomware” virus.

If companies pay the ransom, they then receive the encryption keys to unlock their data. But this will only encourage further attacks. Gillware CEO Gill continues, “Our phone rings, and sometimes there’s a business that has had 1TB+ of important data hammered by this virus attack. Five times in the last 24 hours, we’ve had backup clients get hit by the virus. And our staff was able to restore their stuff with old revisions, because our backup service keeps a nice revision history.”

A sample ransom note states

Your important files encryption produced on this computer: photos, videos, documents. etc. Here is a complete list of encrypted files, and you can personally verify this.

Encryption was produced using a unique public key RSA-2048 generated for this computer.
To decrypt files you need to obtain the private key.

The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window.

To obtain the private key for this computer, which will automatically decrypt files, you need to pay 100 USD / 100 EUR / similar amount in another currency.

Click to select the method of payment and the currency.

Any attempt to remove or damage this software will lead to the immediate destruction of the private key by the server.

Companies have to remove the software no matter what before moving forward. If data is restored, and the virus is still on their computers, then the restored files will get encrypted again by the virus, solving nothing. While companies remove the virus from their system, they can simply use a copy of their data that was kept offsite by a reputable backup service provider like Gillware Remote Backup, and continue their business activity.

But it is important to point out that the CryptoLocker “ransom ware” infection launches two processes of itself. If a company only terminates ones process, the other process will automatically launch the second one and the attack continues.

About Gillware Data Services

Gillware Data Services was founded by Gillware, Inc., one of the world’s leading data recovery labs. Gillware Online Backup is the only backup solution developed by a data recovery laboratory. It was designed with a full understanding of what best protects data. It is automatic, secure and reliable. Data is compressed and encrypted and remains encrypted at a U.S. based data center.

Gillware Data Services
http://backup.gillware.com/