New CryptoLocker

New CryptoLocker "Ransomware Virus" Attacking U.S. Companies.

“These hackers are making a huge amount of money literally holding corporate America hostage for their data... Our solution or any alternative secure cloud solution is key to preventing massive data loss.”

A new and very dangerous virus, the CryptoLocker “ransomware” virus, is infecting companies across the country. Companies are literally receiving ransom notes and being asked to pay a ransom; otherwise, their data will be wrecked along with their businesses. This is not the Wild West of the 1800s but modern-day corporate America.

According to the data recovery specialists at Gillware, here is how the virus works:

The CryptoLocker “ransomware” virus is infecting corporate data files when employees check their personal email at work.

An employee receives an email telling them they have some type of package ready for pick-up. The employee clicks on a link to find out more about this package, and the virus executes. It quickly spreads throughout the targeted company’s systems, searching for specific file types.

As it spreads, the CryptoLocker “ransomware” virus begins encrypting about 40 file types which the virus determines have the most value. The CryptoLocker “ransomware” virus is a “smart” virus. It looks for specific files such as Word documents, spreadsheets, databases and other files that are strategic in nature or more valuable to a company, and therefore worth more in ransom.

The next time someone at the infected company tries to open a Word document or any other high-value file which the virus has selected, they find they cannot open the file, and they see a message telling them their files have been encrypted and they must pay a fee or ransom to have these files decrypted.

If the ransom is not paid in time, the company’s files remain unusable.

This CryptoLocker “ransomware” virus encrypts files using a mixture of RSA and AES encryption. When it has finished encrypting a company’s files, it displays a CryptoLocker payment message that prompts the company to send a ransom of hundreds to thousands of dollars in order to decrypt the files.

As the CryptoLocker “ransomware” evolves into different, and more sophisticated versions, the amount of data it holds ransom grows and the amount of ransom asked for increases.

The ransom note displayed on screen also shows a timer stating that the company has 96 hours to pay the ransom; after that, the encryption key will be deleted and the targeted company will have no way to access its files.

The ransom must be paid using MoneyPak vouchers or Bitcoin. The virtual currency Bitcoin makes this type of computer attack profitable for the perpetrators, since regular wire transfers would allow them to be easily caught. Once payment is sent and verified, the program may decrypt the files that it encrypted.

Without their data, companies simply cannot function. The stakes are tremendously high with the CryptoLocker “ransomware” virus attacks. Their increasing sophistication presents an ongoing threat.

Data recovery expert and Gillware CEO Brian Gill is surprised these attacks have not gotten more publicity and says,

“These ransomware cases aren’t going anywhere. We’ve seen at least 3 different variants in the last few months. These hackers are making a huge amount of money literally holding corporate America hostage for their data. Why would you write a run of the mill virus to run amok when you could write a virus to run amok and make millions of dollars?”

This is a very significant moment in the history of viruses. Viruses are now intelligent enough to identify critical database files and steal high-value data, not just data selected at random. The CryptoLocker “ransomware” virus then crushes the data with unique encryption keys, and is smart enough to take an electronic payment and then send a company the correct decryption keys and software.

“This should be getting more press and should be terrifying IT administrators into buying cloud backup. Now that this new ‘virus business model’ has been shown to the world, it’s never going anywhere. Our solution or any alternative secure cloud solution is key to preventing massive data loss. These viruses are getting better and better and annihilating on-premise data. No matter how good your anti-virus software is... the writers of these viruses are always one step ahead,” says Gillware CEO Brian Gill.

At this time, there is no way to retrieve the private key that can be used to decrypt a company’s files that are being held for ransom. Determining the actual decryption key is not realistic because of the length of time required to break the key. Also, any decryption tools that have been released by various companies will not work with this infection. The only method companies have of restoring their files is from a backup, if one exists and that backup has not been exposed to the CryptoLocker “ransomware” virus.

If companies pay the ransom, they then receive the keys to unlock their data. But this will only encourage further attacks. Gillware CEO Gill continues, “Our phone rings, and sometimes there’s a business that has had 1TB+ of important data hammered by this virus attack. Five times in the last 24 hours, we’ve had backup clients get hit by the virus. And our staff was able to restore their stuff with old revisions, because our backup service keeps a nice revision history.”

A sample ransom note states:

Your important files encryption produced on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this.

Encryption was produced using a unique public key RSA-2048 generated for this computer.
To decrypt files you need to obtain the private key.

The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window.

To obtain the private key for this computer, which will automatically decrypt files, you need to pay 100 USD / 100 EUR / similar amount in another currency.

Click to select the method of payment and the currency.

Any attempt to remove or damage this software will lead to the immediate destruction of the private key by the server.

Companies must remove the malware before doing anything else. If data is restored while the virus is still on their computers, the restored files will simply be encrypted again, solving nothing. While companies remove the virus from their systems, they can use a copy of their data that was kept offsite by a reputable backup service provider like Gillware Remote Backup, and continue their business activity.

It is also important to point out that the CryptoLocker “ransomware” infection runs as two processes. If a company terminates only one process, the other automatically relaunches it and the attack continues.
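The restoration step described above, choosing a backup revision that predates the infection and has not itself been encrypted, can be made systematic. The following is an added example written for this page; it is not Gillware's code and does not describe how its backup service works. The revision history, the estimated infection time, the file signatures and the entropy threshold are constructed or assumed for illustration.

```python
"""Plan a clean restore from backup revision history after a
crypto-ransomware incident.

Added example, not Gillware's code.  The revision history, the estimated
infection time, the file signatures and the entropy threshold below are
constructed/assumed for illustration.
"""
import hashlib
import math
import os
from collections import Counter
from datetime import datetime, timezone

# Leading bytes ("magic") of some high-value file types the article names.
# An encrypted copy of such a file no longer starts with its signature.
# Types without a fixed signature (.txt, .csv) are judged by entropy only.
MAGIC = {
    ".docx": b"PK\x03\x04",        # Office Open XML is a ZIP container
    ".xlsx": b"PK\x03\x04",
    ".doc":  b"\xd0\xcf\x11\xe0",  # legacy OLE2 compound document
    ".pdf":  b"%PDF",
}
ENTROPY_LIMIT = 7.5  # bits/byte; ciphertext sits near the 8.0 maximum (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for repetitive data, ~8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """Heuristic: signature mismatch for known types, high entropy otherwise."""
    magic = MAGIC.get(os.path.splitext(name)[1].lower())
    if magic is not None:
        return not data.startswith(magic)
    return shannon_entropy(data) > ENTROPY_LIMIT


def choose_restore_revision(name, revisions, infection_time):
    """Newest revision that predates the infection estimate AND still looks
    like a genuine file; None if the backup holds no clean copy."""
    for ts, data in sorted(revisions, key=lambda r: r[0], reverse=True):
        if ts >= infection_time:
            continue  # captured while the malware was active: never trust it
        if looks_encrypted(name, data):
            continue  # infection began earlier than estimated; keep looking
        return ts, data
    return None


def plan_restore(history, infection_time):
    """Map each file to the ISO timestamp of the revision to restore, or None."""
    plan = {}
    for name, revisions in history.items():
        choice = choose_restore_revision(name, revisions, infection_time)
        plan[name] = choice[0].isoformat() if choice else None
    return plan


# ---- constructed sample data ------------------------------------------------
def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def _fake_ciphertext(seed: bytes, n: int = 4096) -> bytes:
    """Deterministic random-looking bytes standing in for an encrypted file."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


INFECTION_TIME = _ts("2014-05-06T09:30")  # assumed: time of the first alert

# filename -> [(backup timestamp, content)], oldest first (constructed)
REVISIONS = {
    "ledger.xlsx": [
        (_ts("2014-05-05T17:00"), b"PK\x03\x04" + b"[Content_Types].xml ..." * 20),
        (_ts("2014-05-06T09:41"), _fake_ciphertext(b"ledger")),  # backed up after encryption
    ],
    "budget.docx": [
        (_ts("2014-05-04T16:10"), b"PK\x03\x04" + b"word/document.xml ..." * 20),
        (_ts("2014-05-06T09:20"), _fake_ciphertext(b"budget")),  # predates estimate, already encrypted
    ],
    "notes.txt": [
        (_ts("2014-05-01T08:00"), b"Meeting notes, week 18. Action items ...\n" * 50),
        (_ts("2014-05-05T12:00"), b"Meeting notes, week 19. Action items ...\n" * 50),
        (_ts("2014-05-06T10:02"), _fake_ciphertext(b"notes")),
    ],
    "contract.pdf": [
        (_ts("2014-05-06T09:55"), _fake_ciphertext(b"contract")),  # only copy is encrypted
    ],
}

if __name__ == "__main__":
    for name, ts in plan_restore(REVISIONS, INFECTION_TIME).items():
        print(f"{name}: {'restore revision ' + ts if ts else 'NO CLEAN REVISION, escalate'}")
```

The timestamp filter alone is not enough: the infection is usually noticed some time after encryption starts, so a revision captured shortly before the estimated infection time may already be ciphertext (budget.docx above). The content check catches that case, and a file whose every backed-up revision fails the check is reported rather than silently restored, so staff know that copy must come from elsewhere.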

About Gillware Data Services

Gillware Data Services was founded by Gillware, Inc., one of the world’s leading data recovery labs. Gillware Online Backup is the only backup solution developed by a data recovery laboratory. It was designed with a full understanding of what best protects data. It is automatic, secure and reliable. Data is compressed and encrypted and remains encrypted at a U.S. based data center.

Gillware Data Services
http://backup.gillware.com/
