A new ransomware called “Threat Finder” has been discovered by a security researcher at Rackspace. Threat Finder is feared to be a copy of CryptoLocker and can infect Windows PCs via multiple sources; the most common infection occurs when a user browses a compromised website.
The only way to save your data is to take timely backups and to take the usual steps to prevent ransomware from getting onto your computer.
So what is it?
It is known as CryptoLocker ransomware and comes in many different variants.
CryptoLocker is different from a virus: your computer and software keep on working, but your personal files, such as documents, spreadsheets and images, are encrypted.
The criminals retain the only copy of the decryption key on their server – it is not saved on your computer, so you cannot unlock your files without their assistance. They then give you a short time (e.g. 72 hours, or three days) to pay them for the key.
What CryptoLocker does
When the malware runs, it proceeds as follows:
CryptoLocker installs itself into your Documents and Settings folder, using a randomly-generated name, and adds itself to the list of programs in your registry that Windows loads automatically every time you log on.
It produces a lengthy list of random-looking server names in the domains .biz, .co.uk, .com, .info, .net, .org and .ru.
It tries to make a web connection to each of these server names in turn, trying one each second until it finds one that responds.
Once it has found a server that it can reach, it uploads a small file that you can think of as your “CryptoLocker ID.”
The server then generates a public-private key pair unique to your ID, and sends the public key part back to your computer.
The malware on your computer uses this public key to encrypt all the files it can find that match a largish list of extensions, covering file types such as images, documents and spreadsheets.
The malware then pops up a “pay page,” sometimes via a website, giving you a limited time, typically 72 hours, to buy back the private key for your data, typically for $300. (The price point is surprisingly similar to what it was back in 1989.)
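The server-name walk described above is the part of this sequence a defender can most easily spot: one host resolving a stream of random-looking names, one per second, across exactly the domains listed. As an added example (not code from the original article), the following Python flags such hosts in constructed DNS log lines; the log format, the 60-second window, the five-name threshold and the vowel-ratio heuristic are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# DNS query log lines, constructed for this example (not real captured data).
SAMPLE_LOG = """\
2013-10-21T09:00:01 10.0.0.5 lookup qwpxkvmzjtrh.biz NXDOMAIN
2013-10-21T09:00:02 10.0.0.5 lookup bnvtrqlsxmkd.co.uk NXDOMAIN
2013-10-21T09:00:03 10.0.0.5 lookup rmzxqtvlknpb.com NXDOMAIN
2013-10-21T09:00:04 10.0.0.5 lookup zkmrtpqlvnxw.info NXDOMAIN
2013-10-21T09:00:05 10.0.0.5 lookup vzktqrmlnpbx.net NXDOMAIN
2013-10-21T09:00:06 10.0.0.5 lookup pxmrvtzqlnkb.org NXDOMAIN
2013-10-21T09:00:07 10.0.0.5 lookup tqlrnxzmvbkp.ru NOERROR
2013-10-21T09:00:03 10.0.0.7 lookup www.example.com NOERROR
2013-10-21T09:00:09 10.0.0.7 lookup mail.example.org NOERROR
"""

TLDS = {"biz", "co.uk", "com", "info", "net", "org", "ru"}  # the domains the article names
LINE_RE = re.compile(r"^(\S+) (\S+) lookup (\S+) (\S+)$", re.MULTILINE)  # assumed log format

def split_domain(name):
    """Return (registered label, tld), treating .co.uk as one two-part suffix."""
    parts = name.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] == "co" and parts[-1] == "uk":
        return parts[-3], "co.uk"
    return parts[-2], parts[-1]

def looks_random(label):
    """Crude DGA-label heuristic (assumed thresholds): long, all letters, few vowels."""
    vowel_ratio = sum(label.count(v) for v in "aeiou") / max(len(label), 1)
    return len(label) >= 10 and label.isalpha() and vowel_ratio < 0.3

def flag_dga_hosts(log_text, window_seconds=60, min_hits=5):
    """Map client -> most distinct random-looking names queried inside one window."""
    hits = defaultdict(list)  # client -> [(timestamp, domain)]
    for m in LINE_RE.finditer(log_text):
        ts, client, name, _rcode = m.groups()
        label, tld = split_domain(name)
        if tld in TLDS and looks_random(label):
            hits[client].append((datetime.fromisoformat(ts), name))
    flagged = {}
    for client, events in hits.items():
        events.sort()  # oldest first, so each window starts at a real query
        best = max(len({d for t, d in events[i:] if (t - s).total_seconds() <= window_seconds})
                   for i, (s, _) in enumerate(events))
        if best >= min_hits:  # only report clients that crossed the threshold
            flagged[client] = best
    return flagged
```

On the sample above, `flag_dga_hosts(SAMPLE_LOG)` reports only the host walking the random names, while the host resolving ordinary names is left alone.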
Email attacks are fairly easy to avoid: take care with attachments you weren’t expecting, or from people you don’t know well.
Infection via a botnet is a little different, since the crooks are using the fact that you are already infected with malware as a way to infect you with yet more malware. (This is why your PC is being completely wiped.)
That’s because most bots, or zombies, once active on your computer, include a general purpose “upgrade” command that allows the crooks to update, replace, or add to the malware already on your PC.
Take this story as a warning, and don’t forget that there are many other ways you could lose your files forever.
The endgame is the same in all cases: if you have a reliable and recent backup, you’ll have a good chance of recovering without too much trouble.
Prevention, in this case, is significantly better than cure:
- Stay patched. Keep your operating system and software up to date.
- Make sure your anti-virus is active and up to date.
- Avoid opening attachments you weren’t expecting, or from people you don’t know well.
- Make regular backups, and store them somewhere safe, preferably offline.
Don’t forget that services that automatically synchronize your data changes with other servers, for example in the cloud, don’t count as backup.
They may be extremely useful, but they tend to propagate errors rather than to defend against them.
To the synchronizer, a document on your local drive that has just been scrambled by CryptoLocker is the most recent version, and that’s that.