Ransomware is not new, but in the past year it has entered an entirely new era with the advent of the CryptoLocker virus. Just in the last two days, in different parts of the country, two of our accounting software users have encountered this virus, and it has created havoc. Neither paid any ransom; both were able to thwart the virus by taking fast action. Nonetheless, it caused an interruption to these users' business, along with technical support expenses and considerable angst.
Once a system is infected, the virus spreads very quickly and easily reaches shared network drives. On one system it jumped to a server drive from a client PC that had only basic, non-administrative user rights, and in less than two hours it had copied its ransom notice files into every folder on that drive. So any PC (or other device) connected to your network server could spread it.
Additional morphs of CryptoLocker have also recently appeared.
Your anti-virus program may not be able to detect CryptoLocker or its morphs. Therefore, it is critical to focus on educating your end users NOT to click on links or open e-mail attachments from unknown, untrusted or suspicious sources; these can be disguised in any number of ways.
It is not clear whether the virus is able to encrypt files that are in active use, but it does not seem to discriminate in terms of which files it goes after. One user's first notification was when a simple JPEG file could not be loaded; it had essentially been corrupted by the virus.
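As an added example (not code from the original post), the following Python script checks a network share for the two symptoms described above: a ransom notice file that appears in nearly every folder, and an image file whose real header has been destroyed so it can no longer be loaded. The sample share layout and the note filename `HOW_TO_RECOVER.txt` are constructed assumptions for the demonstration; the actual note name varies by variant.

```python
import os
import tempfile
from collections import Counter

# Expected leading bytes for a few file types; an encrypted file keeps its
# name and extension but no longer starts with its real header.
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG", ".pdf": b"%PDF"}

def scan_share(root, note_ratio=0.8):
    """Return (likely ransom-note filenames, files whose header is wrong).

    A filename present in at least note_ratio of all folders under root
    is flagged as a probable ransom note ("a note in every folder").
    """
    dir_count = 0
    name_dirs = Counter()  # filename -> number of folders containing it
    mismatches = []
    for dirpath, _subdirs, files in os.walk(root):
        dir_count += 1
        for name in files:
            name_dirs[name] += 1
            ext = os.path.splitext(name)[1].lower()
            if ext in MAGIC:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    head = fh.read(len(MAGIC[ext]))
                if head != MAGIC[ext]:
                    mismatches.append(os.path.relpath(path, root))
    notes = [n for n, c in name_dirs.items()
             if dir_count > 1 and c >= note_ratio * dir_count]
    return sorted(notes), sorted(mismatches)

def build_sample_share():
    """Constructed sample tree imitating a share after an infection."""
    root = tempfile.mkdtemp(prefix="share_")
    for sub in ("", "accounting", "accounting/2013", "hr", "shared"):
        folder = os.path.join(root, sub)
        os.makedirs(folder, exist_ok=True)
        # Hypothetical note filename; the real name varies by variant.
        with open(os.path.join(folder, "HOW_TO_RECOVER.txt"), "wb") as fh:
            fh.write(b"Your files have been encrypted.\n")
    with open(os.path.join(root, "hr", "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # intact JPEG header
    with open(os.path.join(root, "shared", "logo.jpg"), "wb") as fh:
        fh.write(bytes(range(20)))  # header overwritten by encryption
    with open(os.path.join(root, "accounting", "notes.txt"), "wb") as fh:
        fh.write(b"an ordinary document\n")
    return root
```

Run `scan_share` against a real share root (read-only) as a periodic check; a non-empty result is a reason to disconnect the share and restore from the off-line backup rather than keep working.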
General background information about the CryptoLocker trojan can be found on Wikipedia.
A Virus Bulletin Ltd. blog mentions a recent tool that may be able to provide the decryption phrase in some circumstances as a result of a joint effort between FireEye and Fox-IT (the PDF maker). See:
Some further helpful technical details:
As is discussed in greater detail in a related blog, lack of end user awareness of potential serious infections as a result of careless e-mail use is a significant part of the problem. And hackers know this.
Recovery requires an off-line backup that was made before the infection. So, in addition to strongly reminding end users about e-mail and related dangers, revisiting your backup strategy is also in order.