If you suddenly receive a CryptoLocker warning on your screen, DO NOT EXECUTE ANY NEW PROGRAMS BECAUSE THIS TRIGGERS CRYPTOLOCKER TO ERASE THE LOCAL SYSTEM RESTORE FILES.

Since one of our users was recently hit with the CryptoLocker Trojan and lost files in the process, the following background and tips are provided to minimize the damage if you become the next victim.

CryptoLocker is ransomware that was first discovered in September 2013. The Trojan is normally delivered to the target system as an email attachment, which infects the system when opened. Once a system is infected, CryptoLocker scans the system and its network shares for a number of file types, including .doc, .xls, .ppt, .pdf, .bmp, .jpg, and dozens of others. When it finds a target file, it encrypts the file, making it unusable to the user. It repeats this process until it has encrypted as many files as it can find. Only then does it display a warning on the screen stating "Your personal files are encrypted!" The author of this malware attempts to extort anywhere from $100 to $500 from the user in exchange for the decryption key needed to regain access to their own files. Usually you have less than 72 hours to comply before your files become inaccessible.

There are ways to remove CryptoLocker from an infected system, but the remediation is time-intensive, and any encrypted file for which no external backup copy exists is permanently lost.

There are no symptoms of infection until the damage has been done. When the target system is infected, CryptoLocker first scans the system for any system restore files that could be used to recover from the damage it inflicts, and deletes them. It then creates Windows registry key entries that force CryptoLocker to launch every time the system is started. Task Manager cannot be used to terminate the running CryptoLocker processes unless they are ended in the correct order.

  • Network users supported by a local server such as Small Business Server 2008, with folder redirection in place, are generally protected from CryptoLocker encryption because the files actually reside on the server and are synchronized with copies on the local system. Users should therefore keep any files they really care about somewhere under the My Documents path so that they are covered.
  • Non-network users without a server must rely on external backups, whether local or in the cloud, to recover from any encryption performed by CryptoLocker.

If you suddenly receive a CryptoLocker warning on your screen, DO NOT EXECUTE ANY NEW PROGRAMS BECAUSE THIS TRIGGERS CRYPTOLOCKER TO ERASE THE LOCAL SYSTEM RESTORE FILES. [20140429]