Virus Info Part 1: What is CryptoLocker (CryptoDefense, CryptorBit)?

CryptoLocker Encryption Virus Pop-Up

CryptoLocker, CryptoDefense, and CryptorBit are nasty members of the ransomware family of viruses that use encryption to lock their victims out of their own pictures, documents, and other files.

They are spread primarily through fake customer-service-themed emails purporting to come from businesses such as USPS, FedEx, UPS, prominent banks, antivirus manufacturers, and others. Those emails currently carry a .zip file attachment that contains the actual virus.

Two zip deployment methods are used, depending on which version of the virus you have: the most common is a regular zip file, the other a self-extracting zip file. With the regular zip version, once the user unzips the attachment, they see what appear to be PDF documents inside. These are NOT real PDFs; they are in fact executable (program) files. Because Windows typically hides file extensions (.zip, .pdf, .exe, .doc, .jpg, etc.), it was a simple matter for the virus creator to package these executable files with the same icon as actual PDF files.

The self-extracting version extracts its contents to predefined locations on your computer, such as the desktop. Typically it still drops executable files that look like PDFs; however, in at least one reported instance it placed the program file on the user's desktop with the Mozilla Firefox icon. Since we have all become accustomed to seeing shortcuts to third-party browsers (Google Chrome, Mozilla Firefox, Safari, and Opera) magically appearing on our desktops after software updates for common programs, the virus distributor counts on the user clicking that icon to browse the internet, thinking it is a legitimate browser.
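A defender-side check for the regular-zip delivery described above, added here as an example and not part of the original post: it inspects an archive's entries and flags names that carry a hidden second extension (so "invoice.pdf.exe" shows as "invoice.pdf") or document names whose leading bytes are a Windows executable header. The archive it scans is constructed in the code with placeholder bytes, and the extension and signature lists are assumptions, not taken from the post.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows launches as programs; with "hide extensions" on, the last
# one is not shown, so "invoice.pdf.exe" is displayed as "invoice.pdf".
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".jpg", ".xls", ".xlsx"}
# Leading-byte signatures used to find out what an entry really is.
MAGIC = {b"MZ": "pe-executable", b"%PDF": "pdf", b"\xff\xd8\xff": "jpeg"}

def sniff(head):
    """Classify content by its first bytes; 'unknown' if no signature matches."""
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return "unknown"

def scan_zip(zip_bytes):
    """Return (name, real_type, reasons) for each suspicious archive entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            last = suffixes[-1] if suffixes else ""
            shown = info.filename[:-len(last)] if last else info.filename
            with zf.open(info) as fh:
                kind = sniff(fh.read(8))
            reasons = []
            # A document extension hidden in front of an executable one.
            if last in EXECUTABLE_EXTS and len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTS:
                reasons.append("double extension: displays as %r" % shown)
            # Named like a document, but the bytes are a Windows program.
            if last in DOCUMENT_EXTS and kind == "pe-executable":
                reasons.append("claims %s but contains a PE executable" % last)
            if reasons:
                findings.append((info.filename, kind, reasons))
    return findings

def build_sample_zip():
    """Constructed sample archive (placeholder bytes, not a real malware sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.pdf", b"%PDF-1.4 placeholder")    # benign-looking PDF
        zf.writestr("invoice.pdf.exe", b"MZ placeholder bytes")  # hidden double extension
        zf.writestr("tracking.pdf", b"MZ placeholder bytes")     # PDF name, program bytes
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip())` reports the two disguised entries and leaves the genuine-looking PDF alone; pointing `scan_zip` at the bytes of a real attachment works the same way.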

Once the virus is activated by clicking one of these fake PDFs, it looks for files with document and image extensions (such as .doc, .jpg, etc.; a full list of the extensions currently affected is included at the end), encrypts them, generates a pop-up message demanding that you pay a ransom to obtain the key needed to decrypt the files, and starts a 72-96 hour countdown timer. The cost of this key is currently either $300 or $500 initially, and in newer versions of the virus that price doubles, triples, quadruples, etc. at set intervals. The message indicates that once the timer expires the key will be deleted, and from all reports that threat is genuine: once the timer expires, your files are permanently inaccessible.

Most versions of the virus request payment in Bitcoin; however, some recent variants have added MoneyPak as an alternate payment method. If you decide to pay the ransom, the Bitcoin variant requires that you first go to a darknet site and convert US currency into Bitcoin, submit your payment, and then download the decryptor program from an equally sketchy darknet site. It does let you test the decryption on a single file before paying.

Currently, the virus is known to encrypt all of the following file types:
.3fr, .accdb, .ai, .arw, .bay, .cdr, .cer, .crt, .crw, .cr2, .dbf, .dcr, .der, .dng, .doc, .docx, .docm, .dwg, .dxf, .dxg, .eps, .erf, img_.jpg, .indd, .jpg, .jpe, .kdc, .mdb, .mdf, .mef, .mrw, .nef, .nrw, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pdf, .pef, .pem, .pfx, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .raf, .raw, .rtf, .rw2, .rwl, .sr2, .srf, .srw, .wb2, .wpd, .wps, .x3f, .xlk, .xls, .xlsb, .xlsm, and .xlsx
However, as viruses are constantly being re-engineered and evolving, that list is of course subject to change.

If you think you may have been infected, or you see the encryption pop-up timer, call Home PC Patrol (or another IT specialist if you prefer) immediately. Do not try to open a file to see whether it is really encrypted, as this will remove any chance that we can restore an unencrypted version from system archives. Do not try to run your antivirus program, and do not try to open a web page. The less you do, the better our chances of successfully restoring your information, though even then the overall chance is minimal at best.