Cryptolocker virus poses new threat

An especially nefarious computer virus is making the rounds, and faculty, staff and students at Eastern are being cautioned to take extra care before opening links in email messages from unknown senders in order to avoid downloading it.

The virus is a form of “ransomware” called Cryptolocker. Unlike other viruses, which can be removed with cleanup software such as Malwarebytes, Cryptolocker’s damage cannot be undone once it locks up someone’s computer – unless the victim is willing to literally pay a ransom to the hackers who deployed it.

Cryptolocker works by encrypting files on an infected computer’s hard drive with strong encryption that cannot be broken in practice. This locks those files and renders them inaccessible while leaving the computer itself still functioning, said Information Technology Services Assistant Director of Information Security Mike Gioia. After doing so, the virus displays a message from the hackers demanding money, usually a few hundred dollars, within a three- or four-day window to have the encryption removed. If the money is not paid, the decryption key is destroyed, permanently locking the files. Thus, the virus is referred to as “ransomware.”

At Eastern, one computer was infected with the Cryptolocker virus during Fall Semester. Because it could not be unlocked, its hard drive had to be removed and replaced, and all files on it were rendered inaccessible. “They lost everything,” said Gioia.

Gioia said the Cryptolocker infection usually is disguised as a PDF attachment in an email message that purports to be sent from Fedex or UPS tracking a package shipment. If the link is clicked, the virus downloads from an executable file hidden in the PDF.

“It’s worse than the average virus because your data is pretty much lost,” said Gioia. “You can usually run Malwarebytes to clean up other viruses, but because this is encrypted, it’s either pay the money or rewrite the hard drive.”

Indeed, some victims have paid the ransom and had their files unlocked. “But then you’re giving your credit card number to hackers,” said Gioia.

“The likelihood of recovering files after (an infection) is pretty slim, unless you have a backup of them prior to the encryption,” said ITS Associate Director of User Services Dave Emmerich.

There are few ways of preventing Cryptolocker infections, said Emmerich.

“The current recommendation among many IT pros for preventing it is to utilize a software restriction policy via group policy,” Emmerich wrote in a recent email to ITS staff warning about the virus. “We have been testing the policy in ITS with no noticeable impacts for the past few weeks. The intent was to test here … and implement campuswide. However, a recent computer infection on campus has put us in a position where it would be best if we apply the policy to campus. If an application is impacted, the user will receive a popup window stating ‘Your system administrator has blocked this program. For more information, contact your system administrator.’”
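The software restriction policy Emmerich describes, shown here as an added PowerShell example that is not ITS’s own configuration: it writes equivalent local SRP path rules on a single machine, and the blocked locations (the per-user AppData and Temp folders, where Cryptolocker’s dropper executable ran) are an assumption, since the article does not list the paths the campus policy uses.

```powershell
# Added example, not Eastern ITS's actual policy. Creates local Software Restriction
# Policy (SRP) path rules that block .exe files launched from per-user AppData folders.
# The blocked paths are assumed; the article does not list them. A domain GPO writes the
# same values under HKLM\SOFTWARE\Policies. Run from an elevated prompt on a test machine.
$Base       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed = Join-Path $Base '0\Paths'   # security level 0 = Disallowed

# Policy-wide settings: everything else stays Unrestricted (0x40000), rules apply to all
# users, and enforcement covers all software files except libraries (DLLs).
New-Item -Path $Base -Force | Out-Null
Set-ItemProperty -Path $Base -Name 'DefaultLevel'       -Value 0x40000 -Type DWord
Set-ItemProperty -Path $Base -Name 'PolicyScope'        -Value 0       -Type DWord
Set-ItemProperty -Path $Base -Name 'TransparentEnabled' -Value 1       -Type DWord

# Assumed rule set: wildcard path rules for folders a mail-delivered dropper writes to.
$BlockedPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%UserProfile%\AppData\Local\Temp\*.exe'
)

function Add-SrpPathRule {
    param([string]$Path, [string]$Description)
    # Each SRP rule lives in its own {GUID} subkey under the Disallowed level.
    $RuleKey = Join-Path $Disallowed ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $RuleKey -Force | Out-Null
    Set-ItemProperty -Path $RuleKey -Name 'ItemData'    -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $RuleKey -Name 'SaferFlags'  -Value 0            -Type DWord
    Set-ItemProperty -Path $RuleKey -Name 'Description' -Value $Description -Type String
    return $RuleKey
}

foreach ($p in $BlockedPaths) {
    Add-SrpPathRule -Path $p -Description "Block ransomware droppers: $p" | Out-Null
}

# Show the rules now in place, then refresh policy. A user who trips one of them gets the
# "Your system administrator has blocked this program" dialog quoted above.
Get-ChildItem -Path $Disallowed |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath | Select-Object ItemData, Description }
gpupdate /force
```

Test the rule set against legitimate software first, as ITS did, since updaters such as some browsers and conferencing clients install into AppData and will be blocked by these same rules.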

Gioia said files on personal computers should always be backed up to prevent them from being lost, and that links and attachments in emails from unknown senders should never be opened.

But he cautioned that the Cryptolocker virus makes such precautions especially critical. “Back up your files and never open attachments from people you don’t know. This is basic security for email,” he said. “Know what you’re opening.”