Frequently Asked Questions




11. What is ransomware and CryptoLocker?

See also: Help me I get so much spam! What can I do?
See also: My computer has got a virus! What do I do?
See also: How to use the IBM Spectrum Protect (Tivoli Storage Manager aka TSM)
See also: How do I use an Apple AirPort Time Capsule?
CryptoLocker is a ransomware trojan that targets computers running Microsoft Windows.
- Wikipedia on CryptoLocker

CryptoLocker and TorrentLocker infect computers running Windows via seemingly innocent emails with links or attachments. Other ransomware families that attack Macs have also appeared.

Read more about ransomware, TorrentLocker and CryptoLocker on Wikipedia.

To be infected, the receiver has in most cases actively tried to open and execute the payload. The payload may be disguised as a Word document, a script or something else that gives the impression of being innocent. Do not open files or attachments you have not requested!

This (the example above in Microsoft Word) is not safe! Please be careful with Office files that require you to Enable Content. Enabling content makes it possible for evil macros to execute in Office, which can allow the attacker to take control of your computer.

This (the example above from Windows File Explorer) is an example of an opened .zip file. A .zip file is in itself not dangerous; it is just a way of storing one or more files in one compressed file. But it may be a way to bypass other simple security checks: for example, the anti-virus software may warn when an .exe file is downloaded but not when a .zip file containing it is downloaded.

This (the icon above) is an example of how a .js file looks in File Explorer. Such a file runs with the Windows Script Host (wscript/cscript) and may download further, potentially evil binaries. Windows Script Host also runs .jse and .wsf files. Also note that a long file name like faktura.pdf.js may have its real extension hidden in File Explorer and show up as faktura.pdf, which is misleading: the real file name extension (.js) is hidden.
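The three warning signs above (an Office file that asks to Enable Content, a .zip wrapper around a script, and a decoy double extension such as faktura.pdf.js) can all be checked mechanically before anyone double-clicks. The following Python script is an added example for helpdesk-style triage of a mail attachment; it is not code from BMC-IT or from any product named on the page. It lists zip members without extracting them, flags Windows Script Host and executable extensions, reports what File Explorer would display with extensions hidden, and detects a VBA project inside an OOXML document. The extension lists beyond .js, .jse, .wsf and .exe, and the sample attachments, are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that Windows runs directly or hands to the Windows Script Host
# (wscript/cscript). The page names .js, .jse, .wsf and .exe; the others are
# assumptions added for illustration.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".exe", ".vbs", ".vbe", ".scr",
                     ".bat", ".cmd", ".hta", ".ps1"}

# Harmless-looking extensions placed in front of the real one so the name reads
# as a document once File Explorer hides the final extension (assumed list).
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}

# Office containers whose macro-enabled variants produce the "Enable Content" bar.
OFFICE_EXTENSIONS = {".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx",
                     ".ppt", ".pptm", ".pptx"}


def classify_name(name):
    """Findings for a bare file name: script extension, and a decoy double extension."""
    findings = []
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        return findings
    final = suffixes[-1]
    if final in SCRIPT_EXTENSIONS:
        findings.append("executable or script extension " + final)
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS:
            shown = name[:-len(final)]  # what Explorer shows with extensions hidden
            findings.append("double extension: displayed as '%s' when extensions are hidden" % shown)
    return findings


def has_vba_project(data):
    """OOXML documents are zip containers; macro-enabled ones carry a vbaProject.bin part.
    Legacy OLE2 .doc/.xls files are not zips and are reported as False here."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(PurePosixPath(n).name.lower() == "vbaproject.bin"
                       for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(name, data):
    """Combine the checks: name heuristics, zip members (listed without extracting),
    and macro presence for Office files. Returns a list of human-readable findings."""
    findings = classify_name(name)
    ext = PurePosixPath(name).suffix.lower()
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    for f in classify_name(PurePosixPath(member).name):
                        findings.append("inside zip, %s: %s" % (member, f))
        except zipfile.BadZipFile:
            findings.append("attachment named .zip is not a valid zip archive")
    elif ext in OFFICE_EXTENSIONS and has_vba_project(data):
        findings.append("Office document contains a VBA project (will ask to Enable Content)")
    return findings


def build_zip(members):
    """Helper to construct sample archives in memory (test data, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed samples: a zip hiding a decoy-named script, a macro-enabled and a
# plain OOXML document. The payloads are placeholder bytes, not real content.
SAMPLE_ZIP = build_zip({"faktura.pdf.js": b"// placeholder, not a script"})
SAMPLE_DOCM = build_zip({"[Content_Types].xml": b"<Types/>",
                         "word/document.xml": b"<w:document/>",
                         "word/vbaProject.bin": b"placeholder"})
SAMPLE_DOCX = build_zip({"[Content_Types].xml": b"<Types/>",
                         "word/document.xml": b"<w:document/>"})

if __name__ == "__main__":
    for attachment_name, blob in [("faktura.zip", SAMPLE_ZIP),
                                  ("invoice.docm", SAMPLE_DOCM),
                                  ("invoice.docx", SAMPLE_DOCX),
                                  ("faktura.pdf.js", b"")]:
        print(attachment_name, "->", triage_attachment(attachment_name, blob) or ["no findings"])
```

The double-extension check deliberately reports the name as Explorer would display it, which is the version a user sees when deciding whether to open the file. The macro check only covers OOXML containers; a legacy binary .doc would need a separate OLE2 parser.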

Even though the ransomware itself can easily be removed, the files stay encrypted, and the attackers demand a ransom to be paid in return for the decryption key.

How to not get infected

  • Do not execute programs or even open attachments that random people have sent you.
  • Please don't do it.
  • If you have any suspicions regarding something you received via mail, contact helpdesk@bmc.uu.se (BMC-IT).
  • Please forward the evil mail to no-spam@uu.se. Then the Uppsala University Security Division can adjust the rules for the mail filter and network firewall.

What to do if infected

  1. Turn the computer off.
  2. Contact your local IT (helpdesk@bmc.uu.se) for help.
  3. Forward the evil mail to no-spam@uu.se so that the Uppsala University Security Division may adjust mail filter and network firewall rules.
  4. Change your passwords at the university. Change all passwords for all sites that you have automatically saved in your browser.
  5. In general, reinstall the computer and restore data from backups or snapshots.

Lessons to be learned from CryptoLocker

  • Use a file server with snapshots for storing data you do not want to lose. For example, the central university HNAS file server stores snapshots for up to a month by default.
  • Nothing stored locally on the computer that runs in the same security context as the user is safe.
    • This means that local previous versions / snapshots are not safe if the user can turn them off. But having them is better than not.
    • This also means that backups like Time Machine, Cobian or similar, where the system stores a copy of the files in another storage location, are not safe unless the backup storage is snapshotted outside of the user's security context.
    • If you store extra backups of your files on external USB-attached storage, do not keep it plugged in all the time. Keep a couple of them in rotation so that you can go back to an older version.
  • Backups already taken should not be allowed to be overwritten from the client. This can be accomplished by, for example, using snapshots on the backup storage, as on a file server.
  • Even more advanced backup systems like TSM may not be safe, since TSM only stores a limited number of versions of each file. If the ransomware encrypts the files and then makes a small update to each file every day, then after that number of days has passed, all old uncorrupted versions will be gone.
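
The last two points, that the client must not be able to overwrite old backups and that a fixed version count can be exhausted by daily changes, are easy to see in a small simulation. The Python below is an added illustration, not BMC-IT's code and not a model of any real TSM or HNAS configuration: it contrasts a client-driven store that keeps at most N versions per file with a server-side snapshot store that expires snapshots only by age. The file name, contents, version limit and retention period are constructed values.

```python
"""Simplified model of two backup designs against a ransomware that encrypts a
file once and then touches it a little every day."""


class VersionedBackup:
    """Client-driven backup that keeps at most max_versions versions per file
    (a simplification of a per-file version limit). Each changed copy the client
    sends pushes out the oldest version."""

    def __init__(self, max_versions):
        self.max_versions = max_versions
        self.versions = {}  # path -> list of contents, oldest first

    def backup(self, path, content):
        history = self.versions.setdefault(path, [])
        if not history or history[-1] != content:
            history.append(content)
            if len(history) > self.max_versions:
                history.pop(0)  # oldest version is gone for good

    def has_clean_version(self, path, is_clean):
        return any(is_clean(c) for c in self.versions.get(path, []))


class SnapshotStore:
    """File-server snapshots taken by the server on a schedule and kept for
    retention_days. The client cannot delete or overwrite them; they only
    expire by age."""

    def __init__(self, retention_days):
        self.retention_days = retention_days
        self.snapshots = []  # list of (day, {path: content})

    def take_snapshot(self, day, files):
        self.snapshots.append((day, dict(files)))
        self.snapshots = [(d, s) for d, s in self.snapshots
                          if day - d < self.retention_days]

    def has_clean_version(self, path, is_clean):
        return any(is_clean(s.get(path)) for _, s in self.snapshots)


def simulate(days, max_versions=5, retention_days=30):
    """Run the scenario for `days` days. Ransomware encrypts the file on day 1
    and modifies it slightly every day after. Returns the first day on which
    each store no longer holds a clean copy (None if it always does)."""
    path = "contract.docx"
    clean = b"clean contract text"  # constructed sample content

    def is_clean(content):
        return content == clean

    versioned = VersionedBackup(max_versions)
    snapshots = SnapshotStore(retention_days)
    live = {path: clean}
    lost_versioned = lost_snapshot = None
    for day in range(days + 1):
        if day == 1:
            live[path] = b"ENCRYPTED:" + bytes(len(clean))  # stand-in for ciphertext
        elif day > 1:
            live[path] = live[path] + b"."  # small daily change -> new version backed up
        versioned.backup(path, live[path])
        snapshots.take_snapshot(day, live)
        if lost_versioned is None and not versioned.has_clean_version(path, is_clean):
            lost_versioned = day
        if lost_snapshot is None and not snapshots.has_clean_version(path, is_clean):
            lost_snapshot = day
    return lost_versioned, lost_snapshot


if __name__ == "__main__":
    v, s = simulate(40)
    print("versioned backup (5 versions): clean copy gone on day", v)
    print("snapshots (30-day retention): clean copy gone on day", s)
```

With five versions per file the clean copy is pushed out on day 5, while the snapshot store keeps it until the 30-day retention expires; in both cases the clock starts at infection, so the practical defence is noticing the encryption before the oldest clean copy ages out.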

Also read more

Read more from Europol's European Cybercrime Centre and its partners at the No More Ransom! website.

The Uppsala University Security Division offers courses in basic information security (in Swedish). Each chapter takes only 2-4 minutes; there are 16 chapters in total.


This entry cryptolocker was last modified 2018-03-23


This documentation is covered by GNU Free Documentation License.