How to Avoid Falling Victim to the CryptoLocker Trojan
CryptoLocker encrypts users’ files, blocks access to them and then demands a ransom, with a 72-hour deadline for payment. The ransom note warns that if payment is not received within that time, the private key needed for decryption will be destroyed, leaving the files unrecoverable.
CryptoLocker relies on social engineering to get the user to run it. The victim receives an email, purportedly from a logistics company, with a password-protected ZIP file attached and the password quoted in the message body. Nothing happens until the user extracts the archive with that password and opens the file inside it.
Inside the ZIP file is an executable dressed up as a PDF (a PDF icon and a document-like name whose real extension Windows hides by default). As soon as that file is executed, the Trojan becomes resident in memory and performs the following actions:
1. It saves a copy of itself to a folder on the user’s hard drive
2. It adds a registry key that ensures it is executed each time the computer boots
3. It spawns a second copy of itself as a watchdog, so that terminating the main process does not stop the malware
The malware then encrypts files matching its list of targeted types (documents, spreadsheets, images and other non-executable data) on the local drives and on every network drive the computer has mapped. Once every file that meets those conditions has been encrypted, it displays a message demanding the ransom payment.
Although the CryptoLocker executable itself is easy to remove, removing it does not recover the files: they are encrypted with strong public-key cryptography, and the private key never leaves the attackers’ servers, so decrypting them without it is computationally infeasible. Some victims have reported that paying the ransom still did not result in their files being decrypted.
The success and notoriety of CryptoLocker have spawned several copycat ransomware Trojans, including CryptoWall and TorrentLocker.
To avoid exposure to these Trojans, the following precautions are recommended:
1. Never open attachments in emails from senders you don’t recognise, and treat unexpected attachments from senders you do recognise with the same suspicion, since the From address is trivially forged.
2. Configure Windows to show file extensions. By default Explorer hides the extension of known file types, so an attachment named invoice.pdf.exe is displayed as invoice.pdf; with extensions visible, the .exe is in plain sight.
3. Use anti-virus, anti-malware and anti-spam protection, and keep them updated.
4. Always maintain a regular backup of your critical data, and keep at least one copy offline or otherwise disconnected: CryptoLocker encrypts every mapped network drive it can reach, so a backup on a permanently connected share is just another target.
5. If you do become infected, don’t pay the ransom: it only encourages further attacks, and payment does not guarantee decryption.
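As an added example that is not part of the original article, the following Python script performs the check that precautions 1 and 2 ask the user to make by eye: it opens an email's ZIP attachment and flags members that are executables disguised as documents, by final extension, by double extension of the invoice.pdf.exe kind, and by content (the MZ header every Windows executable starts with). It also shows the name Explorer would display with extensions hidden. The archive, its file names and the PE stub are constructed inline for illustration and are not real samples. The `pwd` parameter is the archive password that the CryptoLocker lure quoted in the email body; the standard library can read a ZipCrypto-protected archive given that password but cannot write one, so the constructed sample is unencrypted.

```python
"""Inspect an email ZIP attachment for executables disguised as documents.

Added example, not code from the original article: a mail-gateway style
check mirroring the CryptoLocker lure (a ZIP containing a fake 'PDF').
The sample archive below is constructed here and is not a real sample.
"""
from __future__ import annotations

import io
import zipfile

# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document types the lure pretends to be.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def explorer_display_name(name: str) -> str:
    """Name as Explorer shows it with 'Hide extensions for known file
    types' enabled (the Windows default): the final extension is dropped."""
    base, dot, _ext = name.rpartition(".")
    return base if dot else name


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a ZIP member looks like a disguised executable
    (empty list if it looks harmless). `head` is the first few bytes."""
    reasons: list[str] = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    final_ext = "." + parts[-1] if len(parts) > 1 else ""
    if final_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {final_ext}")
        # Double extension such as invoice.pdf.exe: the penultimate part is
        # the document type the victim expects to see once .exe is hidden.
        if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
            reasons.append(
                f"double extension, displayed as {explorer_display_name(name)!r}"
            )
    # A Windows PE file begins with the 'MZ' DOS header whatever it is named.
    if head[:2] == b"MZ":
        reasons.append("content is a Windows PE executable (MZ header)")
    return reasons


def suspicious_members(zip_bytes: bytes, pwd: bytes | None = None) -> dict[str, list[str]]:
    """Map each suspicious member name to the reasons it was flagged.
    `pwd` is the ZipCrypto password, if the archive is password-protected."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info, pwd=pwd) as fh:
                head = fh.read(4)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample: a benign text file plus a fake 'PDF' whose
    content is a PE stub (just the MZ header and padding, not real code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", "Your shipment details are attached.\n")
        zf.writestr("Shipping_Invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in suspicious_members(build_sample_attachment()).items():
        print(f"{member!r} (shown in Explorer as {explorer_display_name(member)!r}):")
        for reason in why:
            print("  -", reason)
```

The content check matters more than the name checks: renaming the file or using a less obvious extension defeats the extension tests, but a PE file has to keep its MZ header to run.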