John Shipp - CryptoLocker Virus

I hate to start a panic, but … um .. PANIC NOW!!!

UPDATE 6/2016 - There is a website you can upload your encrypted files to, and it will attempt to identify which ransomware you have, and let you know if there is a known way to decrypt all your files for free.
(Ransomware Identifier)

UPDATE 11/2015 - I found a way to totally prevent this virus and all its variants.
(Read my SRP article)

On Oct 30, 2013, I saw the worst computer virus in my career. This is a whole new level of bad. This virus has the ability to cause unprecedented damage. If you get it, you might lose ALL your important data, and I might not be able to recover it!

The virus came via email from [email protected] with the subject “past due invoice”. (this doesn't mean it will come in like this in the future.) When the victim opened the attached "invoice", the virus encrypted (scrambled) all the data on the victim’s computer, as well as data on the local file server the victim’s computer was connected to. The virus then demanded $300 to have the data unencrypted. It was impossible to unencrypt the data without paying the $300 ransom, because the virus used 2048-bit RSA encryption, which is the same technology that protects you from hackers when you log into a secure website, like your bank. I could have cleaned the virus very easy, but we still would have had the problem of the data being encrypted. After a lot of consideration, the victim decided the data was worth $300, so we paid them, as bad as we hated to. After about a day of nervous waiting, the victim's computer automatically decrypted the files, and removed the virus.

This virus is called CryptoLocker.
Of course this is highly illegal, so sometimes the FBI will raid the bad guys, and confiscate their servers that hold the decryption keys. This is actually very bad for the victims because it makes it impossible for the data to ever be recovered!

If you think you are safe because you do backups, you might have to think again.
In a lot of cases, the virus will encrypt the backup also, making it useless. A backup will only help you if it was stored in a place the virus didn’t have access to, and created before the virus encrypted the files . Even if your backup does work, you still lose any data that was modified since the last backup. If you get infected at 5pm, and your backups run at midnight, you lose that whole day of work!

Backups that are NOT useful against this virus:

Any USB drive that stays plugged in all the time
Robocopy (Automatic folder mirroring to another drive letter or computer on your network)
RAID (2 hard drives in a computer)

Backups that ARE useful against this virus:

CrashPlan / Mozy / Carbonite (crashplan is my new favorite)
Removable USB drives that you manually remove from the computer after you perform the backup
Shadow Copies

Shadow Copies? What's that?
Win7 and Win8 create automatic snapshots of your data every week or so. These snapshots are called shadow copies. Some computers seem to make shadow copies more frequently than others. Some computers only make 1 shadow copy a month. Some don’t make any.

- Win XP (Home and Pro) - doesn't have shadow copy.

- Win 7 PRO - makes shadow copies automatically, and allows you to access them by clicking START, click COMPUTER, right click your C drive, Click PROPERTIES, Click PREVIOUS VERSIONS.

- Win 7 Home - You should be able to access Win7 shadow copies by using one of these programs
(http://www.shadowexplorer.com/downloads.html)
(http://www.nirsoft.net/utils/shadow_copy_view.html)

- Win 8 - You should be able to access Win8 shadow copies by using this program (http://www.shadowexplorer.com/downloads.html)

If you do not use UAC properly, the virus WILL delete all the shadow copies too. Using UAC properly will successfully prevent the virus from deleting the shadow copies, but you still lose any data that was modified since the last shadow copy.

Using UAC in Windows 7 like I recommend in my basic UAC article will give you PARTIAL protection, when combined with a useful backup.

Using SRP will give you full protection!

Using UAC like I recommend in my advanced UAC article will also give you FULL protection but it's not as convenient as using SRP.

Also, if the amount of data encrypted exceeds the amount allocated for shadow copies, windows WILL delete all the shadow copies! For example, if you have 5GB of pictures on a 80GB hard drive, and shadow copies are set to 5%, you are going to lose all your shadow copies if you get this virus.

If you are running Win7, you should check to see what percent your computer has allocated for shadow copies, click START, right click COMPUTER, click PROPERTIES, click SYSTEM PROTECTION, click your C drive, click CONFIGURE.

I like to set it to 20%.

Shadow copies are awesome because this is the only way that a lot of people have to get their data back without paying, but you shouldn't trust your data to it completely since it can let you down in certain situations.

FOR ADVANCED USERS trying to restore from shadow copy:
These are the steps I have found works best for restoring from a shadow copy. If the virus was allowed UAC, this will NOT work!

Log out and log in as ADMIN
Rename the infected users profile folder (c:\users\jshipp) to something like c:\users\jshipp-infected
COPY the last pre-infected shadow copy of the jshipp folder back to c:\users. Do not try to click the RESTORE button on the shadow copy screen, it doesn't work for some reason. Do not try to restore more bytes than the shadow copy system is set to hold, this will result in all shadow copies being deleted before you get your data back.
Adjust the NTFS permissions on the restored folder. It shouldn't inherit permissions from c:\users and it shouldn't allow read access by everyone and it should allow read/write by the relevant user (jshipp in my example)