Ransomware is the reason why people should stop using XP (and other vulnerable operating systems) and must have antivirus/antimalware/firewall on their system. :thumb:
A Trojan by the name CryptoLocker has attacked quite a few computers in India.
The Trojan locks the desktop, encrypts files, then displays a ransom demand.
FURTHER DETAILS -
Discovered: September 11, 2013
Updated: November 4, 2013 4:55:18 PM
Also Known As: Trojan.Gpcoder.H [Symantec], CryptLocker.B [Norman], Trojan:Win32/Crilock.A [Microsoft], TROJ_CRILOCK.NS [Trend]
Type: Trojan
Infection Length: 346,112 bytes
Systems Affected: Windows 2000, Windows 7, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
The ransom demand may include the following message:
The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files. To obtain the private key for this computer, which will automatically decrypt files, you need to pay.
The victim is normally given 72 hours to pay. It has demanded US$300 from victims.
When the Trojan is executed, it creates the following file:
%AppData%\[GUID].exe
The Trojan then encrypts documents on the infected computer and on any connected shares or drives.
You need to know the following to protect yourself:
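As an added example (not part of the original post), here is a small Python check a defender can run over a file listing to spot the dropper location described above: a GUID-named .exe sitting directly in the %AppData% folder. The folder names "Application Data" (Windows 2000/XP, the Documents and Settings layout) and "Roaming" (Vista and later) and the acceptance of both braced and unbraced GUID spellings are assumptions made here; the sample listing is constructed.

```python
import ntpath
import os
import re
from typing import Iterable, List

# A GUID-named executable such as {D5E3F1A2-7B8C-4D9E-A0F1-23456789ABCD}.exe.
# The post reports the dropped file as %AppData%\[GUID].exe; accepting both
# braced and unbraced GUID spellings is an assumption made in this example.
GUID_EXE_RE = re.compile(
    r"^\{?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-"
    r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}?\.exe$"
)

# Directory names that %AppData% resolves to (assumed mapping):
# "Application Data" on Windows 2000/XP, "Roaming" under AppData on Vista+.
APPDATA_DIR_NAMES = {"application data", "roaming"}


def is_guid_exe_in_appdata(path: str) -> bool:
    """True if `path` is a GUID-named .exe whose parent is an %AppData% folder."""
    parent, name = ntpath.split(path)  # ntpath handles both \ and / separators
    if not GUID_EXE_RE.match(name):
        return False
    return ntpath.basename(parent).lower() in APPDATA_DIR_NAMES


def find_suspicious_droppers(paths: Iterable[str]) -> List[str]:
    """Filter a list of Windows paths down to those matching the dropper pattern."""
    return [p for p in paths if is_guid_exe_in_appdata(p)]


def scan_profile_dir(root: str) -> List[str]:
    """Walk a real directory tree (e.g. C:\\Users) and apply the same check."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_guid_exe_in_appdata(full):
                hits.append(full)
    return hits


# Constructed sample listing: two hits, three benign paths (a GUID-named
# installer under Program Files is common and should NOT be flagged).
SAMPLE_LISTING = [
    r"C:\Documents and Settings\alice\Application Data\{D5E3F1A2-7B8C-4D9E-A0F1-23456789ABCD}.exe",
    r"C:\Users\bob\AppData\Roaming\0F1E2D3C-4B5A-6978-8A9B-C0D1E2F3A4B5.exe",
    r"C:\Users\bob\AppData\Roaming\Microsoft\Word\normal.dotm",
    r"C:\Program Files\Vendor\{D5E3F1A2-7B8C-4D9E-A0F1-23456789ABCD}.exe",
    r"C:\Users\bob\AppData\Roaming\update.exe",
]

if __name__ == "__main__":
    for hit in find_suspicious_droppers(SAMPLE_LISTING):
        print("suspicious:", hit)
```

A hit from this check is a reason to isolate the machine and pull backups offline, not proof of infection on its own; confirm with your anti-virus vendor's detection names listed above.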
The Trojan locks the desktop, encrypts files, then displays a ransom demand
After the initial infection, file encryption on the infected machine starts after a few hours, so quick detection helps prevent the damage.
Encryption uses a PKI mechanism: files are encrypted with a public key, while the criminals hold the private key on a secret server on the Internet.
You cannot decrypt your files without the private key.
The Trojan can be removed by accessing the registry, but removing it does not decrypt the files already encrypted; it only limits further damage. The Trojan sits in the Application Data folder under the Documents and Settings folder, with a long name ending in .exe.
This Trojan arrives either as an email attachment or through a phishing site. So do not open any attachment (especially, but not limited to, .vbs, .bat, .exe, .pif and .scr files) unless you are sure it came from a trusted source. Do not get lured or conned by phishing mail.
If you run an email server, configure it to block or remove email that contains file attachments commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
Keep security patches up to date, and use credible anti-virus with the latest signatures and anti-spam filters. Do not open any link in an untrusted email.
User awareness is essential; hence this information.
Once a computer is infected, this Trojan connects to specific domains or contacts its C&C server.
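Added example (my own code, not from the original post or any mail server product): a Python filter that parses a raw MIME message with the standard `email` module and lists attachments whose extension is on the block list above. It goes slightly beyond the post in that it compares extensions case-insensitively and catches double extensions such as `invoice.pdf.exe`, since only the last extension decides what Windows runs. The sample message is constructed inline.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from typing import List

# Extensions the post recommends blocking at the mail server.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def is_blocked_filename(name: str) -> bool:
    """Decide on the LAST extension, case-insensitively.

    Windows ignores trailing spaces and dots in a file name, so they are
    stripped before the extension is taken; 'invoice.pdf.exe' still ends
    in '.exe' and is blocked.
    """
    cleaned = name.strip().rstrip(" .")
    _stem, ext = os.path.splitext(cleaned)
    return ext.lower() in BLOCKED_EXTENSIONS


def attachment_filenames(raw: bytes) -> List[str]:
    """Return the file names of all attachment parts in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def blocked_attachments(raw: bytes) -> List[str]:
    """File names in the message that a server-side rule should reject or strip."""
    return [n for n in attachment_filenames(raw) if is_blocked_filename(n)]


def build_sample_message() -> bytes:
    """Constructed test message: one benign PDF and two blocked attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    # Double extension: shows as a PDF to a careless eye, runs as an .exe.
    msg.add_attachment(b"MZ\x90\x00placeholder", maintype="application",
                       subtype="octet-stream", filename="Invoice_2013.pdf.exe")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    # Upper-case extension must still be caught.
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="Setup.SCR")
    return msg.as_bytes()


if __name__ == "__main__":
    for name in blocked_attachments(build_sample_message()):
        print("blocked attachment:", name)
```

Extension filtering is a cheap first line; it does not inspect file content, so pair it with anti-virus scanning of attachments and with blocking of archives that carry executables.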
You must back-up your data and files regularly.
You must have a working backup policy and plan: daily, weekly or fortnightly, depending on how critical your data is and how often it is added to or modified. Do not take backups on the same computer. Your backed-up data should be on removable media; files on that removable media will not be encrypted if it is not connected to the computer. This is your insurance. You can restore these files after cleaning the Trojan.
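A backup is only insurance if you know it is intact before you restore from it. As an added example (not from the original post), here is a Python script that records a SHA-256 manifest when the backup is taken and later re-checks the removable media against it, reporting files that are missing or whose contents changed (an encrypted copy no longer matches its recorded digest). The demo scenario, including the simulated damage, is constructed in a temporary directory.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file's path relative to `root` (forward slashes) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def save_manifest(path: str, manifest: Dict[str, str]) -> None:
    """Store the manifest separately from the backup (e.g. printed or on a second medium)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path: str) -> Dict[str, str]:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def verify_backup(root: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the files under `root` against a saved manifest."""
    result: Dict[str, List[str]] = {"ok": [], "changed": [], "missing": []}
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            result["missing"].append(rel)
        elif sha256_of(full) != expected:
            result["changed"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a manifest, then damage the copy and re-verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "report.txt"), "w") as fh:
            fh.write("quarterly figures\n")
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("meeting notes\n")
        manifest = build_manifest(root)
        # Simulate what an encrypting Trojan does to a connected backup:
        # one file's contents are replaced, another is gone.
        with open(os.path.join(root, "docs", "report.txt"), "wb") as fh:
            fh.write(b"\x00\x11\x22garbled")
        os.remove(os.path.join(root, "notes.txt"))
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification with the media connected to a known-clean machine, and keep the manifest file off the backup medium itself so that a damaged backup cannot also damage the record you check it against.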