The internet has been rocked by reports of a new form of ransomware making its rounds.
Called CryptoLocker, the malware arrives as an attachment to a phishing message that poses as routine business mail: a scan-to-PDF notification from a business copier such as a Xerox device, a UPS or FedEx message offering tracking information, or a bank letter confirming a wire or ACH transfer. The attached "PDF" is actually an executable (.exe) dressed up to fool the recipient into running it.
Once executed, CryptoLocker searches for files with the following extensions:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c
For each matching file it finds, it encrypts the file using a public key and records the file in the Windows registry under HKEY_CURRENT_USER\Software\CryptoLocker\Files. Once that is done, a ransom prompt appears informing the user that their files have been encrypted and that they must send hundreds of dollars to the malware's author using prepaid cards or Bitcoin. The prompt usually sets a deadline, typically four days, and the malware's author claims the private key required to decrypt the files will be deleted if the ransom is not received in time. Decryption usually begins once payment has been made; because only the attacker holds the private key, trying anything else leaves the files unrecoverable.
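The registry key described above doubles as an inventory of what was encrypted, which is the first thing a responder wants during triage. The following PowerShell script is an added example (not code from the original article) that walks HKCU\Software\CryptoLocker\Files, reconstructs the file paths and summarises them by extension. It assumes one registry value per encrypted file and, as reported by responders at the time but not stated on this page, that each value name is the file path with the backslash separator replaced by a question mark; the CSV output path is also an assumption.

```powershell
# Added triage example: list the files CryptoLocker recorded as encrypted.
# Run in the infected user's context (the key is per-user), or load that user's
# NTUSER.DAT hive and pass the path under HKEY_USERS instead.
function Get-CryptoLockerVictimFiles {
    param(
        # Default is the current user's key; an offline hive loaded with
        # 'reg load HKU\victim C:\Users\victim\NTUSER.DAT' can be passed as
        # 'Registry::HKEY_USERS\victim\Software\CryptoLocker\Files'.
        [string]$KeyPath = 'HKCU:\Software\CryptoLocker\Files'
    )
    if (-not (Test-Path -Path $KeyPath)) {
        Write-Warning "No CryptoLocker file list found at $KeyPath"
        return @()
    }
    $key = Get-Item -Path $KeyPath
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq '') { continue }   # skip the key's (Default) value
        # Assumption (as reported by responders): '\' was stored as '?'.
        $path = $name -replace '\?', '\'
        [pscustomobject]@{
            Path      = $path
            Extension = [System.IO.Path]::GetExtension($path).ToLowerInvariant()
        }
    }
}

$files = @(Get-CryptoLockerVictimFiles)
"{0} file(s) recorded as encrypted" -f $files.Count

# Which file types were hit, most affected first.
$files | Group-Object -Property Extension |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name

# Keep a copy of the list for the incident record (output path is an assumption).
$files | Export-Csv -Path "$env:USERPROFILE\cryptolocker-files.csv" -NoTypeInformation
```

Export the list before cleaning the machine: the key is the only record of which files were touched, and it is needed later to decide what to restore from backup or shadow copies.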
Quick Heal, a cyber security firm, said it first saw the ransomware in early September 2013 and is now seeing over 500 incidents per day reported from all over India. The company also mentioned a similar ransomware going by the name "Anti-Child Porn Spam" infecting computers.
For now, the best prevention is a Software Restriction Policy (SRP) or AppLocker rule set that stops executables from launching out of user profile locations such as %AppData%, which is where the dropper runs from. Instructions on how to deal with the malware are here.
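The SRP approach mentioned above, as an added example rather than the article's own instructions: the PowerShell script below writes machine-local SRP path rules directly into the registry so that .exe files cannot run from %AppData%, %LocalAppData% or the temporary folders that archive tools extract into. The rule list is the widely published CryptoLocker blocking set, not something taken from this page; the description text is an assumption. It must be run from an elevated prompt on a Windows machine.

```powershell
# Added example: block executables in the user-writable folders CryptoLocker's
# dropper uses, via Software Restriction Policy path rules in the registry.
$base       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path -Path $base -ChildPath '0\Paths'   # subkey 0 = Disallowed level

# Path patterns to disallow. SRP expands the environment variables itself.
$rules = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%Temp%\Rar*\*.exe',     # WinRAR extraction folders
    '%Temp%\7z*\*.exe',      # 7-Zip extraction folders
    '%Temp%\wz*\*.exe',      # WinZip extraction folders
    '%Temp%\*.zip\*.exe'     # Windows built-in zip handling
)

# Enable SRP with a default level of Unrestricted (0x40000) so that only the
# explicit path rules below block anything. TransparentEnabled=1 applies the
# policy to executables but not DLLs; PolicyScope=0 covers administrators too.
New-Item -Path $base -Force | Out-Null
New-ItemProperty -Path $base -Name 'DefaultLevel'       -PropertyType DWord -Value 0x40000 -Force | Out-Null
New-ItemProperty -Path $base -Name 'TransparentEnabled' -PropertyType DWord -Value 1       -Force | Out-Null
New-ItemProperty -Path $base -Name 'PolicyScope'        -PropertyType DWord -Value 0       -Force | Out-Null

foreach ($rule in $rules) {
    # Each path rule lives in its own GUID-named subkey under the level's Paths key.
    $guid = '{' + [guid]::NewGuid().ToString() + '}'
    $key  = Join-Path -Path $disallowed -ChildPath $guid
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'ItemData'     -PropertyType ExpandString -Value $rule -Force | Out-Null
    New-ItemProperty -Path $key -Name 'SaferFlags'   -PropertyType DWord        -Value 0     -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Description'  -PropertyType String `
        -Value 'Block executables in user-writable paths (CryptoLocker dropper locations)' -Force | Out-Null   # description text is an assumption
    New-ItemProperty -Path $key -Name 'LastModified' -PropertyType QWord `
        -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    "Added rule: $rule"
}
```

The rules apply to newly started processes once written; reboot to confirm. Legitimate software that installs or updates itself from %AppData% will be blocked as well, so test on a representative machine first and add matching Unrestricted path rules (under the 262144\Paths subkey) for anything that must keep running from there. The same patterns can be expressed as AppLocker deny rules where AppLocker is available.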