How to Remove Crypto Locker
We had a call from a client with a strange virus asking for $300. As IT Professionals, we have seen this a million times and suit up to go save the day. We roll out to the clients location as normal, get inside for what we expect to be a 15 minute removal and find the most dangerous virus / mal-ware we have ever seen.
Crypto Locker is an up front, and honest program. It is not making false claims or trying to make threats it cannot deliver on. That is what makes it so unique when compaired to other malware programs out there. Like an arrogant little kid who knows he pulled a fast one over on you and you have no choice but to do what he says.
To sum up, Crypto Locker starts out by putting a big giant warning on your screen that tells you the following.
- I have locked up all your documents, and created a nice organized list of all the documents I locked up for you... want to see?
- No one can unlock your documents but me.
- I am the only one who knows the key to unlock your files.
- If you remove me, your documents will be lost for ever.
- You have X amount of time left to pay for this key or else we delete it and your files are lost forever.
- Now please click "next" and we will teach you how to recieve this unlock key.
So how do you remove it?
The answer is... you don't. You pay and hope they actually unlock your files or else you lose your files. Which is the second piece of this virus that makes it so unique. If you pay, they ACTUALLY UNLOCK your files. According to Geek.com
"Amazingly, paying the Cryptolocker ransom does actually initiate the decryption process."
We have also seen other accounts of payment resulting in unlocked files. Criminals who keep there word are a rare breed indeed. There is obvious risk that you might have a Crypto Locker knock off, who might take your money and run. So there is no guarentee. However if you have critical data that is locked up in Crypto Locker and you do not have backups (or your backups got locked up as well) then it might be worth the $300 gamble.
What should I NOT do?
DO NOT try to run an anti-virus and remove crypto locker. You will be successful in removing Crypto Virus but your files will still be locked up. And once the software is removed, or once the timer runs out they are not joking when they say noone can unlock the files.
How do I decrypt the files that Crypto Locker encrypted?
The only way to do this is to get the key that was used to encrypt the files. Below are examples of people who have tried to self-decrypt.
"The infected PC no longer shows the dialog box to pay the ransom. The timer ran out and now it is gone. I can find no trace of it, but the files are still inaccessible."
So far, noone has come up with any way to decrypt the files. This is because RSA-2048 is not a made up encryption. Infact... noone has ever cracked any RSA-2048 encrypted documents. Atleast not publicly and there is a $200,000 reward out for anyone in the world who can do so.
This means that without the key which the virus maker has, you cannot unlock your files, atleast not with any known methods that have been developed and are available to the public. There is not even any known ways of doing it by the government. From what we know, the NSA themselves could not unlock your files even if it was a matter of national security!
Can't I use someone elses key?
No, this encryption has a private and public key, and also has a separate key for decryption than it does for encryption. This is why if you remove Crypto Locker before the files are unlocked not even the virus maker can unlock it because he doesn't know which key goes to it.
This virus is 100% honest from what we can tell, and there is no other known method of retrieving the data other than paying, and then you are hoping the criminals are kind enough to continue to unlock the files. This might not be the news you are looking for but its the truth.
Even if you choose to pay to unlock the files, we highly recommend having the entire machine deleted then reloaded with a fresh operating system. They got in once and they might still be in your computer sitting and waiting for a month or two before they pull another lock down on you.
What can I do to protect myself or my business from Crypto Locker?
The best protection is a robust data backup plan, up to date antivirus and up to date patches from an experienced IT professional. If you have inhouse IT then have them walk you through the disaster recovery plan. If you are a small or medium company then outsource critical functions like this and get a Service Level Agreement which covers complete data loss.
No IT firm/person can eliminate all risk, but with proper planning even the worst senario can be mitigated.