Tuesday, February 11, 2014

CryptoLocker, Ransomware, and the Importance of Good Backups

CryptoLocker attacks have become more frequent and public. CryptoLocker is a type of ransomware that stealthily encrypts all available files on the infected computer or attached shares or devices. Then the computer user is warned that the files can only be decrypted with a key that must be bought and installed within 100 hours.

Of course this is extortion. But Symantec estimates that 3% of victims pay up, which is enough to net the extortionists millions of dollars per month.

Recently, a law firm's entire store of legal files was encrypted and could not be decrypted. Consider the potential implications of being legally responsible for those documents and then being responsible for their destruction through negligence.

Removing the infection from the computer is relatively straightforward. There are free tools, such as this tool from Sophos. Alternatively, you can roll your system back using Windows System Restore, if you had enabled that feature before you were infected. Other, more intrusive methods may be needed if these do not work. These tools can remove the infection, but decrypting the encrypted user files is not likely to be possible.

If your files have been encrypted, you are going to need to recover from backup. Once your PC has been disinfected, you can attempt to recover files from Shadow Volume Copies (which are part of Windows' System Restore). But you are most likely to be successful if you have been backing up to a system that did not allow the infected PC to overwrite your backups.
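To make that last point concrete, here is an added example (not code from the original post) of a write-once, versioned backup store: each run lands in a new snapshot that can never be modified, and a simple mass-change check flags a snapshot in which an unusual share of files changed so that the last known-good one is chosen for restore. The 0.5 change threshold, the snapshot labels and the sample files are assumptions constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile

def _file_digests(root):
    """Map relative path -> SHA-256 of contents for every file under root."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            with open(full, "rb") as f:
                out[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return out

def take_snapshot(source, backup_root, label):
    """Copy source into a new write-once snapshot; older snapshots are never touched."""
    dest = os.path.join(backup_root, label)
    if os.path.exists(dest):  # refuse to overwrite: a bad run can only add a snapshot
        raise FileExistsError(f"snapshot {label} already exists")
    shutil.copytree(source, dest)
    return dest

def changed_fraction(prev_snapshot, new_snapshot):
    """Share of files whose content differs from the previous snapshot."""
    before, after = _file_digests(prev_snapshot), _file_digests(new_snapshot)
    if not after:
        return 0.0
    return sum(1 for p, h in after.items() if before.get(p) != h) / len(after)

def demo(threshold=0.5):
    """Constructed scenario: snapshot, overwrite every client file (stand-in for encryption), snapshot again."""
    work = tempfile.mkdtemp()
    client, backups = os.path.join(work, "client"), os.path.join(work, "backups")
    os.makedirs(os.path.join(client, "docs"))
    for name in ("docs/contract.txt", "docs/notes.txt", "readme.txt"):
        with open(os.path.join(client, name), "w") as f:
            f.write(f"original contents of {name}\n")
    good = take_snapshot(client, backups, "2014-02-10")
    for rel in _file_digests(client):  # every file replaced by junk, as the ransomware would
        with open(os.path.join(client, rel), "wb") as f:
            f.write(os.urandom(64))
    bad = take_snapshot(client, backups, "2014-02-11")
    frac = changed_fraction(good, bad)
    suspicious = frac >= threshold  # threshold is an assumed policy value, not from the post
    restored_dir = os.path.join(work, "restored")
    shutil.copytree(good if suspicious else bad, restored_dir)  # restore from the chosen snapshot
    return {"changed_fraction": frac, "suspicious": suspicious,
            "restored_ok": _file_digests(restored_dir) == _file_digests(good)}
```

Because the infected client only ever produces a new snapshot and cannot alter earlier ones, the pre-infection copy survives even when every file on the client has been overwritten.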
