CryptoLocker

POSTED: NOVEMBER 22, 2013

Recent activity of a highly dangerous ransomware, known as CryptoLocker, has been noticed on UK’s campus.

CryptoLocker encrypts certain files using a mixture of RSA & AES. After encrypting files, a CryptoLocker payment program screen appears that requests a ransom of either $100 or $300 to decrypt the files. A timer is also displayed, stating the time remaining to pay the ransom. If the ransom is not paid by the allotted time, the encryption key is deleted and files cannot be recovered. The ransom must be paid using MoneyPak vouchers or Bitcoins. Once payment is sent and verified, the program will decrypt the files that it had encrypted.

CryptoLocker is currently circulated through emails, and the best way to stop its circulation is through user education.

University of Kentucky strongly encourages IT staff to educate users by completing the following steps:

1. Inform staff, faculty & students of the threat and methods of attack.

o   Alert users to be extremely cautious when dealing with emails.

o   Emails spreading CryptoLocker usually have a customer-support-related issue in the subject line and contain a ZIP file holding an executable disguised as a PDF.

o   The attachment names normally look like this: FORM_101513.exe or FORM_101513.pdf.exe

o   If a user is not sure about an email, it is best to delete it. A legitimate sender can be contacted, verified and asked to resend the email.

2. Back up machines and data that are critical to UK business processes, research, etc., if they are not already backed up.

3. Map network shares by UNC (Universal Naming Convention) path rather than by drive letter. Example: \\Networkshare\file

4. Secure all open shares by allowing write access only to the necessary user groups or authenticated users.
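The attachment pattern described in step 1 can also be checked mechanically at a mail gateway or by help-desk staff before a user opens the file. The following Python script is an added example and is not part of the University of Kentucky notice: it opens a ZIP attachment, lists its members, and flags any member whose final extension is executable, reporting separately the double-extension case (FORM_101513.pdf.exe) in which Windows' default "hide extensions for known file types" setting would display the name as FORM_101513.pdf. The extension lists, the function names and the in-memory sample archives are constructed assumptions for this example, not data from the notice.

```python
"""Screen a ZIP e-mail attachment for the CryptoLocker lure pattern:
an executable whose name imitates a PDF (FORM_101513.exe, FORM_101513.pdf.exe).

Added illustrative example, not code from the University of Kentucky notice.
The sample archives are constructed in memory so the script runs offline.
"""
import io
import zipfile
from typing import Iterable, List, Optional

# Extensions Windows runs on double-click. Assumption: a representative list,
# not an exhaustive one; extend it to match local policy.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions typically used as the disguise in front of the real one.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".txt"}


def classify_name(name: str) -> Optional[str]:
    """Return a reason to quarantine if the member name matches the lure pattern, else None."""
    base = name.rsplit("/", 1)[-1].lower()  # ZIP member paths use forward slashes
    parts = base.split(".")
    if len(parts) < 2:
        return None  # no extension at all
    ext = "." + parts[-1]
    if ext not in EXECUTABLE_EXTENSIONS:
        return None
    # Double extension: the part before the real extension looks like a document.
    # With "hide extensions for known file types" on, Windows would show only
    # "form_101513.pdf", which is exactly what the lure relies on.
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
        return f"executable disguised as document: {name}"
    return f"executable inside archive: {name}"


def screen_zip_attachment(data: bytes) -> List[str]:
    """Inspect ZIP attachment bytes and return every reason found to quarantine it."""
    findings: List[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                reason = classify_name(info.filename)
                if reason:
                    findings.append(reason)
    except zipfile.BadZipFile:
        # A ZIP that does not parse is itself suspicious; surface it rather than
        # silently treating the attachment as clean.
        findings.append("attachment is not a valid ZIP archive")
    return findings


def build_sample_zip(member_names: Iterable[str]) -> bytes:
    """Construct a ZIP in memory with placeholder content (constructed sample, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member in member_names:
            zf.writestr(member, b"placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_zip(["FORM_101513.pdf.exe"])
    benign = build_sample_zip(["invoice.pdf", "notes.txt"])
    print(screen_zip_attachment(lure))    # flags the disguised executable
    print(screen_zip_attachment(benign))  # [] -> nothing to quarantine
```

Run it as a script to see the two sample verdicts. `screen_zip_attachment` returns an empty list for an archive containing only document files, so its result can feed a quarantine decision directly. It inspects member names only; a content check (for example the MZ header of a Windows executable) would be the next layer for archives whose members have been renamed to benign extensions.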

If a computer is infected with Cryptolocker:

1. Disconnect machine from wireless or wired network.

2. Contact local IT support.

3. Contact Security@uky.edu

4. Reimage the machine and restore data from backup.
   (However, if the backup copy is infected with the ransomware, the clean machine may be reinfected.)

If you have any questions please email mike.carr@uky.edu

859-218-HELP (859-218-4357) 218help@uky.edu