The past few weeks have been filled with reports of workstations and servers being hacked with the Cryptolocker / Ransomware malware. It is being called one of the worst malware attacks ever seen. And these attacks are occurring even when anti-virus and anti-spam filters are in place.
http://blog.emsisoft.com/2013/09/10/cryptolocker-a-new-ransomware-variant/
Please do not treat this lightly!
The result of this attack is that files on your computer will be encrypted with a high-level 128-bit encryption key. And it will quickly spread to any mapped drives or USB drives that are attached. And even worse — there is no known tool to unencrypt these files.
This malware often comes in through rogue emails that appear to be from FedEx, UPS, Amazon or other similar purchasing sites. It may be a link in the email, or an attachment. But clicking on the link or the attachment is all that it takes.
SHUTDOWN YOUR COMPUTER IMMEDIATELY
You will know if you have been infected with the Cryptolocker malware, because you will see a large message on your screen telling you to pay a ransom to get your data files back.
Do not attempt to run any anti-virus or anti-malware utilities. If you see the ransom message, turn off your computer immediately. Power it off and disconnect your network cable.
BACKUP – BACKUP – BACKUP!!!!
The best advice anyone will give you is to make sure you have up-to-date backup of your servers, workstations and your data. Because if you get caught by this malware, you will need to restore your data from backup. It primarily seeks out office files (Word, Excel, etc.), but will also look for database files (Access, FoxPro, etc.)
Cryptolocker can be removed using well know malware removal tools, such as MalwareBytes. But these tools CANNOT unencrypt your infected files.
DO NOT PAY THE RANSOM!
The Cryptolocker malware will display a large warning message that your computer has been compromised, and that you can recover your files if you pay the required ransom (anywhere from $100 to $300). But they say that you only have a limited amount of time to pay this ransom, generally 72 hours.
Even though there are some people who have reported paying the ransom and getting their files unencrypted, I cannot condone such actions. Not only is there is no assurance that the cleanup will take place if you pay the money, it still remains that your system has been compromised.
REFORMAT and RELOAD
I strongly advise to reformat infected systems and restore Windows, either from backup or as a clean install.