CryptoLocker Virus Information and Prevention

In recent weeks, antivirus companies have discovered a new ransomware virus known as Cryptolocker. This ransomware virus is extremely nasty and disruptive because computers infected with this virus are at risk of losing their files PERMANENTLY.

This virus is currently known to spread through email attachments, phishing attacks and “drive by” attacks, and by being pushed to computers that have previously been infected by botnet viruses.

The Cryptolocker virus encrypts users’ files using asymmetric encryption, which requires both a public and private key.

Asymmetric Encryption

The public key is used to encrypt and verify data, while the private key is used for decryption, each the inverse of the other.

Once a user's files are encrypted, the ONLY way to decrypt them is with the private key, for which the virus writers demand a ransom.

At the present time, infected users are being instructed, through a warning displayed on the infected computer(s), to pay $300 USD to receive this private key. Payment can only be made by non-traceable and non-refundable methods: Bitcoins and MoneyPak.

Users that are infected with this virus are presented with a time limit to send the payment. If the “ransom” is not paid within the time limit, the private key is destroyed, and your files may be lost forever.

Cryptolocker Ransomware Screen

Files targeted are those commonly found on most PCs today; the file extensions targeted include:
3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx

The team at BleepingComputer have put together a detailed FAQ on this virus that can be found here.

While virus and malware scanners can remove the cryptolocker virus from your computer(s), these programs CANNOT decrypt any files.

It is vitally important to remember that IF YOU RECEIVE A FILE YOU WERE NOT EXPECTING, DELETE IT – DO NOT OPEN IT – THERE ARE NO EXCEPTIONS!

There are documented ways to protect your computers from running (executing) programs in the folders/directories that the Cryptolocker virus has been found to run from. These instructions can be found here.

For users who are not comfortable with making these types of changes to their PCs, a program called CryptoPrevent is available for download.

CryptoPrevent is a small utility program to lock down any Windows OS (XP, Vista, 7, 8, and 8.1) to prevent infection by the Cryptolocker malware or ‘ransomware’, which encrypts personal files and then offers decryption for a paid ransom.

GreenTree Hosting has licensed CryptoPrevent Premium enabling us to offer CryptoPrevent Premium for download to our customers and visitors to this website.

CryptoPrevent Premium offers:

  • Worry free, hands free, automatic and silent updating on a daily schedule.
  • NEW!  Email alert option to notify you via email when an application is blocked.  (email setup required.)
  • Keeping CryptoPrevent current provides the latest protection and compatibility.  Malware updates itself!  Shouldn’t you update CryptoPrevent to keep it relevant?

Currently GreenTree Hosting is offering the download of CryptoPrevent Premium for FREE.

Kindly Note: Virus Scanners and/or your PC Settings may disallow the download of this file as it is a .exe file. You may need to temporarily disable your anti-virus, click a more information button or manually allow the download to happen on your PC. This is a safe file to download that is designed to make changes to your PC to prevent the installation of CryptoLocker and other destructive malware.

GreenTree Hosting is making this software available for free with no implied or expressed warranties or guarantees.

For full information on CryptoPrevent and CryptoPrevent Premium – visit the software vendor, Foolish IT

CryptoPrevent Premium can be downloaded for FREE at this link.

GreenTree Hosting Branded CryptoPrevent

In addition to CryptoPrevent, we also recommend installing CryptoGuard from SurfRight, available at this link.

CryptoGuard vs CryptoPrevent Comparison

CryptoGuard and CryptoPrevent are two different applications that can be used together to protect your PC.

CryptoPrevent is a tool that writes 200+ group policy object rules into the registry in order to prevent executables in specific locations from running. Typical locations set by CryptoPrevent are %appdata% and %localappdata%.

But … malware is not restricted to the above locations.  Malware can run as an exploit in your web browser, and it can inject itself into running processes (e.g. explorer.exe, svchost.exe, etc.). Malware can copy itself to the desktop or to the startup folder on your start menu. The potential locations and processes through which your PC can be infected by malware are nearly endless.

This is where CryptoGuard differs from CryptoPrevent.

CryptoGuard doesn’t look at where the ransomware is running, it looks at what it is doing to the file system.
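The sketch below illustrates the behaviour-based idea described above; it is an added example, not CryptoGuard's actual logic or code from SurfRight. The entropy thresholds, time window, process names and file events are all constructed assumptions: a process is flagged when it rewrites several files with targeted extensions into high-entropy (encrypted-looking) data within a short time, wherever that process runs from.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Subset of the targeted extensions listed earlier on this page.
TARGETED = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "odt", "pst", "mdb"}
HIGH, JUMP = 7.5, 1.0  # assumed thresholds, in bits per byte

def shannon_entropy(data):
    """Bits per byte: roughly 4-5 for plain text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_processes(events, window=10.0, threshold=3):
    """Flag processes that turn `threshold` targeted files into
    high-entropy data within `window` seconds."""
    hits, flagged = defaultdict(list), set()
    for ts, proc, path, before, after in sorted(events, key=lambda e: e[0]):
        if path.rsplit(".", 1)[-1].lower() not in TARGETED:
            continue
        h = shannon_entropy(after)
        if h >= HIGH and h - shannon_entropy(before) >= JUMP:
            hits[proc] = [t for t in hits[proc] if ts - t <= window] + [ts]
            if len(hits[proc]) >= threshold:
                flagged.add(proc)
    return flagged

def fake_ciphertext(seed, blocks=64):
    """Constructed stand-in for encrypted content (SHA-256 of counters)."""
    return b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(blocks))

PLAIN = b"Quarterly report: revenue up 4 percent. " * 50

# Constructed events: (time_s, process, path, content_before, content_after)
SAMPLE_EVENTS = [
    (0.0, "office-app", r"C:\Users\a\Documents\plan.docx", PLAIN, PLAIN + b"edit"),
    (1.0, "archiver", r"C:\Users\a\backup.zip", b"", fake_ciphertext(1)),
    (2.0, "unknown-proc", r"C:\Users\a\Documents\q1.xlsx", PLAIN, fake_ciphertext(2)),
    (2.5, "unknown-proc", r"C:\Users\a\Documents\q2.docx", PLAIN, fake_ciphertext(3)),
    (3.0, "unknown-proc", r"C:\Users\a\Documents\notes.rtf", PLAIN, fake_ciphertext(4)),
    (50.0, "vault-tool", r"C:\Users\a\Documents\keys.xls", PLAIN, fake_ciphertext(9)),
]

if __name__ == "__main__":
    print(suspicious_processes(SAMPLE_EVENTS))
```

Already-compressed formats such as jpg start out with high entropy, so the entropy-jump check would not fire for them; they are left out of TARGETED here and would need a different signal.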

CryptoGuard is available for download from SurfRight at this link.

Cryptolocker FAQs:

  • I have virus and malware scanners on my PC, won’t these protect me?
    • Given the constantly changing nature of this virus, it is possible to get infected even with virus scanners that are up to date.
  • Can I download any virus or malware scanners that will prevent infection?
    • Given the constantly changing nature of this virus, it is possible to get infected even with virus scanners that are up to date. That said, we do use a number of scanner programs on our computers including Microsoft Security Essentials and Malwarebytes Anti-Malware Pro. Malwarebytes makes the claim that “Users of Malwarebytes Anti-Malware Pro are protected by malware execution prevention and blocking of malware sites and servers.”

More information about Cryptolocker, CryptoPrevent, Microsoft Security Essentials and Malwarebytes can be found at these links: