Cryptolocker ransomware found on campus

The Office of Campus Information Security (OCIS) is aware of a relatively new ransomware trojan actively attacking campus users and computers. The ransomware is commonly called Cryptolocker, but is detected as Trojan.Ransomcrypt by Symantec or Trojan:Win32/Crilock by Microsoft.

Like all file encrypting ransomware, Cryptolocker’s goal is to encrypt your data and try to sell it back to you, or else. ¬†Unfortunately, the bad guys that wrote Cryptolocker did something that other ransomware has not always managed–they got their encryption right. Once your files are encrypted, there is no way to decrypt them without paying the ransom.

Cryptolocker uses standard malware attacks to get itself on your computer: social engineering emails with the trojan attached, drive-by downloads from infected web sites, and inclusion in additional malware downloaded by other trojans already infecting a computer (botnets).

Antivirus applications are detecting Cryptolocker, but are struggling to successfully block it before it encrypts files.

What can I do?

Paying the ransom is not recommended, however, once your files are encrypted, the only sure way to get them back without paying up is from a backup.  So prevention is much better than a cure.

– Avoid opening attachments that you weren’t expecting, or from people you don’t know well.

– Patch your operating system and applications.

– Run up-to-date antivirus software and be sure to have it check for new virus definitions at least once a day.

– Make regular backups and keep at least one copy of your backups offline.¬† Backup systems like Dropbox or Carbonite will happily backup the encrypted files for you, but they won’t help with recovery if you happen to get infected.

For additional information about Cryptolocker, please see Sophos’ NakedSecurity blog post here:

If you believe that you are infected with any malware, and not just Cryptolocker, contact the DoIT Help Desk for assistance: