Media and IT threads are lighting up on this one.  It’s pure blackmail, cold and hard.

From the Asbury Park Press

From SpiceWorks (Industry discussion forum)

From PC World

From Reddit (Social Bookmarking site)

From the FBI

From Wall Street Journal Video  (Starts at the 2:00 marker)

As of the time of this writing, most anti-virus software is NOT reliably detecting this Malware.  It can be gotten from a variety of ‘vectors’ including email attachments, social media sites, websites etc.  Although we hope people know not to click on various links etc, unfortunately, this nasty malware relies on just one person in your organization doing the wrong thing.

An employee of Clients First was hit with it this last night on a home computer and lost all his data which he didn’t previously back up. His anti-virus was completely up to date at the time.

Why is this particular malware so devastating??

When just one individual in your organization clicks on the ‘payload’ nothing immediately appears wrong.  However, behind the scenes the following is happening:

  • Cryptolocker scans all your local hard drives.  It then begins randomly encrypting all critical files & documents with an RSA 2048 bit encryption key.  This is millions of times stronger than most military grade encryption (usually 256bit) and is literally impossible to decrypt without the appropriate key.  It does this fairly slowly so that it purposely has time to spread to other machines which may have access to other shared server data as well as more local hard drive data.
  • It’s smart enough not to encrypt your program files so that your machine can boot properly and programs can continue to operate so you won’t immediately notice what happened.
  • Here’s where it can get ugly for your organization.  Next Cryptolocker scans all available network drive shares and starts encrypting the files on your network as well.
  • It may be days or even weeks before people notice something is wrong.  At first, a user might assume that the file they are attempting to access is merely corrupted.  Especially if the infection occurred on a different machine so they don’t see the ransom message (Above)
  • A user could get this virus at home and not even know it.  Then either connect to the office via a VPN or bring their laptop into the office at which point it will begin encrypting the data files on all the network shares that user has access to
  • After encrypting your files the above shown Ransom message appears.  They only give you 72 hours to pay or the encryption keys are destroyed.  You are asked to pay $300 and if you do it should start decrypting your files.  However, as discussed in the above linked websites, the servers that do the decrypting have been offline more than online so the majority of users making the ransom payment haven’t been getting their files decrypted and there is almost no way to get your money back without filing a complaint with the FBI


Removing the Cryptolocker virus eliminates any chance of ever decrypting the files.  Even if you purposely re-infect your machine, the encryption key will be different and completely useless.

How to protect against it

  • Obviously maintain quality anti-virus and malware software.  Microsoft’s free Security Essentials (which is embedded in Windows 8 as well) is no longer recommended by Microsoft as a viable defense.  Read HERE.  In this particular case, most of the top anti-virus solutions still aren’t reliably detecting this before encryption occurs and this malware will inevitably morph again to become undetectable.  It will probably spawn numerous copycats as well because the money making opportunity here is staggering.
  • Continually train your end users about clicking on email attachments, websites they aren’t familiar with, links on Facebook or LinkedIn etc.

According to PC World, a top grade backup solution and procedure is your only real solution to this and future problems.  Many inexpensive cloud solutions like Carbonite will fail you on this one.

  • Most online backup solutions like Carbonite, Sugarsync, Mozy etc continuously backup your files.  This means they will continuously backup your encrypted files.  Some of these services allow you to restore a file from a prior version (for Carbonite, up to 30 days back) but they were designed for a situation in which a user accidentally overwrites one or two files with a newer version they didn’t want.
    • They are not designed for mass restores of thousands of files from a prior point in time.  If you had a server with 10,000 data files corrupted and backed up by most cloud backup vendors, you would literally have to ‘right click’, select ‘versions’ and ‘restore’ each and every file manually.  Needless to say this could take weeks and drive a person to insanity.  It might even take longer than the 30 days they retain prior versions.
  • You need a snapshot based backup solution in place with multiple versions, constant offsite rotation of media and well tested and easy restoration from a prior point in time. Typically this is done with tapes or removable hard drives  This way you would eliminate the virus, and then restore your files from a backup that was made before the infection occurred.

EverSafe! is hands down the best way to handle this new wave of malware

Clients First’s EverSafe! Backup & Disaster Recovery solution (BDR) will offer you zero downtime if you were unfortunate enough to become a victim of this.

  • Upon initially realizing you’ve been ‘held up’ for ransom you would investigate the time of the first file that is encrypted.  Based on this date & time you could simply restore all your affected shared directories from a point in time that occurred. That’s what we did for one of our clients that was hit with Cryptolocker last week.  They haven’t skipped a beat.  Had they not had EverSafe! in place, they were at severe risk of data loss.
  • Due to its unique ability to ‘fail over’ from your server, if your server became infected, you would take it offline.  Then boot up a copy of the server from a prior point in time within the EverSafe! appliance and your users would continue working as normal with no downtime.  Then after you have either removed the virus, or reformatted the server to a factory state, you would use EverSafe! to quickly restore your entire server ‘snapshot’ to your production server after hours.  Users would then continue working without interruption

Why is EverSafe! better than just traditional on-site file backup or Cloud backup?

We explain this in detail over at  In a nutshell:

  • EverSafe! continually takes snapshots of all your servers and data.  It can be as often as every 5 minutes.  This is a complete ‘point in time’ clone of your entire server including data files, operating system, applications etc.
  • EverSafe! continually boots up the snapshots inside a local on-premise appliance and emails you a copy of the login screen so you are assured its ready to stand in for your production server should anything happen such as a hardware failure, human error or this nasty Cryptolocker.  Lack of constant testing is the #1 reason for failed restoration attempts
  • If you suffered a disaster on-premise such as a fire, hurricane, flood etc, EverSafe! is continually backing up your snapshots into two highly secure data centers in the cloud that are completely isolated from both your servers and end users so no virus could ever ‘reach out’ and touch those files.

We find too many ‘traditional’ backup solutions are not tested nearly enough, often end up with offsite rotations that could lead to weeks of work lost, and poor overwrite practices that might result in you not having a reasonable version to restore from at a point in time before the encryption occurred.

What would it mean to you if all your critical data files became useless??