CryptoLocker is a new malware threat, first known to be causing trouble in September 2013. It is known as “ransomware” because it prevents you from accessing your files unless you pay money to its authors. It does this by encrypting the files on all local and mapped network drives that your computer can access, including staff and student home folders, departmental shares, and removable media such as memory sticks and USB-connected drives. If a drive has a drive letter (e.g. C:, D:, E:, H:, S:, etc.), it is at risk. Affected files can only be decrypted using a key that you are forced to pay for.
If your computer has been infected, you will see the dialog below. If a pop-up window like this should appear on your PC, you should IMMEDIATELY POWER OFF YOUR COMPUTER and seek help. The reason for this advice is that the message is displayed early in the encryption process. By stopping it as soon as possible, you reduce the number of files that you might lose.
Further advice for users of personal devices (laptops, tablets, etc.) is to ensure that you have backup copies of your files held on a device which is not permanently connected to your computer, i.e. a memory stick or USB drive that you connect only for the purpose of backing up and then remove while you are using the computer for normal activities. In the case of network drives, Information Services back these up, and files can probably be recovered if IS are notified soon enough that you are a victim of this type of attack.
To reduce the risk of being attacked in this way, follow the standard advice from Information Services at all times: http://blogs.stir.ac.uk/isnews/?p=3144
More information about this specific threat can be found in the media at:
- You’re infected—if you want to see your data again, pay us $300 in Bitcoins
- Fiendish CryptoLocker ransomware: Whatever you do, don’t PAY