Post by Willow on Dec 5, 2013 13:05:16 GMT 9.5
CHRIS GRIFFITH THE AUSTRALIAN DECEMBER 05, 2013 12:00AM
DEVASTATING malware that makes users' computer files unreadable until they pay a hefty ransom has begun infiltrating Australian computers after wreaking havoc in Britain and the US.
The so-called "ransomware", known as CryptoLocker, silently encrypts files on Windows computers, along with files on any connected network storage or USB devices, rendering them unreadable.
Once the encryption process finishes, it tells users to pay a ransom, which so far has been $100, $300 or two bitcoins, currently worth about $2400.
Users become infected when they open email attachments from what appear to be legitimate sources such as delivery firm FedEx and anti-virus providers Symantec and McAfee. CryptoLocker also can piggyback its way into your computer via other malware.
Cybercriminals have targeted "tens of millions of UK customers", says Britain's National Crime Agency.
In the US, its victims include the Swansea, Massachusetts police department. It yesterday confirmed to The Australian that it paid for a decryption key to unlock its files. The amount has been reported to be $US750.
The malware was first reported about September.
Anti-virus firm Kaspersky Lab Australia-New Zealand yesterday said Australians had been targeted as part of a second wave also hitting India and France.
Kaspersky Lab technical manager Sam Bryce-Johnson said computers belonging to Australian users already were being infected. He said an Australian IT service provider had contacted him saying it had infected customers and was asking for advice.
"I think we'll see more of it," Mr Bryce-Johnson said.
The sophisticated encryption used by CryptoLocker means that victims have little choice other than to pay the ransom, unless they have an offline backup that is unaffected.
The malware has been programmed to encrypt files on devices attached to the affected computer, which renders online back-ups useless as they, too, can be encrypted.
The cybercriminals have programmed the malware to destroy "shadow" copies -- automatic back-ups made by Microsoft Windows -- so they cannot be a source for recovering files.
Australian universities are warning they can do nothing to help staff whose computers are infected other than suggest they rebuild a computer from scratch.
Charles Darwin University, in an online post, warns users "it is not possible to decrypt files affected by CryptoLocker by any other means than paying the ransom".
In an email to staff, Griffith University chief technical officer Bruce Callow said a number of universities had experienced problems with CryptoLocker and there may be little the university could do to help victims.
"If your PC gets infected with Cryptolocker, it is highly improbable that ITS will be able to restore your PC to working order intact. The only real option available is to completely erase the computer and reinstall from scratch," the email said.
The cybercriminals responsible have proved elusive, often opting to receive the ransom money in bitcoins; the open source, peer-to-peer online currency is preferred by criminals because it is hard to trace online transactions.
Rather than helping, anti-virus software has sometimes hindered victims of CryptoLocker by deleting the malware, but in doing so making it impossible for users to apply the decryption key and get their data back.
Having observed the problem, the cybercriminals responded by offering victims a link where they could manually download CryptoLocker again. This has led to the farcical situation of some victims reinstalling the CryptoLocker ransomware so that they can perform the file decryption process.
The cybercriminals too have been cagey. They’ve cultivated a reputation of honouring their commitment to provide decryption keys when the ransom is paid – a move that’s believed to enhance the likelihood of future victims shelling out their cash.
But would you trust them to honour their word when you are paying hundreds, maybe thousands, of dollars to an anonymous source across the internet?
Given they also have made a killing in trading Bitcoins, with their value jumping from $237 to $1200 in a month, some recent versions of CryptoLocker are asking for 0.5 Bitcoins instead of 2 – a recognition by the criminals of a limit beyond which victims may be more reticent to pay.
Users are typically given 72 hours to pay or the unique, private decryption key they need will be destroyed, or the price for the key jumps to exorbitant levels.