A new computer malware program called CryptoLocker is spreading across campus. Several individuals’ computers and even some college share drives have been attacked. The program will make all of your files inaccessible and ask for a ransom to access them again.

CryptoLocker disguises itself as a PDF or ZIP file attached to an email. When the attachment is clicked, the virus installs itself into the user area of the Windows registry. This area does not require administrative access to run, so the virus bypasses our regular security.

Once the malware is installed, it scans all drives attached to the user’s computer (including network drives such as department shares) and systematically encrypts the files so that they are no longer readable. The program then prompts you to pay a “ransom,” usually about $300, to get a key to decrypt the files. The funds are collected in offshore accounts and are beyond the reach of U.S. laws.

To combat extortion, service providers are shutting down the key servers as fast as they are popping up on the Internet. This could result in a user having encrypted files, paying for a key, and not having access to that key.

The first level of security is at the email level. Our email system has been able to identify and remove a number of the CryptoLocker attachments, but we can’t count on 100% success with email filtering. Assuming that some get through, Technology Services – Student Affairs is implementing a policy to prevent the installation of programs in the user area of the Windows registry, so that the program cannot install. This impacts a number of common applications which also use the user area. A list of exceptions for common programs includes:

  • Dropbox
  • Chrome
  • Argos reporting
  • Spotify
  • Pandora
  • Google Talk

These six programs account for 83% of all programs installed in the user area in the division.

To avoid loss from this malware program, do NOT open attachments unless you are expecting them, and back up your most important files. If you suspect you have been hit with the CryptoLocker malware program, contact the Service Desk.
If you have questions, contact the Service Desk Central at 979.862.7990 or [email protected]