What file types are affected by this worm? Here are some, but not all, of the file types it will encrypt on your computer. One they have been encrypted, you will not be able to access them: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c. <\/p>\n
When it has finished encrypting your data files it will display the CryptoLocker screen:<\/p>\n
![\"Cloudeight](\"http:\/\/thundercloud.net\/infoave\/images\/2014\/cyptolocker3.png\")
<\/p>\n
CryptoLocker wants you to pay the ransom by sending 2 bitcoins to an address (URL) that is dynamically generated. Bitcoin payments cannot be traced. A Bitcoin is worth around $200 U.S.D. If you want to know more about what Bitcoins are see http:\/\/en.wikipedia.org\/wiki\/Bitcoin<\/a> . If you don’t want to get the details about Bitcoin — essentially it’s a way to pay and get paid anonymously — payments cannot be traced back to the payee or payer (theoretically — the NSA and FBI not withstanding). <\/p>\n As we said, once you’re infected, removing the infection will not decrypt the encrypted files. So the best way to avoid all this is to not become infected. As we pointed out, Emsisoft is one of the very few antivirus\/anti-malware programs that will prevent you from becoming infected in the first place. <\/p>\n Users of Emsisoft Anti-Malware are not at risk of falling victim to either CryptoLocker or the malware downloader from the initial email campaign, unnoticed, as both are no match for our award winning behavior blocking technology.<\/em> <\/p>\n But we know, not all of you have Emsisoft — so what happens if you do become infected?<\/p>\n #!. DO NOT PAY THE RANSOM. #2. Keep your pictures and documents and other important files backed up in “the cloud”. There are many good, free, cloud storage services and some offer a generous 5GB of space — and you can have more than one. Keep a good image back-up on an External drive – but keep in mind any drive attached to your computer is subject to infection.. Keep a backup of those files you simply cannot replace on off site on a good cloud storage service online. There is some suggestion that the CryptoLocker infection may encrypt files on external drives as well. These probably would not affect image backups since most backup programs store their backup files in proprietary format. But just in case, do use a good cloud storage service to back-up your irreplaceable files — pictures, documents, videos, movies, etc.<\/p>\n #3. Don’t forget System Restore. System Restore offers you a way to restore your files to a time before you were infected.<\/p>\n At the first sign of infection do this:<\/p>\n 1. Do not panic *Windows XP users: At the command prompt type CD: C:\\Windows\\System32 (exactly like that) and press Enter. The command prompt will now look like this C:\\Windows\\System32> . At that prompt, type RSTRUI.EXE and press Enter. Then follow the instructions above starting with #10.<\/p>\n ** Windows 8 and Windows 8.1 users: See this guide for booting into safe mode on Windows 8 and 8.1. http:\/\/www.howtogeek.com\/107511\/<\/a><\/p>\n A reminder: If you get infected, removing CryptoLocker with your antivirus program or anti-malware program (if they can even remove it) will not solve your problem; it will not unlock your files, so you will still not be able to access them. The files are encrypted and the only way you’ll be able to open them again is with the decryption key — which you don’t have and won’t have unless you pay the ransom— DO NOT PAY THE RANSOM no matter what. If you do you’ll be part of the problem because you’ll be encouraging the criminals to develop more of this kind of stuff.<\/p>\n The best way to deal with this threat is to not get it in the first place. Emsisoft users are protected. If you don’t have Emsisoft (and even if you do) safe computer operating procedures are important. Never open an attachment you were not expecting AND do not open an attachment unless you’re positive you know who sent it. You cannot be positive by simply looking at the sender’s address — it could be forged. If in doubt, and it’s a friend of yours, call them or write them and ask if they sent you an attachment — and ask what it is. <\/p>\n The best advice though is : NEVER open an attachment from an email.<\/p>\n","protected":false},"excerpt":{"rendered":" There’s a relatively new variant of an older Trojan\/worm spreading across the Internet and this one is unusually bad because of the way it works and because if you’re not wary it could cost you $300 or more — and because most antivirus programs don’t catch it until it is too late. It’s commonly called CryptoLocker — it’s\u2026 Read More »<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"_links":{"self":[{"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/posts\/6397"}],"collection":[{"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/comments?post=6397"}],"version-history":[{"count":0,"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/posts\/6397\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/media?parent=6397"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/categories?post=6397"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/tags?post=6397"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"Cloudeight](\"http:\/\/thundercloud.net\/infoave\/images\/2014\/emsi-cryptolocker.png\")
Above – Emsisoft blocking CryptoLocker <\/p>\n
No matter what — do not pay these criminals a cent.<\/p>\n
2. Shut your computer off using the power switch \u2013 DO NOT REBOOT – some computers are made so the power switch is set to reboot the computer — only holding it in for several seconds will shut it down. It is important that the computer be turned off completely; if necessary unplug your computer from the wall.
3. Wait 2 minutes
4. Turn your computer back on using the power switch
5. Immediately after pressing the power switch, start pressing the F8 key continuously and rapidly until you see the Safe Mode boot menu
6. From the boot menu select \u201cSafe Mode with command prompt\u201d *** This is important *** if you choose any other version of safe mode, the CryptoLocker will load. Be sure to select SAFE MODE WITH COMMAND PROMPT
7. You will see Windows loading files \u2013 it may take a long time.
8. When everything is loaded, you\u2019ll see a black screen with a command prompt which looks like this: C:\\ > <\/strong>
9. At command prompt type RSTRUI.EXE (WINDOWS XP users see the note below* – Windows 8 and 8.1 users see note below **)
10. Windows System Restore will load \u2014 but it may take a very long time \u2013 don\u2019t panic, be patient.
11. Select a restore point at least 2 days prior before the date of the infection
12. Run System Restore
13. Once System Restore is finished, you\u2019ll boot into Windows and you be back to normal.<\/p>\n