Tuesday 2 December 2014

My files are encrypted, now what?

Having first heard about the CryptoLocker ransomware about 6 months back, I remember thinking to myself, 'Holy crap, that's a pretty bad virus', as it doesn't target your computer's operation at all; it targets your personal files themselves, the files which make your personal computer of any value at all.

'Normal' viruses are usually disruptors, trying to break your computer's functionality and potentially causing irreversible damage to your operating system (a Microsoft Windows variant in most cases). These types are a pain to deal with, but you always have the option of copying data off the drive, formatting, and re-installing your operating system. Time consuming and disruptive, yes, but usually after one of these infections you don't lose any personal files, photos or music; it is just the operating system that gets screwed.

Something tells me this ain't a good thing

One of my client's friends recently got in contact with me to try to fix a computer that had contracted the CryptoLocker ransomware. The way this particular ransomware works is that you get an email with an attachment the criminals want you to click on. In Australia they have been posing as Australia Post or RTA infringement notices, something that will entice you to click on the attachment. Once you have clicked on said attachment the rogue program gets to work and starts encrypting all your personal files, making them inaccessible to you or anyone else. If you have a decent security program that is kept up to date, it should stop and delete the rogue program immediately (but I wouldn't want to test this out, as many variants of the rogue program exist).

After the program has started encrypting your files it will show a popup asking you to pay a ransom to get the decryption key, which will allow your files to be restored and made accessible. The fee can range from $100 to $2000 from what I have read, but that is assuming you can even access the site to make a payment to the criminals.

In my experience the user in question had:

  1. No backups.
  2. Let the virus be active on the computer for 10+ days.
  3. Shadow copies turned on, but since the virus had been active for so long the shadow versions were encrypted too.
  4. No access to the page to actually pay the ransom; either the virus has a shelf life where the links are only active for a short duration, or law enforcement had taken the sites offline.

So in the end all I could do was remove the ransomware so no new files were encrypted, and that's it; now the computer is full of encrypted, inaccessible files. The only long shot I had was to head to https://www.decryptcryptolocker.com/. It's a free service whereby you can upload one of your encrypted files and, based on the encryption key, they 'might' be able to send you the decryption key which can be used to restore the files. Unfortunately there are so many variants of the CryptoLocker ransomware that it doesn't work for all of them, but nevertheless I tried and it did not work; the website says invalid file. The other thing I tried was contacting Fox-IT directly. They were very helpful but only confirmed my suspicion that there was nothing the user could do to recover the files.
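When a machine is "full of encrypted inaccessible files", the first practical question is which files are actually damaged and which survived, so you know what to restore from backup. The following script is an added example, not part of the original post or any vendor tool: it walks a folder and flags files whose format header is gone and whose first bytes look like random ciphertext. The magic-byte table, the entropy threshold and the demo folder it builds are all assumptions constructed for illustration.

```python
import math
import os
import random
import tempfile
from collections import Counter

# Header bytes of a few common personal-file formats (small assumed subset).
MAGIC = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG", ".pdf": b"%PDF",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; random-looking ciphertext approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path: str, sample: int = 4096, threshold: float = 7.5) -> bool:
    """Heuristic: the expected header is gone AND the leading bytes are near-random."""
    with open(path, "rb") as f:
        head = f.read(sample)
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic and head.startswith(magic):
        return False  # header intact, even for naturally high-entropy formats (jpg, zip)
    # Caveat: compressed formats not in MAGIC (mp3, gz, ...) will show up as suspect.
    return shannon_entropy(head) > threshold

def triage(root: str) -> dict:
    """Split every file under root into 'intact' and 'suspect' (probably encrypted)."""
    out = {"intact": [], "suspect": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            out["suspect" if looks_encrypted(full) else "intact"].append(os.path.relpath(full, root))
    for key in out:
        out[key].sort()
    return out

def build_sample() -> str:
    """Constructed demo folder: two intact files, two overwritten with pseudo-random bytes."""
    rng = random.Random(2014)  # seeded so the demo is deterministic
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    root = tempfile.mkdtemp(prefix="cryptolocker_triage_")
    files = {"notes.txt": b"Shopping list: milk, bread, eggs\n" * 50,
             "holiday.jpg": MAGIC[".jpg"] + noise(4000),  # real JPEG body is high-entropy, header survives
             "wedding.jpg": noise(4096),                  # header overwritten by ciphertext
             "tax.pdf": noise(4096)}
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    print(triage(build_sample()))
```

Run it against a copy of the user's profile folder, not the original drive, and treat the "suspect" list as a starting point for checking what the backup covers.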

Lessons for all to learn:
  1. Keep an external backup drive with all your files on it (especially home photos and videos).
  2. If something doesn't seem normal on your computer, get it looked at.
  3. Don't open attachments from emails where you ask yourself, 'I wonder how they got my email address?'
  4. If any email has a zip file attached, be very wary of clicking on it.
  5. Keep an up-to-date security program on your computer in case you do accidentally open something malicious. It may save you.
  6. Keep an external backup drive with all your files on it (especially home photos and videos). Yes, this is mentioned twice; it is that important.
