
With new malware, you have to pay to get your files back

CryptoLocker, a nasty new piece of malicious software, is infecting computers worldwide—encrypting important files and demanding a ransom to unlock them.

According to global digital security company Sophos, the malware has been hitting pretty hard for the past six weeks or so.


"It systematically hunts down every one of your personal files—documents, databases, spreadsheets, photos, videos and music collections—and encrypts them with military-grade encryption, and only the crooks can open it," said Chester Wisniewski, a senior security advisor at Sophos.


Your computer, even though it's infected, keeps working normally; you just can't access any of your personal files. It's scary, especially if you haven't backed up your data.

"Cybercrime is evolving as the bad guys get smarter and use newer technologies," said Michael Kaiser, executive director of the National Cyber Security Alliance. "They're always looking for new ways to steal your money."

CryptoLocker is different from the "ransomware" that has been around for many years, which merely locks your screen and demands payment. That kind can usually be removed, restoring your access to files and documents.

But CryptoLocker encrypts the files themselves. The decryption key is unique to your machine, and the only copy sits on the criminals' server. Unless you pay the ransom within three days, that key will be destroyed. And as the message from the extortionists says, "After that, nobody and never will be able to restore files. …"


The typical extortion payment is $300 or 300 euros paid by Green Dot MoneyPak, or for the more tech-savvy, two bitcoins, currently worth about $400.

To instill a sense of urgency, a digital clock on the screen counts down from 72 hours so you can see how much time is left before that unique decryption key is destroyed.

One victim described his anguish in an online post: "The virus cleverly targeted … all of our family photos, including all photos of my children growing up over the last 8 years. I have a distraught wife who blames me!"

This sophisticated malware is delivered the old-fashioned way: an executable file inside an e-mail attachment, disguised to look like an ordinary ZIP file or PDF. One small business reports being compromised after clicking on an email attachment that was designed to look like a shipping invoice from the U.S. Postal Service.

Open that file and the encryption begins quietly in the background. It may take several days for the ransom demand to appear on your screen after the machine is infected, and by then every file the malware could reach has already been scrambled.

"The author ... is a genius. Evil genius, but genius none the less," an IT professional commented in an online tech forum. Another wrote, "This thing is nasty and has the potential to do enormous amounts of damage worldwide."


Good anti-virus software can remove CryptoLocker from your computer but cannot undo the damage—the encryption is that good.

"It's the same type of encryption used in the commercial sector that's approved by the federal government," Wisniewski told me. "If the crooks delete that encryption key, your files are gone forever. Even the NSA can't bring them back."

Victims large and small

The cybercrooks are targeting both businesses and individual users—anyone who will pay to regain access to their files.

The CryptoLocker forum on BleepingComputer.com is filled with page after page of horror stories. Here is a small sample:

"When we discovered the infection from a user's workstation on the network, this program had encrypted over 180,000 files through the network shares in a period of 6 days. I pretty much shut down the business for 2 days after we realized what was happening."

"Our company was infected this morning. The virus hit a machine 4 days ago and today we got the pop up about the ransom. All files on the network drive the user had access to are now encrypted."

"We had a workstation get infected yesterday that encrypted everything on our network share drive. We had backups, although they weren't recent enough, so despite all feelings against it, we paid the ransom and everything started to decrypt overnight."

Of course, there's no guarantee of a happy ending even if you pay the ransom. And then there's the bigger issue: By paying, you're helping to fund a criminal operation.

"It encourages them to continue," said Howard Schmidt, former White House cybersecurity advisor and a co-founder of Ridge-Schmidt Cyber. "As people pay the ransom, the bad guys have the money to reinvest."

How to protect yourself

Go on the Internet and there's no way to be sure malware won't make it onto your computer, even if you follow all the rules of safe computing. So you need to act defensively, and that means regular backups.

"Back up, back up, back up," Schmidt said. "That's the only way to reduce the risk of losing your files forever."

If you have a recent backup, you can recover from CryptoLocker without serious consequences. That backup should be a point-in-time snapshot of everything on your system, not a simple one-way synchronization of the kind most automated external hard drives and many cloud-based services perform.

With synchronized backups, a stored file that has changed on the master drive is overwritten with the new version. If a malicious program encrypts your master files, the next sync copies the encrypted versions over your backups, leaving them just as useless. The same goes for network shares: as the stories above show, CryptoLocker encrypts every drive the infected user can write to. So your backup should be disconnected from your computer and your network until the next time you need to access it.
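The difference between a one-way sync and a versioned snapshot is easy to demonstrate. The script below is an added example, not code from the article or from Sophos. It builds a throwaway "master" folder with a constructed sample file, backs it up both ways, then overwrites the master copies with a stand-in for the malware (a simple XOR scramble, which only models "the original bytes are gone from the master"; real CryptoLocker uses proper public-key cryptography). It then runs both backups again, as a scheduled job would, and reports which copies still hold the original content. The snapshot routine imitates the rsync --link-dest pattern: unchanged files are hard-linked to the previous snapshot, changed files are copied, and earlier snapshots are never touched. All directory names, labels and the sample file are assumptions for the demonstration.

```python
"""Versioned snapshots vs. one-way sync under a CryptoLocker-style attack (constructed demo)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def sync_backup(src: Path, dest: Path) -> None:
    """One-way mirror, as most 'automatic' external drives and cloud folders do:
    any file whose content changed on the master is overwritten in the backup."""
    for f in src.rglob("*"):
        if f.is_file():
            target = dest / f.relative_to(src)
            target.parent.mkdir(parents=True, exist_ok=True)
            if not target.exists() or _sha256(target) != _sha256(f):
                shutil.copy2(f, target)


def snapshot_backup(src: Path, root: Path, label: str) -> Path:
    """Point-in-time snapshot in the style of rsync --link-dest.
    Unchanged files are hard-linked to the previous snapshot (no extra space),
    changed files are copied, and earlier snapshots are never modified."""
    snaps = sorted(p for p in root.iterdir() if p.is_dir()) if root.exists() else []
    prev = snaps[-1] if snaps else None
    snap = root / label
    for f in src.rglob("*"):
        if not f.is_file():
            continue
        rel = f.relative_to(src)
        target = snap / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        old = prev / rel if prev else None
        if old is not None and old.is_file() and _sha256(old) == _sha256(f):
            os.link(old, target)  # same content as yesterday: share the inode
        else:
            shutil.copy2(f, target)  # new or changed: keep a private copy
    return snap


def simulate_encryption(victim: Path, key: int = 0x5A) -> None:
    """Constructed stand-in for the malware: scramble every file in place.
    Not CryptoLocker's algorithm; it only models 'the original is gone from the master'."""
    for f in victim.rglob("*"):
        if f.is_file():
            f.write_bytes(bytes(b ^ key for b in f.read_bytes()))


def recoverable(backup_file: Path, original_digest: str) -> bool:
    """True if the backup copy still has the pre-infection content."""
    return backup_file.is_file() and _sha256(backup_file) == original_digest


def demo() -> dict:
    """Run the whole scenario in a temp dir and report which copies survived."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        master, mirror, snaps = base / "master", base / "mirror", base / "snapshots"
        photo = master / "photos" / "kids.jpg"  # assumed sample file
        photo.parent.mkdir(parents=True)
        photo.write_bytes(b"\xff\xd8\xff\xe0 constructed sample image bytes")
        original = _sha256(photo)

        # Day 0: both backup styles run while the files are still intact.
        sync_backup(master, mirror)
        snapshot_backup(master, snaps, "2013-10-01")

        # Infection: the master copies are scrambled in place.
        simulate_encryption(master)

        # Day 1: the scheduled backups run again, unaware anything is wrong.
        sync_backup(master, mirror)
        snapshot_backup(master, snaps, "2013-10-02")

        rel = Path("photos") / "kids.jpg"
        return {
            "sync_mirror_recoverable": recoverable(mirror / rel, original),
            "latest_snapshot_recoverable": recoverable(snaps / "2013-10-02" / rel, original),
            "older_snapshot_recoverable": recoverable(snaps / "2013-10-01" / rel, original),
        }


if __name__ == "__main__":
    print(demo())
```

The mirror and the newest snapshot both end up holding the scrambled file; only the day-0 snapshot still has the original. Two caveats a practitioner should keep in mind: snapshots stored on a drive or share that the infected machine can write to are just another set of files for the malware to encrypt, which is why the article's advice to keep the backup disconnected matters, and hard-link snapshots protect you only as long as nothing edits a snapshot file in place, since every linked copy shares one inode.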

—By CNBC contributor Herb Weisbaum. Follow him on Facebook and Twitter @TheConsumerman or visit The ConsumerMan website.
