GO
Loading...

CryptoLocker crooks launch 'customer service' site

Here's a first: Crooks who understand the importance of customer service.

It's the latest twist in the global CryptoLocker ransomware attack. This diabolically nasty malware locks up all of the victim's personal files—and in some cases, backup files—with state-of-the-art encryption. The bad guys have the only decryption key and demand $300 or two bitcoins to release the data.

"It's been a disaster for many of the people hit with it," said Lawrence Abrams, who has been tracking the spread of this infection on BleepingComputer.com

Within the past few days, the criminal gang behind CryptoLocker created a site for people who need help making their required extortion payments.

Source: CryptoLocker

"These guys have some big cojones," said security expert Brian Krebs, who writes the KrebsOnSecurity blog.

The CryptoLocker Decryption Service enables victims to check the status of their "order" (the ransom payment) and complete the transaction. Yes, you are reading this correctly!

(Read more: With this malware, you pay to get your files back)

Those who paid the ransom (with either Green Dot cards or bitcoins) but did not get the decryption key—or got one that didn't work—can download it again.

Those who missed the 72-hour deadline can also get their key, but the price jumps to 10 bitcoins from two. At today's market value, that's nearly $4,000. And Green Dot is not accepted with this extended-deadline service.

Why are the CryptoLocker crooks doing this?

"They were leaving money on the table," Abrams told me. "They created this site to capture all the money they were losing because people couldn't figure out how to make the ransom payment or missed the deadline."

(Read more: Are for-profit colleges unfairly 'targeting' vets?)

The bad guys also ran into some technical problems after launching their attack. It turns out that when antivirus software removes CryptoLocker from an infected computer, the victim can no longer pay the ransom to unlock their files. To do that, they had to reinstall the CryptoLocker malware—something that was not only weird but cumbersome.

By using the customer service site, victims can get a key that will unscramble their files without reinfecting their computers.

Is this the new reality?

Law enforcement and cybersecurity experts always advise victims of ransomware attacks not to pay, as that money funds a criminal operation and there's no guarantee the files will be released.

But when you're the victim, when all of your data has been encrypted and you don't have a suitable backup, you're faced with two choices: Pay up or have those files frozen forever. That's why so many people are paying and why security experts fear more of this nasty malware is on the way.

"Anytime you see an underground business that is doing well, you will always see more people copying it," Krebs said. "Unfortunately, I think these destructive attacks are here to stay, and they're only going to get worse and more intense."

Sean Sullivan, security advisor at F-Secure, agrees.

Until now, ransomware attacks were limited by the lack of a global payment method. It took a lot of work to get paid in different parts of the world. Bitcoin, the new digital currency, solves that problem.

(Read more: Have a problem with a payday loan? Call the feds)

"CryptoLocker, using bitcoin, might finally have reduced the overhead of not having a global form of payment," Sullivan said. "We're getting to the tipping point where ransomware will become epidemic because it's not that hard to get paid anymore."

CryptoLocker: A new method of attack

Security experts tell me CryptoLocker is delivered in a Zip file attachment. If you open that attachment, and the malware is loaded onto your machine.

Because some antivirus software can now detect CryptoLocker hidden in a Zip file and prevent the infection, the bad guys modified their attack a few days ago.

According to Abrams at Bleeping Computer, the files are now password-protected—a trick that gets them past security software.

It appears that the password "PaSdIaoQ" is the same for everyone, he said. Open that attachment and your files are toast.

How do you protect yourself?

It's the same advice you're heard before: Don't open attachments from an unknown sender, have up-to-date security software and back up your files religiously. And because CryptoLocker can compromise files that have already been backed up, you need to reassess how you do your backups.

Network drives (whether physical or in the cloud) that are always connected to your computer are often vulnerable. Krebs suggested doing a manual backup and then disconnecting the drive when you're done. It's a lot more work, but much safer.

We are dealing with a new generation of malware, he said. Once it does its damage, you cannot undo it yourself.

"This is scary stuff," Krebs said. "People need to rethink how they protect their important files."

In a new article on his blog, Krebs recommends two tools that can block CryptoLocker infections: CryptoPrevent from Foolish IT for individual windows users and the CryptoLocker Prevention Kit from Third Tier for small business administrators.

—By CNBC contributor Herb Weisbaum. Follow him on Facebook and Twitter @TheConsumerman or visit The ConsumerMan website.

Contact Consumer

  • CNBC NEWSLETTERS

    Get the best of CNBC in your inbox

    › Learn More