Ransomware: Holding Users’ Files Hostage

1/25/2014
Updated: 4/24/2016

As if ordinary viruses were not bad enough, hostageware is a relatively new form of virus that does exactly what the name implies: it holds the user’s data hostage until a ransom is paid.

The best known hostageware is CryptoLocker, which was released in early September 2013.

There are several different variants of CryptoLocker currently in the wild.

CryptoLocker encrypts the data on a user’s computer, then presents its terms: how much to pay, when the payment window expires, and to whom to address the payment.

As reported by Bleeping Computer, CryptoLocker asks for anywhere between $100 and $300; users have 4 days to pay for the key that would unlock their data, or else the data will be erased. The ransomware leaves users with files that, when opened, show gibberish or just display a “file is corrupted” message.

The site goes on to say that CryptoLocker will also attempt to hijack the computer’s executable (.exe) files in order to remove any shadow copies that might be present.

A shadow copy is a copy of a file that Windows saves once the Shadow Copy feature has been enabled. It serves as a backup of the last version of a file before it was modified.

There is no way to decrypt these files other than by paying the ransom. Users have reported that even after paying the ransom, some files were still unrecoverable.

CryptoLocker is known to encrypt network drives that are mapped to a drive letter, but not those that are connected using a universal naming convention (UNC) path, such as “\\ComputerName\ShareName”.

There have been instances in which a company’s network share was encrypted because a user’s computer was compromised and that user had the share mapped to a drive letter.

Windows 7 and 8 have a feature called Add Network Location, which uses the UNC name instead of mapping a network share to a drive letter.
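An added example, not part of the original article: a PowerShell audit that lists the mapped drive letters the article says CryptoLocker could reach, the Network Location (UNC) shortcuts it recommends instead, and the shadow copies the malware tries to remove. It assumes Windows 8 or later with PowerShell 3+ (for Get-CimInstance) and an elevated prompt for the shadow-copy query.

```powershell
# Added example, not code from the original article. Inventories the three things the
# article ties to CryptoLocker's impact: drive-letter mappings (reported as encrypted),
# Network Location shortcuts (UNC, reported as not encrypted), and shadow copies.

function Get-MappedDriveExposure {
    # Drive letters bound to a remote share are reachable by anything running as this user.
    Get-CimInstance -ClassName Win32_MappedLogicalDisk |
        Select-Object @{n = 'DriveLetter'; e = { $_.DeviceID }},
                      @{n = 'UncPath';     e = { $_.ProviderName }}
}

function Get-NetworkLocationShortcuts {
    # "Add Network Location" creates one folder per location under the user's
    # Network Shortcuts folder, each holding a target.lnk that points at the UNC path.
    $root = [Environment]::GetFolderPath('NetworkShortcuts')
    if (-not (Test-Path $root)) { return }
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $root -Directory | ForEach-Object {
        $lnk = Join-Path $_.FullName 'target.lnk'
        if (Test-Path $lnk) {
            [pscustomobject]@{
                Name    = $_.Name
                UncPath = $shell.CreateShortcut($lnk).TargetPath
            }
        }
    }
}

function Get-ShadowCopySummary {
    # Previous Versions restores depend on these; if none exist there is nothing to
    # restore from, whether or not malware gets a chance to delete them.
    try {
        Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop |
            Group-Object VolumeName |
            Select-Object @{n = 'Volume'; e = { $_.Name }}, Count,
                @{n = 'Newest'; e = { ($_.Group | Sort-Object InstallDate -Descending |
                                       Select-Object -First 1).InstallDate }}
    } catch {
        Write-Warning "Could not enumerate shadow copies (run elevated): $($_.Exception.Message)"
    }
}

Write-Host 'Mapped drive letters (exposed to anything running as this user):'
Get-MappedDriveExposure | Format-Table -AutoSize
Write-Host 'Network Locations (UNC shortcuts, no drive letter):'
Get-NetworkLocationShortcuts | Format-Table -AutoSize
Write-Host 'Shadow copies per volume:'
Get-ShadowCopySummary | Format-Table -AutoSize
```

Any share that appears under the first heading but not the second is a candidate for replacing the mapping with a Network Location, as the article suggests.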

The most common ways for this virus to spread are USB or other externally connected drives, email attachments, and web links.

The best way to protect against viruses is to keep the computer up to date and to have an active antivirus scanning utility running at all times.