Yesterday I was helping a customer to transfer some data from an old computer to a new one when I had a sudden shock. Some of the files had been encrypted by an infamous piece of ransomware called CryptoLocker. I immediately stopped what I was doing and started examining the old computer to see if the malicious software was still operating. If CryptoLocker was still active then it would be extremely important to kill it off straight away to prevent it from causing any more damage, but luckily it was no longer running. The pressure was off, so I started trawling through the data to see how many files had been affected. Thankfully most files had not been touched, but quite a few important documents and images had been encrypted.
The encrypted files were all dated 25th May 2015, so the damage had been done several years ago rather than recently. Each folder containing encrypted files also contained a plain text file demanding a ransom to be paid in ‘bitcoins’, but the deadline for payment was long gone, and even if there had still been time, I would have advised my customer not to pay. The backups that existed were no use, as they were simply copies of the encrypted files, and the chances of decrypting the affected files without the keys were almost zero. Effectively, all the files that had been encrypted were lost.
I asked the customer if she’d ever received an e-mail ‘ransom note’, because the criminals behind the malicious software would certainly have made an explicit threat, not just assumed that the victim would find a threatening ‘READ ME’ file somewhere amongst their files. It turned out that the customer always printed out every e-mail received, and kept them forever, so she looked through the pile and sure enough, there under ‘25th May 2015’ was a threatening e-mail that she had assumed was just an empty threat, even though it was real.
If you ever receive a threatening e-mail saying that some of your files have been encrypted, the best thing to do is shut down your computer straight away to prevent any further potential damage from being done. The next thing to do is start up the computer using a Linux live CD, DVD, or USB flash drive, and see how many of your files have been affected. If the threat is a hoax and your files have not actually been encrypted, you can breathe a sigh of relief. However, if some or all of your files have been encrypted, you will need to recover the unencrypted versions from your regular backups. The problem is that ransomware often does its worst, then waits for a long time before issuing a threat, in the hope that you’ll have created your usual backups by that time, and they’ll all be encrypted too.
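The live-CD check described above can be partly automated. The following Python script is an added example, not code from the original post: pointed at a read-only mount (or a copy) of the suspect disk, it walks the tree, flags folders that contain a ransom note, flags files whose byte entropy is close to that of random data (a common property of encrypted files), and groups the suspects by modification date so that the day of the damage stands out, as the 25th May 2015 date did in the story. The note-name pattern, the entropy threshold, and the sample files it builds for its own demonstration are all assumptions made for the example, not facts about CryptoLocker.

```python
"""Offline triage of a suspected ransomware incident (added example).

Run against a read-only mount or a copy of the affected disk; never against
the live, possibly still-infected system. All names and thresholds below are
assumptions for illustration, not properties of any real ransomware family.
"""
import math
import os
import sys
import tempfile
from collections import Counter
from datetime import date, datetime
from pathlib import Path

# Assumed: a ransom note is a small .txt file whose name starts with "readme"
# once case, spaces and underscores are ignored (the post mentions a 'READ ME' file).
NOTE_MAX_BYTES = 64 * 1024
ENTROPY_THRESHOLD = 7.5   # bits per byte; 8.0 is the maximum (uniformly random bytes)
MIN_SIZE = 256            # tiny files give unreliable entropy estimates
SAMPLE_BYTES = 64 * 1024  # only the first chunk of each file is examined


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_ransom_note(path: Path) -> bool:
    """Heuristic match on the assumed note filename pattern."""
    name = path.name.lower().replace(" ", "").replace("_", "")
    return (path.suffix.lower() == ".txt"
            and name.startswith("readme")
            and path.stat().st_size <= NOTE_MAX_BYTES)


def looks_encrypted(path: Path) -> bool:
    """Near-random content. Caveat: compressed formats (zip, jpg, mp3, docx)
    also score high, so treat hits as candidates for a human to confirm."""
    if path.stat().st_size < MIN_SIZE:
        return False
    with path.open("rb") as fh:
        return shannon_entropy(fh.read(SAMPLE_BYTES)) >= ENTROPY_THRESHOLD


def triage(root) -> dict:
    """Walk the tree; return ransom notes, suspected ciphertext files, and a
    count of suspects per modification date (the damage date usually dominates)."""
    notes, suspects, by_date = [], [], Counter()
    for dirpath, _dirs, files in os.walk(Path(root)):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            if is_ransom_note(p):
                notes.append(p)
            elif looks_encrypted(p):
                suspects.append(p)
                by_date[date.fromtimestamp(p.stat().st_mtime)] += 1
    return {"notes": notes, "suspects": suspects, "by_date": by_date}


def build_sample_tree(base: Path) -> None:
    """Constructed sample data for the demonstration, not real incident files."""
    folder = base / "Documents"
    folder.mkdir()
    ts = datetime(2015, 5, 25, 12, 0).timestamp()
    # Stand-in for ciphertext: every byte value equally frequent, entropy 8.0.
    (folder / "report.docx").write_bytes(bytes(range(256)) * 16)
    # An untouched plain-text document: low entropy.
    (folder / "notes.txt").write_bytes(b"Meeting notes: the quarterly review is on Monday.\n" * 50)
    (folder / "READ ME.txt").write_bytes(b"Your files have been encrypted.\n")
    for p in folder.iterdir():
        os.utime(p, (ts, ts))          # back-date everything to the incident day
    (base / "photos").mkdir()
    (base / "photos" / "tiny.txt").write_bytes(b"untouched")  # too small to judge


def demo() -> dict:
    """Build the constructed tree in a temp dir, triage it, and summarise."""
    with tempfile.TemporaryDirectory() as tmp:
        result = triage(Path(tmp)) if not build_sample_tree(Path(tmp)) else None
        top_date, top_count = result["by_date"].most_common(1)[0]
        return {
            "notes": sorted(p.name for p in result["notes"]),
            "suspects": sorted(p.name for p in result["suspects"]),
            "top_date": top_date.isoformat(),
            "top_count": top_count,
        }


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # real run: python triage.py /mnt/olddisk
        r = triage(sys.argv[1])
        print(f"ransom notes: {len(r['notes'])}, suspected encrypted files: {len(r['suspects'])}")
        for d, c in r["by_date"].most_common(5):
            print(f"  {d}: {c} suspect file(s)")
    else:
        print(demo())
```

Run it against the backups as well as the original disk: if the same suspects and the same date show up there, the backups are copies of the encrypted files, which is exactly the situation the post describes. The entropy test is a screening aid only; a folder full of photos or archives will produce false positives, so the ransom-note hits and the date clustering are the stronger signals.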