Beware of Cryptolocker
I use a few programs that possibly may have stopped this happening to you.
http://www.sandboxie.com/ You open your emails and browser in this program; after you close it, everything is gone (you can go to its folder and get out things you want to keep). This program has a few minor faults, but for the average person it is better than antivirus alone.
http://www.shadowdefender.com/ This one is a bit more specialised: you activate it and tell it what drives to protect; when you restart your computer, any changes made to the protected drives will revert back to how they were before you activated the program.
Still testing the other one. What it does is you get a pop-up message if something new wants to start; you need to be a little computer savvy to know what to do, but if you were looking at an email and a program wanted to start up, that would be suspect and you click no.
Give the sites a read and see what you think.
Posted by Philip S, Saturday, 5 September 2015 1:31:47 PM
Thanks Philip... I will have a look at the sites you suggest.
Posted by sonofgloin, Saturday, 5 September 2015 5:03:11 PM
Sonofgloin, that virus attacked our work computers this past week, causing chaos!
Luckily for me, our IT department warned me before I opened the bogus Australia Post email. My colleagues lost much of their work after they opened the email.
Posted by Suseonline, Saturday, 5 September 2015 6:27:45 PM
Suse, I paid the ransom but was not granted access to their website for three days; I thought I had lost the money as well. But on the fourth day I could access the buggers' website and downloaded the decryption.
Posted by sonofgloin, Saturday, 5 September 2015 9:21:58 PM
Don't assume it's all over - it's a pretty safe bet that they left a Trojan horse or two on your computer. You may perhaps not detect any problem again, but your friends and family could well later receive the same from your computer without your knowledge.
You should now save aside your recovered personal files, then re-format your disk and re-install an operating system and all other executables before copying back your personal files.
And of course, there should be the death penalty for the perpetrators, if ever caught, a painful death that is, so that nobody else would try this ever again.
Posted by Yuyutsu, Sunday, 6 September 2015 6:58:51 AM
Thanks for the heads up and sorry to hear you got squeezed.
I'm getting sick and tired of computers. We spend money on them and they are supposed to work for us. But they end up doing a job ON US on behalf of others. I don't remember being paid by anyone. Why would you purchase something that works against you? Google alright... Googling into my affairs... Mind your own business the whole lot of you. Fed up with it.
Posted by Armchair Critic, Sunday, 6 September 2015 8:11:56 AM
Yuyutsu, in reading the blogs from others so affected it seems that there is no surprise left in the system, but who can be sure?
What I did note is that my entire email log had been accessed and the same virus sent to some of my contacts directly after I paid the ransom. So I put together a form letter and sent it to all my contacts, and this prompted me to inform my other contacts such as OLO.
Armchair, I hear your thoughts, but the same could be said of the monetary system... but how do we live without it.
Posted by sonofgloin, Sunday, 6 September 2015 10:36:25 AM
I presume that this crypto program only works on Windows.
I suggest that if you have become a victim they may come back again. I suggest that you look into using Linux. The permissions system means that every file has an owner and a group. A program such as crypto, once loaded, can only access files with your permissions. So if you use a different username for emails etc., everything else is protected. The username is different to the email user's name. In any case, if it is written for Windows it won't work on Linux. There are viruses that have been written for Linux systems, but they are rare. It would be a nuisance using a different username, but it would stop that sort of thing. Files for other users are protected. You can set the file permissions for other users of the group to be read only. I believe this is why Linux is used for many web sites. It is a bit of a nuisance if you want to access other files on your m/c, but I think you can get around that by allocating them all to your particular group.
I have never had a virus in the last ten years that I have used Linux, and I only run the protection that comes with the operating system. As far as I know Aus Post does not send emails, they just leave a card. In any case, THINK BEFORE YOU CLICK is the best policy!
Posted by Bazz, Monday, 7 September 2015 9:30:52 AM
sonofgloin
Do you still have the website/URL or whatever you used to get your decrypt code? Some of my staff are pretty good at hacking pedo sites and they might be able to get into this one.
Posted by chrisgaff1000, Monday, 7 September 2015 10:20:00 AM
Many thanks for your timely advice SONOFGLOIN; as a rank amateur with all things 'computer' I'm the sort of poor bugger silly enough to stumble unwittingly into this sort of subterfuge.
Hi there CHRISGAFF1000... That's mighty decent of you ol' mate, to offer to use your resources to disrupt or interfere with these bastards and their troublesome activities. If only you could apprehend the principal behind all this stuff, I'd dearly enjoy doing a 'Mexican hat dance' on their friggin' face?
Posted by o sung wu, Monday, 7 September 2015 2:42:42 PM
Dear SOG,
Thank you for the warning. It's much appreciated. I've got one rule as far as my computer goes. I never click onto anything I don't recognise as knowing. I simply delete it. It's worked so far for me. One question though - don't you have any security on your computer that would warn you of anything suss?
Posted by Foxy, Monday, 7 September 2015 2:49:00 PM
Foxy, there are a number of programs that accumulate such web sites, but they are always behind the baddies in time.
I normally get my Telstra bill by email and pay it online. One day I got an email to say I was in arrears and had sent the wrong amount. They attached the bill, which was a higher amount by a few dollars. I was almost convinced, but kept looking down the bill, and at the bottom it said Telstra is a Trademark of Bigpond Corporation. I was then certain it was a furphy! Except for that one line it looked just like the real thing. They gave a button to click which had a different URL to Telstra. That is the sort of thing that leads to the crypto or other fiddles.
In that sort of thing NEVER use the supplied button or URL link, but always look up the genuine one that you normally have used in the past. What worried me was that they had my Telstra account number and phone number on the "bill"!
Posted by Bazz, Monday, 7 September 2015 4:16:33 PM
Bazz
Looks like you have a Trojan keylogger lurking somewhere in your system. My advice: reload your O/S.
Posted by chrisgaff1000, Monday, 7 September 2015 6:57:41 PM
Surely that is a criminal offence.
And you have their presumably traceable payment details, so give that to the police. People are always sending bogus dodgy emails allegedly from reputable companies. The giveaway is usually the return email address, which doesn't match the company (e.g. a "Paypal" notice from "humtrextiy.com"). Look before you click.
Posted by Shockadelic, Monday, 7 September 2015 8:47:39 PM
Chrisgaff, the following is part of the details required to pay the ransom demand.
>> [=] What should I do next?
You should visit our website (http://6o4xqbd4cpmumytk.torprovider.su/ho2dkb0.php?user_code=ckh9w0&user_pass=5127) and buy decryption for your PC.
[=] I can not access to your website, what should I do?
Our website should be accessible from one of these links:
http://6o4xqbd4cpmumytk.torprovider.su/ho2dkb0.php?user_code=ckh9w0&user_pass=5127
http://6o4xqbd4cpmumytk.onion.to/ho2dkb0.php?user_code=ckh9w0&user_pass=5127
http://ergdzsjgpvsc5rvj.onion.city/ho2dkb0.php?user_code=ckh9w0&user_pass=5127
http://6o4xqbd4cpmumytk.onion/ho2dkb0.php?user_code=ckh9w0&user_pass=5127 (using TOR browser)
If for any reasons these addresses are not available please follow the steps:
1. Download and install TOR-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: http://6o4xqbd4cpmumytk.onion/ho2dkb0.php?user_code=ckh9w0&user_pass=5127
4. Access to our website
Also you can contact us via email: decrypthelp@mail15.com <<
Shockadelic, we paid in Bitcoin; it's like PayPal but the receiver's details are encrypted, even Bitcoin cannot trace them. Transfer sites like this are used to pay for all sorts of illegal stuff.
Posted by sonofgloin, Tuesday, 8 September 2015 9:25:41 AM
Foxy>> One question though - don't you have any security on your computer that would warn you of anything suss? <<
Hi Foxy. Yes, we have security, but the email did not trigger a warning from our virus alert; further, the email had all the Australia Post logos and even ads for other products that Aust Post provides. The email tells you that a parcel was not delivered and to click on a tab to get the relevant number to retrieve it; as soon as you do that you are gone... thanks Foxy.
Posted by sonofgloin, Tuesday, 8 September 2015 9:31:34 AM
Chrisgaff, not likely to be a resident keylogger.
I never enter the Telstra account number, as I do a transfer from Netbank and it holds the account numbers for the transfers that I do. I passed the details on to the scam site.
I notice the websites that Sonofgloin gave are for the Tor system, so they are to all intents untraceable. Your data enters the site and gets scrambled and comes out out of order from other data, and you can't ascertain which was your data.
They just copy a real page and change the URL for your reply. If in doubt, right click on the button they give and look to see if the URL is the genuine one. They sometimes use a very similar URL with just a minor change.
Posted by Bazz, Tuesday, 8 September 2015 5:34:45 PM
sonofgloin,
Unfortunately most of the links you give either lead to a US-based federal blocking agency or a round-robin jump pathway that eventually links back to itself and therefore leaves you out of the loop. These people are very well organised and capable, operating out of Zabolot (Belarus) and basically out of reach of international legal reach. Unfortunately this is the same area where most child porn emanates from. We can track the players at this end through local servers and relay points and link banking to them, but we cannot track the emanating source feed servers. CG
Posted by chrisgaff1000, Wednesday, 9 September 2015 10:00:08 PM
"It then invited you to click on a tab to retrieve the information required to claim the item and negate the holding fee."
Never click on a hyperlink in an email without first looking in your status bar to check what address the hyperlink goes to. If you don't immediately recognise the domain name, hit the "this message is spam" button without hesitation.
Posted by PaulMurrayCbr, Thursday, 10 September 2015 3:20:53 PM
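The checks that Shockadelic (return address not matching the company), Bazz (a look-alike URL behind the button) and PaulMurrayCbr (look where the hyperlink really goes before clicking) describe can be automated at the mail gateway or on the desktop. The script below is an added example and is not code from the thread or from any product mentioned in it; the allowlist of trusted domains and the two sample messages are constructed for the demonstration, and the registrable-domain guess is a deliberate simplification of what a real deployment would do with the Public Suffix List.

```python
"""Inspect an HTML e-mail's sender and links before anyone clicks on them.

Added example for the discussion above; the allowlist and both sample
messages are constructed, not taken from real mail."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Registrable domains the recipient genuinely deals with (constructed list;
# a real deployment maintains its own). Value = brand name as it appears in mail.
TRUSTED_DOMAINS = {
    "telstra.com.au": "Telstra",
    "auspost.com.au": "Australia Post",
    "paypal.com": "PayPal",
}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude registrable-domain guess (assumption, not Public Suffix List logic):
    last two labels, or three when the TLD is a two-letter country code with a
    short second-level label such as com.au."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and len(labels[-2]) <= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(url):
    """Hostname of a URL; bare 'www.example.com/path' text is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check_email(raw):
    """Return a list of findings; an empty list means nothing looked off."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode("utf-8")
    findings = []

    # 1. Which trusted brand does the message claim to be from, and does the
    #    sender's domain actually belong to that brand?
    haystack = (msg.get("Subject", "") + " " + body).lower()
    claimed = next(((d, b) for d, b in TRUSTED_DOMAINS.items() if b.lower() in haystack), None)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_dom = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    if claimed and sender_dom != claimed[0]:
        findings.append(f"sender domain {sender_dom!r} does not belong to {claimed[1]} ({claimed[0]})")

    # 2. Where does each link really go? Flag untrusted targets, note when the
    #    host merely contains the brand name, and catch text/target mismatches.
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        dom = registrable_domain(host_of(href))
        if dom not in TRUSTED_DOMAINS:
            note = f"link {text!r} goes to untrusted domain {dom!r} ({href})"
            if claimed and claimed[1].split()[0].lower() in host_of(href):
                note += " - host contains the brand name, a lookalike"
            findings.append(note)
        elif "." in text and " " not in text and registrable_domain(host_of(text)) != dom:
            findings.append(f"link text {text!r} shows a different site than its target {dom!r}")
    return findings


# Constructed sample: an arrears notice of the kind described in the thread.
PHISH = """\
From: Telstra Billing <accounts@telstra-billing-centre.example>
Subject: Your Telstra account is in arrears
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer, your Telstra bill is overdue.</p>
<p><a href="http://telstra.com.billing-centre.example/pay.php?id=1">View your bill</a></p>
<p><a href="http://www.telstra.com.au/">www.telstra.com.au</a></p>
</body></html>
"""

# Constructed sample: a legitimate-looking notice whose links and sender agree.
CLEAN = """\
From: Australia Post <noreply@auspost.com.au>
Subject: Your parcel is on its way
Content-Type: text/html; charset=utf-8

<html><body><p>Australia Post: track it at
<a href="https://auspost.com.au/track">auspost.com.au/track</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("CLEAN", CLEAN)):
        print(name, check_email(sample) or "no findings")
```

Run as a script it reports two findings for the constructed phishing message (a sender domain that is not Telstra's, and a payment link whose host only begins with "telstra.com") and none for the clean one. The second link in the phishing sample passes because its visible text and its target agree; the point of keeping that case is that a single genuine link in a message proves nothing about the others.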
PaulMurrayCbr,
I would prefer to scan the JavaScript page structure and then track the source via one of the whois programs.
Posted by chrisgaff1000, Friday, 11 September 2015 2:21:06 PM
Hi CHRISGAFF1000...
Listening quietly while you computer-erudite gentlemen muse over the best way to defeat these disgusting computer crims makes me realise how deficient and inadequate I am on all this communicative/researching technology? Bring back the old 'Remington' manual typewriter, situated squarely on the charge counter, where we all knew where we were?
Posted by o sung wu, Friday, 11 September 2015 2:48:57 PM
o sung wu,
While we are on the "bring back" platform I recommend the S&W M10 as a suitable deterrent to these cyber thugs. CG
Posted by chrisgaff1000, Saturday, 12 September 2015 10:38:46 PM
G'day there CHRISGAFF1000...
For sure, though why not go the whole hog and bring in the 'Big Daddy' of 'em all, the S&W Mod. 29 in .44 Magnum! That might help the bastards review their negative attitude? That said, I admire your superior computer skills; I have enough trouble 'signing on' sometimes?
Posted by o sung wu, Sunday, 13 September 2015 1:54:52 PM
o sung wu,
I still sub out to the "Job" as a 'consultant' doing pedo hard drive scans via Border Protection. Keeps me busy and I catch a few fish now and then, although the 'beaks' ruin the effort with their petty handouts. I can't believe that a lot of these matters are dealt with by 'deal' in the lower jurisdictions rather than a high-jump hand-up brief. CG
Posted by chrisgaff1000, Tuesday, 15 September 2015 11:55:30 PM
G'day CHRISGAFF1000...
Yeah mate, I reckon the DPP are pathetic; instead of seeking equitable justice, they keep their eye on the dollar and the exorbitant cost per diem of retaining a decent silk to successfully prosecute in higher jurisdictions? Do you reckon we're starting to follow the US version of 'plea bargain', thus leaving the judiciary high and dry? You sound like you're on a good thing 'subbing out' to the Job? I'll not yield to my curiosity by asking what 'pedo' hard drive scans for Border Protection entail? You're on a bit of a winner though. I don't believe I could offer the Job anything of use, despite the number of years I put in? I saw a piece in an old copy of the NSWPOL Assoc. News proposing the placing of retired members in certain key office roles? Still, I'm not sure if it'd appeal to me, too old and too cranky? Stay well.
Posted by o sung wu, Wednesday, 16 September 2015 2:57:53 PM
Cryptolocker is a virus that encrypts your files. It will encrypt all Microsoft files, including jpegs. My business computer was hit this week. The virus came in on an Australia Post email which informed us that a parcel sent via Australia Post could not be delivered to the destination and that a holding fee was being charged on a daily basis until the posted item was retrieved.
It then invited you to click on a tab to retrieve the information required to claim the item and negate the holding fee. Once you clicked on the tab to get the number of the transaction, the virus was downloaded. The virus immediately encrypted the files and none of them could be accessed. Then a ransom demand is inserted into all your files. The demand is blatant: they inform you that all your files are encrypted, that they have the only decryption code, and that any attempt to decrypt would be useless. They also ask for payment within a time period or the ransom amount goes up, and finally they state that all your files will be destroyed if both time periods elapse.
Upon further investigation I found that the only way to retrieve the files is to pay the fee. I paid over $800 in Bitcoin to retrieve my files, and true to the threat and reward I was allowed access to their site and downloaded the decryption file. All my files are back to normal and I will back up my files daily so I do not have to pay them again.
Be warned that the encryption virus is also transmitted via other recognised entities such as Telstra and energy companies... hope this saves you the grief.
Posted by sonofgloin, Saturday, 5 September 2015 11:51:06 AM