I received a request to discuss the cryptolocker family of malware, and will be talking about that today. If there are any other topics that are requested to be covered, please leave a comment below or contact me. This form of malware falls generally under the ransomware category, which installs itself and then demands money for one reason or another in exchange for removal. Sometimes it is because it claims you have violated the law, and it is a fine to remove it. In this case, it instead encrypts data off of your hard drive using a public-key cryptographic setup that appears to be well designed, and at least appears to legitimately offer a hope for decryption if it is paid.

Encryption is Hard™, and it is the mistakes in designing cryptographic software that is easier to break than the theory that is implemented. In this case, however, no obvious flaws have been found. This does not mean that I encourage payment of the ransom. Like all ransoms, you have no reason to trust whoever created the malware. Payment only encourages them to ask for more, and the key could be discarded as soon as the files are encrypted.

More realistically, if you see this malware appear on your system, you have two hopes. First, this is the “cheap” form, which will not actually encrypt your system but instead hide all your files and pretend to. Removing the malware will make your system function again. You can use your typical form of antivirus, or something like malwarebytes. Secondly, you of course have good backups, right? Many infestations come in large packages now, containing various malware to do different tasks such as keylogging or changing your DNS server to point you towards what they control for ad clicks or prevent you from obtaining software updates. When you discover malware on your system, at that point you do not know what else is wrong. A full system reinstall is the best solution, and the only way to guarantee things are fixed, assuming you also are sure your backups are clean as well.

Therefore, if you want to be sure about your security, be sure about your backups. For my system I use duplicity, and it ties in well with my previous instructions on personal encryption. I have it doing daily backups, which are incremental (so it only adds what is new from the previous day’s work), and then a full backup every week. My crontab and backup scripts are below:

# m h  dom mon dow   command
0 5 * * 2-7    /home/USER/.duplicity/duplicity_daily
0 5 * * 1    /home/USER/.duplicity/duplicity_weekly

#!/bin/sh
test -x $(which duplicity) || exit 0
$(which duplicity) --encrypt-key GPG_KEY --exclude /home/USER/.gvfs /home/USER file:///data/backups/USER

#!/bin/sh
test -x $(which duplicity) || exit 0
$(which duplicity) full --encrypt-key GPG_KEY --exclude /home/USER/.gvfs /home/<USER> file:///data/backups/USER
$(which duplicity) remove-all-but-n-full 3 --force file:///data/backups/USER

For each of the above, you would replace “<USER>” with your username, and “<GPG_KEY>” with your encryption public key.