Debunking email hoaxes and exposing Internet scams since 2003!

'Really Bad Virus' Warning

Outline
Circulating social media message warns users about a "really bad virus" that can encrypt your entire computer and show a message demanding that you send $300 to a specified address.

Image: encrypted vector badge. © Depositphotos.com / Len Neighbors



Brief Analysis
The message apparently attempts to describe a CryptoLocker ransomware infection, and its core claims are broadly valid. However, the warning is vague: it does not name the threat, does not explain how the malware is distributed, and gives no useful advice on avoiding an infection or dealing with one. Its value as a warning is therefore significantly diminished. More information and links to reputable resources about the threat are included in the detailed analysis below.

Example

Hey this is a warning BE CAREFUL ANF BACK UP YOUR COMPUTER. There is  a really bad virus out there now that infects though e-mail with or without attachments!!! It slowly encrypts your entire computer with a 200 something bit encryption and then after its done its shows msg on your screen that says to send $300 to an address. Don't try to kill the virus as it will only make it worse. Can cause physical damage!!!

you have to wipe drive and start new. sorry for bad news


Detailed Analysis


This circulating social media post warns users about a "really bad virus" that can "encrypt your entire computer" before displaying a message demanding that you send $300 to a specified address. It further warns that trying to kill the virus will only make the infection worse and can cause physical damage. It advises that, if infected, you will need to wipe your hard drive and start over.   

The message is apparently attempting to warn users about a CryptoLocker ransomware infection. CryptoLocker does indeed encrypt files on the infected computer and demands that the user pay a ransom, typically $100 or $300, to have the files released.

The introduction to a comprehensive guide to CryptoLocker published on BleepingComputer.com explains:
CryptoLocker is a ransomware program that was released around the beginning of September 2013. This ransomware will encrypt certain files using a mixture of RSA & AES encryption. When it has finished encrypting your files, it will display a CryptoLocker payment program that prompts you to send a ransom of either $100 or $300 in order to decrypt the files. This screen will also display a timer stating that you have 96 hours, or 4 days, to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files. This ransom must be paid using MoneyPak vouchers or Bitcoins. Once you send the payment and it is verified, the program will decrypt the files that it encrypted.

The malware is generally spread via email attachments in seemingly legitimate emails that claim to be from high-profile companies such as FedEx or UPS.
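
That distribution vector is the point at which a mail filter can intervene. The following is an added example, not code from Hoax-Slayer or from the BleepingComputer guide: a small attachment-hygiene check that flags the two properties the text attributes to these lures, an attachment carrying an executable (directly or inside a zip archive) and a From header whose display name claims a courier brand while the address domain belongs to someone else. The brand-to-domain map, the executable-extension list and the two sample messages are all assumptions constructed for the example.

```python
"""Attachment-hygiene check for courier-themed malspam.

Added example; not Hoax-Slayer or BleepingComputer code.  COURIER_DOMAINS,
EXECUTABLE_EXTS and the sample messages are constructed assumptions.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed: brands as they appear in display names, mapped to the domains
# that legitimately send mail on their behalf.
COURIER_DOMAINS = {
    "fedex": {"fedex.com"},
    "ups": {"ups.com"},
}

# Assumed: extensions that Windows executes directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def _ext(name):
    """Lower-cased final extension of a file name ('' if none)."""
    m = re.search(r"\.[^.]+$", name.lower())
    return m.group(0) if m else ""


def executable_names(part):
    """Names of executable attachments, looking one level into zip archives.
    The archive itself is not flagged; its executable members are."""
    name = part.get_filename() or ""
    payload = part.get_payload(decode=True) or b""
    found = []
    if _ext(name) in EXECUTABLE_EXTS:
        found.append(name)
    if _ext(name) == ".zip" or part.get_content_type() == "application/zip":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                found.extend(n for n in zf.namelist() if _ext(n) in EXECUTABLE_EXTS)
        except zipfile.BadZipFile:
            found.append(name + " (unreadable zip)")
    return found


def brand_mismatch(from_header):
    """(brand, domain) when the display name claims a courier brand but the
    address domain is not one of that brand's domains; otherwise None."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    for brand, domains in COURIER_DOMAINS.items():
        if re.search(rf"\b{brand}\b", display, re.IGNORECASE):
            if not any(domain == d or domain.endswith("." + d) for d in domains):
                return brand, domain
    return None


def assess(raw):
    """Assess one raw RFC 5322 message.  'suspicious' is set when an executable
    attachment is present; a brand mismatch is reported alongside so the
    filter can explain why it quarantined the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    executables = []
    for part in msg.iter_attachments():
        executables.extend(executable_names(part))
    return {
        "subject": str(msg["Subject"]),
        "executables": executables,
        "brand_mismatch": brand_mismatch(str(msg["From"] or "")),
        "suspicious": bool(executables),
    }


def _sample(from_header, subject, filename, data, content_type):
    """Build a constructed test message with a single attachment."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("Your parcel could not be delivered. See the attached notice.")
    maintype, subtype = content_type.split("/")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def _zip_containing(member, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()


# Constructed samples, not real captured mail.
LURE = _sample('"FedEx Customer Service" <notice@mail-track.example>',
               "Delivery failure notice", "Tracking_Notice.zip",
               _zip_containing("Tracking_Notice.exe", b"MZ\x90\x00"), "application/zip")
BENIGN = _sample('"FedEx" <tracking@fedex.com>', "Your shipment",
                 "invoice.pdf", b"%PDF-1.4\n", "application/pdf")
```

Calling `assess(LURE)` flags the message (an `.exe` inside the zip, and a display name claiming FedEx from a domain that is not fedex.com), while `assess(BENIGN)` passes. Inspecting the archive's members rather than its outer extension matters because an archive hides the executable's extension from a check that looks only at the attachment's file name.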
 
There is currently no way of decrypting the locked files other than to pay the required ransom. This follows from the mixture of RSA and AES described above: the file contents are encrypted with AES keys, and those keys are in turn encrypted with an RSA public key whose matching private key is held only on the criminals' server. Without that private key the files cannot be unlocked, and if users do not pay within the specified time the key is destroyed and the files will likely remain locked forever.

If you have uninfected backups, you can remove the infection and restore your files from them. However, CryptoLocker also encrypts files on any drive it can reach at the time of infection, including mapped network shares and connected external drives, so a backup that stays permanently attached to the computer may be locked along with the originals. Backups kept offline or disconnected between runs are out of the malware's reach.

Thus, CryptoLocker is a significant threat, and computer users would certainly be wise to make themselves aware of it.

However, the above message actually does a rather dismal job of educating users about the threat and telling them what to do about it should their computers become infected.

The warning does not even name the threat, nor does it describe in any meaningful way how the ransomware is distributed. And, the malware does not encrypt the entire computer as claimed in the message; it encrypts only certain types of files, chiefly user data such as documents and images. The operating system and programs keep working, so an infected computer is still operable.

The warning does not link to any expert advisories on the topic that would provide recipients with further information. And, the rather cryptic claim that the malware can "cause physical damage" is misleading. If victims do not pay, they may never recover their files, but the damage is to data; there is no suggestion that the infection harms the computer's hardware. Moreover, while users may not regain access to the encrypted files, the malware itself can be removed without wiping the hard drive.

Thus, although the message's creator probably had good intentions, its value and validity as a warning about CryptoLocker are greatly eroded. If you wish to ensure that your friends are aware of the very real threat posed by CryptoLocker, it would be better to send them a link to a reliable and regularly updated article, such as the BleepingComputer guide, rather than pass on the above rather garbled and ineffective message.


Last updated: October 30, 2013
First published: October 30, 2013
Research: Joshua Brunson and Brett Christensen
By Brett M. Christensen

References
Cryptolocker Ransomware: What You Need To Know
CryptoLocker Ransomware Information Guide and FAQ