New Variant on Cryptolocker Virus

Monday 10 November 2014, 2:33PM


There is a new variant on the Cryptolocker virus, or ransomware, hitting computer networks as we speak.

This variant was first detected on 5 October, and we were made aware of a site infected with it only this morning. The virus is new enough that the site’s antivirus software did not pick it up on entry; it was only caught when the antivirus detected files being encrypted on the file share. Over 1000 files were affected, and they had to be deleted and reinstated from backup.

This is your typical “ransomware” virus. It encrypts not only the computer it arrives on; it also attacks the network and encrypts any shared files on servers.

When this virus attacks your computer and you try to access the encrypted files, you get a message saying they are encrypted. The message says that if you want to decrypt them you need to follow the instructions given, i.e. pay the person who sent you the virus.

So what do you need to know to stop this happening to you?

When receiving attachments that appear to be an Office document, be wary of those with the suffixes “.doc”, “.xls”, and “.ppt”. This is the older Microsoft document format, a proprietary binary format in which malicious code or macros can be embedded. It is the key reason that, from Office 2007 onwards, Microsoft moved to a secure format that appends an “x” to the file suffix, e.g. “.xlsx”, “.docx”, “.pptx”. If the document contains macros, it will have an “m” instead of an “x”, e.g. “.xlsm”. Be wary of opening macro-enabled documents from an unknown source. Unless you have verified the source, do not open them!

Most mail clients (like Outlook) have the ability to preview an attachment. In the case of a “.doc” or “.xls” file, do not even select the attachment unless you are sure of its source: the previewer alone could trigger the virus or malware payload.

Also, you might come across attachments that are named “filename.xlsx.exe” or “filename.pdf.exe” – do NOT select the file, just delete the email.
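As an added example (not code from the original post), here is a small Python triage routine that applies the attachment rules above at a mail gateway: it flags double-extension names such as “filename.xlsx.exe” as disguised executables and marks legacy “.doc/.xls/.ppt” and macro-enabled “.docm/.xlsm/.pptm” attachments for a warning. The suffix lists and the quarantine/warn/allow policy are assumptions, not from the post.

```python
from typing import List, Tuple

# Assumed suffix lists (not from the original post): executable types a mail
# filter would block, and document types attackers imitate with a fake suffix.
EXECUTABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT = {".doc", ".xls", ".ppt", ".docx", ".xlsx", ".pptx",
            ".docm", ".xlsm", ".pptm", ".pdf"}
LEGACY_BINARY_OFFICE = {".doc", ".xls", ".ppt"}     # old binary format (post)
MACRO_ENABLED_OFFICE = {".docm", ".xlsm", ".pptm"}  # "m" suffix (post)

# Assumed policy per risk class: quarantine, warn the recipient, or deliver.
ACTION = {"disguised-executable": "quarantine", "executable": "quarantine",
          "legacy-binary-office": "warn", "macro-enabled-office": "warn",
          "no-extension": "warn", "ok": "allow"}

def suffixes(name: str) -> List[str]:
    """All dot-suffixes, lowercased: 'a.xlsx.exe' -> ['.xlsx', '.exe']."""
    parts = name.strip().lower().split(".")
    return ["." + p for p in parts[1:] if p]

def classify_attachment(name: str) -> str:
    """Map an attachment filename to one of the risk classes the post describes."""
    sfx = suffixes(name)
    if not sfx:
        return "no-extension"
    last = sfx[-1]
    if last in EXECUTABLE:
        # 'filename.xlsx.exe': a document suffix used to disguise an executable
        if len(sfx) >= 2 and sfx[-2] in DOCUMENT:
            return "disguised-executable"
        return "executable"
    if last in LEGACY_BINARY_OFFICE:
        return "legacy-binary-office"
    if last in MACRO_ENABLED_OFFICE:
        return "macro-enabled-office"
    return "ok"

def triage(names: List[str]) -> List[Tuple[str, str, str]]:
    """Return (filename, risk class, gateway action) for each attachment name."""
    return [(n, classify_attachment(n), ACTION[classify_attachment(n)]) for n in names]

if __name__ == "__main__":
    # Constructed sample names, including the post's own examples.
    sample = ["filename.xlsx.exe", "filename.pdf.exe", "Q3 report.xls",
              "budget.xlsm", "notes.docx", "FedEx_label.PDF.EXE", "README"]
    for row in triage(sample):
        print(row)
```

Matching is case-insensitive, so “FedEx_label.PDF.EXE” is caught the same way as the lowercase form.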

The antivirus software companies will be updating their software to counteract this new variant. So as always, we encourage you to have up-to-date antivirus and anti-malware. If you have not updated your antivirus software, now might be a good time to do so. We also advise you to be careful of opening attachments. Good security starts at the keyboard (and mouse).

Most people that get trapped by these things are expecting a file from someone in particular. One of our clients, for instance, was expecting a package from FedEx, so when they got an email from "FedEx" they opened it.

Finally, as a good proactive measure, make sure you have a good backup system. If things do go pear-shaped, your IT company can often recover the affected files from backup. Our backup software of choice is ShadowProtect. With ShadowProtect we have been able to recover entire servers within four hours from start to finish. (To read a case study, go to

If anyone in your organisation opens a dodgy file, they should turn off the computer immediately, unplug it from the network and call for help.