Virus: Crypto-locker removal and repair

Recovering from a crypto-lock  virus attack on a single computer can be painful and a chore but when a virus hits your local network fast action is required. The Crypto-locker virus and variants are back, and in the wild right now.

Most people don’t open dodgy emails and run at least some virus protection.  Unfortunately the emails don’t always look dodgy.

cryptolocker virus
Look closely at the sender

After the crypto-locker virus is installed

The computer is then locked and you can not login.  All files are either encrypted or are simply destroyed.  There are a number of variants and not all of them allow file recovery even if you do pay the ransom.


What do to do if you see this on a computer on your network.

  • Disconnect the computer from the network immediately.
  • If you have a backup disk attached to this computer or your server disconnect it
  • On your server revoke permissions for the user that the computer belonged to to write any files to the server.

Accessing the damage caused by crypto-locker or crypto-locker variant

Locker viruses work ‘best’ on Windows Servers.  All crypto-lock variants I have seen follow mapped drives to the server and propagate across the network destroying files and spreading the virus as it goes. Your server runs Linux and the server itself can not be infected by these viruses.

If you have a Windows server there will be considerable damage. The server  may well be infected and this is the place to recover first.

Do you need anything on this machine?

The fastest and safest thing to do is to wipe the machine and reload your operating system ( windows 7 or 10 ) If you had Windows XP then now is the time to upgrade and then recover from backup.

Recovery of a system infected by crypto-locker or varient

The recovery process is not easy and unless you must have access to the machine to recover data then a clean install is the best way.

There is a lot of information on the Web but they all require considerable effort and expertise to do.  This site has a good breakdown of the steps to recovery.

Yopui Server protection

Your server works quietly in the background appearing to do very little. This is how it is supposed to look . In reality there is a lot going on to protect your server and connected computers from harm.

Firewall protection

Your server uses a live firewall. It  blocks and unblocks threats as they appear. The firewall blocks hundreds of attacks a day on all parts of the server including email, web and VPN.

Email protection

The server is protected by the  absolute best  gateway mail anti-virus scanner. ClamAV is an opensource system which is used by the vast majority of mail gateways  and is consistently independently rated as the top gateway antivirus solution.

Most of these viruses arrive in what looks like a PDF file which is zipped up. Your server has strong cloud based protection against viruses in attachments and most are deleted or rejected before they hit your inbox.   This is continuously updated to match attack signatures

Thousands of SPAM messages a day that are loaded with viruses.
SPAM protection is also cloud based with real time database updates of known spammers and highly configurable SPAM thresholds.

File protection

All files on the server are scanned daily and viruses are removed and quarantined automatically using the same enterprise level virus scanning as the mail system.

Web protection

If configured to all traffic to and from the web is sent through the proxy server. This means that your computer never directly accesses the web. Dangerous sites are blocked at this level.

Workstation Protection

No system is perfect so having desktop antivirus  is essential.  Desktop protection will scan local files on your computer which are not controlled by the server directly

  • USB sticks
  • External hard drives
  • POP mail accounts in Outlook not running through the mail server*
  • Drop box and web shares**
  • Downloaded programs and images you chose to download

We are currently advising Bitdefender Free as the starting point.

The paid version is cloud based and  has very good cloud based tools to disinfect computers remotely and securely.

Crypto-locker and all viruses are bad. It is a continuous game of catchup.  The people who write the viruses constantly come up with new ways to defeat even the best and most secure systems.

In the event a virus does get through the network protection and infects your machine please let us know as soon as possible so that it can be eradicated!

If your systems are infected or you suspect that a Virus is on the network and you can’t find it. Contact us..

 * External POP accounts  are generally a bad idea as this bypasses much of the virus protection on the network.  External POP can be blocked by a business owner and if yours has been that is why
These files  come directly from an outside source and the server will not be able to scan them as they go through. There is absolutly no need to use dropbox in a Yopui network as it allows large file sharing with a small  addon application