APEX — The first thing Mark Wilson noticed was a drag on the computer system that he and five others used at his company.
"Everything was just crawling," said Wilson, president and co-owner of Apex Cary Insurance.
Wilson called Raleigh-based Petronella Technology Group, which asked if he noticed anything like a ransom note.
Sure enough, Wilson found a pop-up on one of the monitors demanding $300 in exchange for a key that would unscramble all of the business's files, which the malware had encrypted.
Wilson's company had been hit by ransomware, a form of malware (malicious software) that infects a computer and the systems connected to it, encrypts or locks up data, and then demands a payment. The attackers are believed to be criminal organizations based in Russia and Eastern Europe.
The company's digital files had been scrambled by CryptoLocker, a strain of ransomware that first appeared in September. It has since infected about 25 million systems across the globe, about 70 percent of them in the U.S., according to Keith Jarvis, senior security researcher with the Dell SecureWorks Counter Threat Unit.
CryptoLocker appears to be spreading through emails that lure victims into opening malicious attachments, according to a November alert issued by the U.S. Department of Homeland Security's Computer Emergency Readiness Team.
The CryptoLocker infections offer a glimpse into criminal organizations that work together, using the Internet to gain personal information in order to sell it or use it to steal from bank accounts.
Ransomware has been around for years, but untraceable and unregulated virtual currencies have fueled increasing attacks, according to a McAfee Labs report on 2014 threat predictions.
Defense options, the report and experts said, include not opening suspicious emails or attachments and keeping anti-virus software and patches current. An effective file backup structure, one with copies that an infected machine cannot reach and overwrite, will also minimize risk.
Dell researchers, Jarvis said, have observed CryptoLocker being distributed by cyber criminals working together to harvest personal data using different kinds of malware, including botnets, networks of infected machines that take orders from the criminals controlling them.
Gameover ZeuS, one of the most notorious and sophisticated botnets involved in online banking fraud, is distributed by the Cutwail spam botnet, which used email attachments to lure users. After an attachment has been opened, Upatre malware downloads and then executes Gameover ZeuS, which brings in other malware families, including CryptoLocker.
Dell SecureWorks has seen variants of ZeuS go after small and medium businesses because they are usually less secure, said Elizabeth Clarke, a spokesperson for Dell SecureWorks.
CryptoLocker victims should take an inventory of their files and have off-site backups available to restore the encrypted data. It's easy to remove CryptoLocker itself, Jarvis said, but the machine could still be hosting Gameover ZeuS and other malware.
"Everything on the machine is suspect," he said. Infected equipment should be taken to a professional, who can re-install the operating system from a clean source.
Paying the ransom
Craig Petronella, president of Petronella Technology Group, has seen three small businesses hit with CryptoLocker since October, and each spent about $300 to get its data back.
Petronella learned about CryptoLocker after Jerry Hall, who owns Total Systems Heating & Cooling in Spring Lake with his wife, Brenda, shared his concerns about a pop-up on his computer.
Petronella got into the Halls' computer system and found instructions for making a payment. The pop-up also gave a deadline after which, it warned, the Halls' files would remain encrypted permanently.
"It's a ticking timer," Petronella said. "And it's counting down."
FBI spokesperson Jenny Shearer wrote in an email that the agency advises against paying the ransom. Jarvis and Clarke agreed, pointing out that those who pay are funding criminal organizations.
"Sometimes people have their back against the wall, and it is the data for their company for the last 10 years," Jarvis said.
The Halls used USB hard drives as a backup system, Petronella said, but those were encrypted by CryptoLocker as well, because they were plugged into the company's server and therefore reachable from the infected machine.
"It wiped me out completely," Brenda Hall said. "If I didn't pay the ransom, it would be thousands of dollars in reconstruction."
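The Halls' backup drives were lost because the only copies sat on a volume the infected server could write to, and nothing checked the backup set before it was overwritten. The script below is an added illustration written for this article, not code from Petronella Technology Group, Dell SecureWorks or any other party named here. It snapshots a manifest of file hashes, then, before a backup generation is rotated, compares the current tree against the last manifest and refuses to treat it as good if most files changed at once and the new contents look like ciphertext (near 8 bits of entropy per byte). The thresholds and the constructed sample files are assumptions chosen for the demonstration.

```python
import hashlib
import math
import random
import tempfile
from pathlib import Path

# Tunable thresholds (assumptions for this example, not figures from the article).
CHANGE_RATIO_LIMIT = 0.5    # flag if more than half the files changed since the last snapshot
ENTROPY_LIMIT = 7.5         # bits/byte; plain documents sit well below this, ciphertext near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; approaches 8.0 for encrypted or compressed content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest and entropy."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        manifest[str(path.relative_to(root))] = {
            "sha256": hashlib.sha256(data).hexdigest(),
            "entropy": shannon_entropy(data),
        }
    return manifest


def compare_manifests(previous: dict, current: dict) -> dict:
    """Decide whether the tree looks mass-encrypted since the previous snapshot."""
    changed = [p for p, meta in current.items()
               if p not in previous or previous[p]["sha256"] != meta["sha256"]]
    high_entropy = [p for p in changed if current[p]["entropy"] >= ENTROPY_LIMIT]
    change_ratio = len(changed) / max(len(current), 1)
    # Suspicious only when the change is both widespread and looks like ciphertext,
    # so a normal day's edits to a handful of documents do not trip the check.
    suspicious = change_ratio > CHANGE_RATIO_LIMIT and len(high_entropy) >= len(changed) / 2
    return {"changed": len(changed), "high_entropy": len(high_entropy),
            "change_ratio": change_ratio, "suspicious": suspicious}


def simulate(encrypt_everything: bool, seed: int = 7) -> dict:
    """Build a constructed sample tree, snapshot it, mutate it, and re-check it.

    encrypt_everything=True stands in for ransomware overwriting every file with
    ciphertext (simulated here with seeded pseudo-random bytes of the same size);
    False edits a single document the way a user would.
    """
    rng = random.Random(seed)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(20):  # constructed sample documents, not real client data
            (root / f"policy_{i}.txt").write_text(
                f"Policy {i}: insured party, coverage terms and renewal notes.\n" * 40)
        before = build_manifest(root)
        if encrypt_everything:
            for path in root.iterdir():
                size = path.stat().st_size
                path.write_bytes(bytes(rng.getrandbits(8) for _ in range(size)))
        else:
            (root / "policy_3.txt").write_text("Policy 3: renewed, new premium recorded.\n" * 40)
        after = build_manifest(root)
    return compare_manifests(before, after)


if __name__ == "__main__":
    print("normal edit:     ", simulate(False))
    print("mass encryption: ", simulate(True))
```

In practice the manifest would be kept with the backup generation it describes, on media the production server cannot write to, and a rotation that reports `suspicious` would be held back rather than allowed to replace the last clean copy. The entropy test is what separates ransomware from a legitimate bulk change such as a reformatting job: both touch many files, but only encryption leaves every file looking like random bytes.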
CryptoLocker demands payment in Bitcoin or by MoneyPak, a prepaid card sold at major retailers; both are difficult for investigators to trace.
Petronella paid the ransom with a $300 MoneyPak card he had purchased on behalf of the Halls.
Within about 20 hours, the criminals sent the key to start the decryption process. The following day, Petronella found a notice that the anti-virus program had deleted the malware, which halted the decryption before it finished.
"We thought we were going to have to pay again," he said.
They later received instructions on how to re-download the malware from a server in Ukraine to resume the process, which they did.
Petronella reported the incident to the FBI, as the agency recommends, researched the malware, and sent a note to his clients recommending changes and caution.
Wilson remembers reading that email and thinking, "Yeah right. Sure. That happens to who? Not me."
Just over a week later, Apex Cary Insurance was hit with CryptoLocker.
Wilson and his team talked for about two hours about whether they should pay the ransom. But there was too much to lose, including 10 years of documentation, he said, some of which was required to be kept by the state.
After losing more than a day's worth of work, Wilson decided he needed to get back to his business.
"The quickest, easiest way to handle this was to pay," he said.
Bridges: 919-829-8917; Twitter: @virginiabridges