Cryptolocker: A New Era of Ransomware

Paul MorganBlog


ransomwareA particularly nasty new “ransomware” virus has started to appear on the radar of security companies at the end of mid-September. Cryptolocker, as it was later coined, amazed security experts with the innovative way it extorts money from the targets that it infects using unbreakable, industry standard file encryption.

What does it do?

When infected, Cryptolocker causes your machine to silently encrypt any/all Office and media files that the user has access to (including those on shared drives) using a cryptographically secure passkey that is never stored on your machine. When complete, Cryptolocker presents a screen notifying you that you have 72 hours to pay a ransom or the passkey (and by extension, your files) will be destroyed permanently. The ransom is paid using an anonymous electronic cash equivalent known as Bitcoin, and ranges from 2-10 Bitcoins depending on the version you were infected with. At the time of writing, 1 Bitcoin can be purchased for approximately 1100 USD.

This places the infected user in an extremely bad position: if they did not have the files that were infected backed up in a proper way, they can pay the ransom (and hope that the criminals stick to their word to decrypt) or lose their files. Obviously, this is a disaster scenario for any business, and there are countless stories of unprepared businesses who have had to “pay and pray” that Cryptolocker will allow them to retrieve their livelihood. Even worse is the fact that from an individual perspective, paying 2500-10000 dollars to regain access to your business files may be a smart business decision: the authors of Cryptolocker are likely collecting tens, if not hundreds of millions of dollars, which only serves as incentive for this to continue.

How do I get infected?

The largest quantity of infections from Cryptolocker appear to be coming in the form of executable attachments to “phishing” emails. For example: an email appearing to come from Paypal would be sent to you claiming that you have authorized a purchase transaction for $200. A “receipt” would be attached to this email containing a ZIP file with an executable misleadingly named to appear to be a PDF. Once opened, the encryption process begins without fanfare.

It is also possible for Cryptolocker to be installed using typical remote software exploitation (where no user interaction is necessary).

How do I protect myself?

Once infected, there is no way to reverse the encryption process. Ultimately, the way to protect yourself from Cryptolocker is to either never get infected or make sure that you can restore backups of files if you do get infected.

  1. Keep your computers patches with OS and application security updates.  Most ransomware infects system using security exploits found in Microsoft Windows or 3rd party applications such as Java, Flash, Adobe Reader, etc.
  2. Use a comprehensive Anti-malware solution.  At Diligex, we use a combination at WebRoot SecureAnywhere and MalwareBytes Enterprise.
  3.  Remove ‘admin rights’ from your user account.  Most ransomware installs software on your computer.  If your logged in user account doesn’t have admin rights, the ransomware likely will not be able to execute.
  4. Be diligent when opening email attachments and clicking on links within an email.  Under no circumstances is it acceptable to open, preview, copy, or move an unsolicited email attachment or click on any link sent to you in an unsolicited email. If a message is suspicious, validate its authenticity by following up with the company in question (e.g. if you bank sends you a suspicious “receipt”, call the bank instead of opening the email or clicking on the provided hyperlinks). If you are unsure, please consult with an IT Professional.
  5. Backups, backups, backups! If Cryptolocker does infect your computer, having a good backup will negate the requirement to pay the ransom or pay someone to try and decrypt your files.  It’s important to note that backups need to be SECURE.  An external hard drive attached to your computer is likely NOT an acceptable backup method.  Ransomware is smart enough to scan for external drives and encrypt them as well.
  6. If you receive a Cryptolocker notification, immediately shut down your computer and contact an IT Processional for assistance. Encrypting files can take a significant amount of time: you may be able to prevent a significant portion of the damage by not allowing the machine to finish the encryption process.
  7. Review and develop your security practices and ensure that everybody is trained in these practices. Cryptolocker does not care if you are an entry-level analyst or the CEO: if you use a computer, your actions can put your company at risk.

If you have any additional questions or wish to make sure that your business is protected against a Cryptolocker attack, contact us anytime.  We’re here to help.