CryptoLocker Infections: How Are You Preparing?

If you haven’t heard of CryptoLocker yet and taken action to protect your systems, then you are most definitely flirting with disaster. And not the kind of disaster that causes your server to crash for a few hours or requires you to pay someone to remove a virus. We are talking about the kind of destructive malware that can wipe out years of data and shut down a business.  We first wrote about CryptoLocker in a post from September 12th (Read The Severe Threat of Crypto Ransomware as a primer), but in retrospect it doesn’t seem that we are sounding this alarm loud enough because we continue to get almost daily calls reporting new infections. Whether you are concerned about your data or think we may be overreacting, I invite you to read on and learn a little more about the threat and what actions you need to take immediately (as in, yesterday) to get ahead of it.

What You Need to Know:

  1. CryptoLocker is primarily delivered via e-mail as a malicious attachment or link from a legitimate-looking business e-mail. These can be very convincing.
  2. It encrypts all documents on your local machine along with any attached storage devices or (most importantly) mapped drives, which allows it to easily wreak havoc on a business network.
  3. It will demand a ransom of $300 or more to decrypt the files, with a time window of 72 hours to pay.
  4. There is NO WAY to recover the files unless you have a backup of them that pre-dates the infection or are willing to take the risk of paying the ransom (which does not always work).

Think you are safe? Here are a couple of common responses we’ve heard.

“I’ve got a spam filter, I’ll be OK”

The CryptoLocker delivery messages are very well crafted in some cases, skirting around spam filters. We’ve also seen at least two cases where it was caught by the filter, but a user was so convinced by the message that they knowingly released it from quarantine and opened the attachment anyway.

“My systems are really locked down, I’ll be OK”

CryptoLocker doesn’t need to “install” anything. It doesn’t need admin privileges. It doesn’t need to elevate itself in any way. Any file your users have write access to is vulnerable, and it is going to take some really aggressive policies to prevent it from doing damage. If your users can launch a GoToMeeting session right now on their computers, they probably have all the rights they need to get CryptoLocker running.

“I use ______ as my antivirus program and it’s the best, I’ll be OK”

Trend? Symantec? McAfee? Kaspersky? Panda? We’ve seen almost every major vendor fail to catch CryptoLocker at some point. CryptoLocker is changing constantly – it would seem that any time the detection rate climbs above 10%, a new variant is released and you are back to a very small chance of detecting it. Antivirus is still a key component of protecting your systems, but it certainly shouldn’t be the only one.

“We backup our data every day, I’ll be OK”

Backup is definitely the key to recovery, but not all backups are created equal. If you aren’t keeping 5 days’ worth of backups at a bare minimum, you can kiss your chance of recovery goodbye. CryptoLocker is very sneaky – it will usually start silently encrypting files around 4 or 5 PM and could run for several days before you either notice some of your files can’t be opened or the CryptoLocker payment screen finally comes up. That means your backups from that time period are toast. If you have a decent amount of data (>10 GB or so) and are only storing your data off-site with no local backup, be prepared for a lengthy recovery while all of those files download. And if you aren’t testing your backup regularly, you really don’t have a true backup at all.

“I’m sure my IT guy/company can fix it, he/she/they are really smart, so I’ll be OK”

This is a smartly designed application that implements very real and very secure encryption. Files are encrypted with AES-256 keys which are then encrypted with a unique public RSA key. Decryption without the exact corresponding private RSA key is impossible. Some very reputable security firms have poked around at it, but all of them have come to the same conclusion.

“I can afford to pay a $300 ransom, I’ll be OK”

There is absolutely no guarantee you’ll be getting anything back for your $300, or that the ransom will still be $300. We’ve seen it not work at all, or only work after multiple attempts (at $300 a pop). In a few cases we worked on, two users had both opened CryptoLocker attachments and the files were effectively “double encrypted”. In other cases, the computer that caught the infection had been “cleaned” before I.T. had a chance to quarantine it. The cleaning process removed the virus, but also the decryption key pair, stored on the computer, that was required to unlock the files.

What You Should DO:

  1. Review Your Backups – Take a good, long look at your backup strategy. Check with your I.T. provider or the backup vendor. Leave no doubt in your mind that you are retaining at least a few days’ worth of backups, storing the backups securely away from your production systems, and that the backups are always functioning properly. Test a recovery: pretend you just lost all of the files on your server. What would you do? How long would it take to get the files back? We recommend a robust BUDR program like IT/365 Business Continuity that has advanced self-testing mechanisms built in and can recover large amounts of data in a matter of minutes.
  2. Review Your Security – Updated AV and properly tuned spam filters are the bare minimum. Restrict user rights and implement software restriction policies to block execution of files from unauthorized locations. Create and tune SPF records to block unauthorized senders from using your domain to spoof addresses.
  3. Educate Your Users – CryptoLocker can’t do anything if your users don’t let it. Make sure everyone knows the dangers of e-mail attachments. Encourage them to be suspicious of unexpected messages that have attachments. Train them on how to react if they think they are infected.
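As an added example (not from the original post) of the SPF tuning called for in step 2 above: this script parses a constructed SPF TXT record for a hypothetical domain, evaluates whether a given sending IP is authorized to use that domain, and flags records that do not end in `-all`, since a `~all` or `+all` ending still lets spoofed mail through. Mechanisms that need DNS lookups (`a`, `mx`, `include`, `redirect`) are skipped so it runs offline.

```python
import ipaddress

# Constructed SPF TXT record for a hypothetical domain (not a real DNS lookup).
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 -all"

# Qualifier prefix -> SPF result when the mechanism matches.
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")  # splits at the first ':' only
        terms.append((qualifier, mech.lower(), value))
    return terms


def check_sender(record, sender_ip):
    """Return the SPF result for mail claiming this domain from sender_ip.

    Only ip4/ip6/all are evaluated; a, mx, include and redirect need DNS
    and are skipped here, so this is a teaching evaluator, not a full one.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, value in parse_spf(record):
        if mech == "all":
            return RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            # An IPv6 sender is never "in" an ip4 network, and vice versa.
            if ip in ipaddress.ip_network(value, strict=False):
                return RESULT[qualifier]
    return "neutral"  # no "all" term: receivers treat it like no policy


def is_hard_fail(record):
    """True only if the record ends with -all, so receivers can reject spoofs."""
    terms = parse_spf(record)
    return bool(terms) and terms[-1][:2] == ("-", "all")


if __name__ == "__main__":
    for ip in ("203.0.113.77", "192.0.2.5"):
        print(ip, "->", check_sender(SAMPLE_SPF, ip))
    print("blocks spoofing:", is_hard_fail(SAMPLE_SPF))
```

Run it against your own domain's TXT record to see whether a message from an outside IP would actually be rejected or merely soft-failed.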

If you aren’t 100% confident in the steps you’ve taken so far, I would encourage you to reach out to our team for guidance. We’d much rather work with you now than after an infection has occurred.