CryptoLocker Questions

If there is one thing we all learn about security, it is that criminals never rest. The most recent development in the realm of malware is a type called ransomware. Ransomware is malicious software designed to hold a user’s computer and/or files hostage until the user pays a non-negotiable fee.
The first known ransomware attack was in September of 2013 with a variant called CryptoLocker. Since then more variants of ransomware have been found with names such as CryptoLocker 2.0, CryptoWall, CryptoWall 3.0, WinLocker, VirLock, TorrentLocker, Poshcoder, BitCrypt, CryptoDefense, VaultCrypt, TeslaCrypt, and Kriptovor. This list is not even exhaustive; there are more being developed by the day.
With this kind of spread over the last two years an entire economy has been created around ransomware, all based on just 0.3% of the victims paying the ransom. Some researchers, of as August 2015, estimate that there are upwards of 30,000 ransomware infections per day around the world. To put that in perspective, that is one infection every three seconds.
Since this malware has become a force of nature, we felt it was time to answer some of the more common questions surrounding this ransomware.

What is the most common way people get infected with ransomware?

This is a tough question to answer, because there are many ways to become infected. In the case of most Crypto-variants we see today it is through a user receiving an attachment in a .zip file that seems important so the user opens it. Inside is a file that looks as if it is a PDF document or some other document format. Once it is “opened” nothing will show visibly for the user, but the ransomware has already begun encrypting files.

Are there other means of infection?

Yes! Other ransomware variants have started spreading through infected websites. These infected websites target exploits in web browsers or browser plugins. As scary as this is, if a user does not keep their browser and plugins up-to-date then that user can easily become infected with no intervention. This is called a drive-by infection.
Researchers have also found ransomware trojans in certain “Windows Activators” or other activators that cycle around with pirated software.

What is the difference in CyptoLocker and CryptoLocker 2.0?

Most of the infrastructure that the original CryptoLocker relied upon has been shut down. CryptoLocker 2.0 soon emerged after the takedowns. CryptoLocker 2.0 attacks a wider variety of files, now including MP3, MP4, JPG, PNG, and MPG. It is also authored by the same people that made the original CryptoLocker.

How can I prevent CryptoLocker?

The best way to prevent CryptoLocker is to avoid it at all costs. Keeping one’s system up-to-date with the most recent patches, latest software, and browser plugins is a good start. Also, if there are any browser plugins a user finds they no longer use on a daily basis, they can be removed or disabled to decrease the points of attack. Java is a common browser plugin that is often attacked and is used less often on today’s Internet, so it is a good candidate for removal. If it is required for a website a user can always reinstall or re-enable it.
A good, well-trusted antivirus with real-time detection can help, but should not be one’s main line of defense. Due to the nature of ransomware, once an antivirus solution detects it running it is often already too late and removal can be even more detremental. A good antivirus solution needs to utilize real-time protection to prevent it from running in the first place. (Disclosure: Our own IT/365 AV Defender–part of any one of our IT/365 Managed Services plans–does this.)
A user can also install CryptoPrevent. Use this utility with caution, because one method by which CryptoPrevent blocks a ransomware attack is to stop programs from executing out of the AppData folder. So this option may break some software like Dropbox, OneDrive, Skype, or Chrome in their default install configurations.

Is there anything else I can do to protect myself?

Yes! There are always more things one can do to protect themselves. Instead of using an Administrator profile in Windows for daily work, switch to a User/Normal profile. It might be a pain at first, since it will always ask for administrative credentials when installing software or changing certain computer settings, but it is well worth the sacrifice in ease-of-use to help protect a one’s data.
If you are interested in learning more ways to protect yourself from this growing problem, feel free to reach out to us. If you are also interested in our managed solutions offering you can email our Accounts Executive, Josh Cormie, at josh@infotech.us.

Comments