Cryptolocker: How to avoid getting infected and what to do if you are
There's a new piece of ransomware in town; here's how to protect your company's assets
Computerworld - There's a big threat wiling around on the Internet right now: A particularly nasty piece of ransomware called Cryptolocker. Many, many organizations are being infected with this malware, but fortunately, there are surefire ways to avoid it and also ways to mitigate the damage without letting the lowlifes win.
What is Cryptolocker?
Cryptolocker comes in the door through social engineering. Usually the virus payload hides in an attachment to a phishing message, one purporting to be from a business copier like Xerox that is delivering a PDF of a scanned image, from a major delivery service like UPS orFedEx offering tracking information or from a bank letter confirming a wire or money transfer.
The virus is, of course, an executable attachment, but interestingly the icon representing the executable is a PDF file. With Windows' hidden extensions feature, the sender simply adds ".pdf" to the end of the file (Windows hides the .exe) and the unwitting user is fooled into thinking the attachment is a harmless PDF file from a trusted sender. It is, of course, anything but harmless.
Once Cryptolocker is in the door, it targets files with the following extensions:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c
When it finds a file matching that extension, it encrypts the file using a public key and then makes a record of the file in the Windows registry under HKEY_CURRENT_USER\Software\CryptoLocker\Files. It then prompts the user that his or her files have been encrypted and that he or she must use prepaid cards or Bitcoin to send hundreds of dollars to the author of the malware.
Once the payment has been made, the decryption usually begins. There is typically a four-day time limit on the payment option; the malware's author claims the private key required to decrypt files will be deleted if the ransom is not received in time. If the private key is deleted, your files will essentially never be able to be decrypted -- you could attempt to brute force the key, but as a practical matter, that would take on the order or thousands of years. Effectively, your files are gone.
Currently, the only versions of Cryptolocker in existence target files and folders on local drives and mapped drives. The malware does not currently attempt to perform its malfeasance over network-based universal naming convention paths, although one would surmise this would be a relatively simple change for the author of the ransomware to make.
Antivirus and anti-malware programs, either running on endpoints or performing inbound email message hygiene, have a particularly difficult time stopping this infection. Unless you have a blanket email filtering rule stripping out executable attachments, and that tool is intelligent enough to do so without allowing the user to request the item's return from quarantine, you will see your users getting these phishing messages attempting to introduce Cryptolocker. It is only a matter of time.
Prevention: Software Restriction Policies and AppLocker
As of now, the best tool to use to prevent a Cryptolocker infection in the first place -- since your options for remediating the infection involve time, money, data loss or all three -- is a software restriction policy. There are two kinds: Regular software restriction policies, and then enhanced AppLocker policies. I'll cover how to use both to prevent Cryptolocker infections.
Software Restriction Policies
Software Restriction Policies (SRPs) allow you to control or prevent the execution of certain programs through the use of Group Policy. You can use SRPs to block executable files from running in the specific user-space areas that Cryptolocker uses to launch itself in the first place. The best place to do this is through Group Policy, although if you're a savvy home user or a smaller business without a domain, you can launch the Local Security Policy tool and do the same thing.
One tip: if you're using Group Policy, create a new GPO for each restriction policy. This makes it easier to disable a policy that might be overly restrictive.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Infographic: Converged Infrastructure Benefits This Infographic quantifies the savings organizations are realizing from increased deployment speed, higher availability, and lower annual costs.
- CIOs Deliver Productivity Breakthroughs with Intelligent Digital Signage Retailers have long recognized the influence that digital signage provides over a shopper's point-of-purchase decision making process.
- Going Paperless? Here's What You Need to Think About As makers of some of the world's most popular PDF solutions, we often consult with businesses & governmental agencies that have the goal...
- The Big Data Opportunity for HR and Finance If CEOs, CFOs, CIOs, and CHROs want to drive their businesses forward, they will need to quickly recognize the enormous value of big...
Enhance Your Virtualization Infrastructure With IBM and Vmware
Date: Wednesday, May 14, 2014, 1:00 PM EDT
Virtualization technology is now expanding beyond the server compute elements to encompass networking and storage...
Transforming Finance, Procurement and Supply Chain Effectiveness with Cross-Functional Analytics
Date: May 6th, 2014
Time: 1 PM EDT
Attend this Webcast to find out how Oracle's packaged analytic applications enable line-of-business managers to examine all...
All Windows White Papers |