One of the scariest bits of malware out there today is the Cryptolocker Trojan. Cryptolocker is ransomware: it encrypts the victim’s files and withholds the key until the victim makes a payment to the criminal. Once the payment is made, the criminal may or may not actually release the key, so paying buys a chance of recovery, not a guarantee.
How does this happen? Cryptolocker starts out like most other malware: as a drive-by download or a malicious email attachment. You’re safest if you can stop it at this level. (Ahem … Barracuda Web Filter and Barracuda Spam & Virus Firewall are great for this kind of thing.) If you already have infected PCs on your network, machines that are enrolled in someone’s botnet, Cryptolocker can be pushed to your network through those computers too. Again, much like any other piece of malware.
Once Cryptolocker runs, it copies itself into the user’s profile folder (Documents and Settings on older Windows, the AppData area on newer ones) and creates a registry Run entry so that it starts again at every logon. At this point it begins to look for its control servers on the Internet. The control server generates a 2048-bit RSA key pair and delivers only the public key back to Cryptolocker; the private key stays with the criminals, which is why nothing recovered from the infected PC can undo the encryption. The malware then gets to work encrypting every targeted file type it can find on local drives and on every mapped network drive. Unfortunately the targeted file types include most word processing and spreadsheet documents, pictures, and CAD files. Malwarebytes has a full list of the targeted file extensions.
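To make the key handling concrete, here is an added model of the exchange described above. It is not code from the original post and not the malware’s code. It assumes a hybrid scheme in which each file gets its own fresh AES-256 key and only that key is wrapped with the server’s RSA-2048 public key (the post only states the RSA part). Everything stays in memory; “server” and “client” are two objects in one PowerShell session.

```powershell
# Added model of the CryptoLocker key flow: RSA-2048 pair generated on the
# control server, public half sent to the client, per-file AES key wrapped
# with it. Assumption: AES-256 per file (the post only names the RSA part).
# Nothing is written to disk.

# --- control server side: the key pair is generated here and the private
# half never leaves this object.
$server = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$publicKeyXml = $server.ToXmlString($false)   # $false = public parameters only

# --- infected client side: all it ever receives is the public key.
$client = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$client.FromXmlString($publicKeyXml)

function Protect-Blob {
    # Encrypt one "file" (a byte array): fresh AES key, then wrap that key
    # with the RSA public key. The wrapped key is the only route back.
    param([byte[]]$Plain, [System.Security.Cryptography.RSA]$PublicOnly)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()
    $iv = $aes.IV                                  # capture before Dispose()
    $enc = $aes.CreateEncryptor()
    $cipher = $enc.TransformFinalBlock($Plain, 0, $Plain.Length)
    $wrappedKey = $PublicOnly.Encrypt($aes.Key, $true)   # $true = OAEP padding
    $aes.Dispose()
    return @{ Cipher = $cipher; IV = $iv; WrappedKey = $wrappedKey }
}

function Unprotect-Blob {
    # Unwrap the file key (this needs the PRIVATE key) and decrypt.
    param($Blob, [System.Security.Cryptography.RSA]$KeyHolder)
    $key = $KeyHolder.Decrypt($Blob.WrappedKey, $true)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $key; $aes.IV = $Blob.IV
    $dec = $aes.CreateDecryptor()
    $plain = $dec.TransformFinalBlock($Blob.Cipher, 0, $Blob.Cipher.Length)
    $aes.Dispose()
    return $plain
}

# Constructed sample "document"
$document = [Text.Encoding]::UTF8.GetBytes('Q3 budget - constructed sample document')
$blob = Protect-Blob -Plain $document -PublicOnly $client

# What an incident responder finds on the victim: ciphertext, IV, wrapped
# key and the public key. Unwrapping with the public half alone throws.
try {
    Unprotect-Blob -Blob $blob -KeyHolder $client | Out-Null
    'unexpected: decrypted without the private key'
} catch {
    'victim side cannot recover the file key: ' + $_.Exception.Message
}

# Only the operator's key material, held on the control server, works.
$recovered = Unprotect-Blob -Blob $blob -KeyHolder $server
[Text.Encoding]::UTF8.GetString($recovered)
```

The point of the model is the last two steps: a memory dump or disk image of the victim contains the public key and the wrapped file keys, and neither is enough to decrypt, so recovery without the criminals’ private key means restoring from somewhere the malware could not reach.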
When Cryptolocker has done its damage to the file system, it turns its attention to the victim and presents the payment screen shown above. At this point the victim has the following options:
- Pay the ransom: this has been suggested by some industry experts, because the victim has no realistic chance of breaking 2048-bit RSA, and paying is the only way to get the private key. Remember that the criminal may not deliver it.
- Clean the PC and restore from an uninfected backup: as long as the backup is not reachable from the infected PC through a working pathway (such as a share mapped to a drive letter), it should not have been touched by this malware, because Cryptolocker encrypts whatever it can reach as a drive. (cough* Barracuda Backup *cough)
- Restore from Windows Shadow Copy or system restore, if these are still available; note that later variants of Cryptolocker try to delete the shadow copies, so check before counting on them.

If you plan to pay the ransom, you only have a specified amount of time to do so. According to the ransom note, once the countdown on the payment screen expires the control server deletes the private key, and recovery is then not possible.
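The persistence and reach described above suggest a quick exposure check. The following is an added PowerShell audit, not code from the original post: it lists auto-start entries that launch from the user profile (where Cryptolocker drops itself), the mapped drives an infection on this PC could encrypt, and a rough count of targeted files on each. The `HKCU:\Software\CryptoLocker` key it looks for is the per-infection file list documented in the Bleeping Computer guide linked below, not something the post itself mentions; the extension list is an illustrative subset, not the full Malwarebytes list.

```powershell
# Added exposure audit based on the behaviour described in the post:
# Run-key persistence from the profile folder and encryption of every
# mapped drive. Not the post's own code. Run in an elevated prompt on a
# suspect workstation (Windows PowerShell 3.0 or later).

$profileRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE) |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

function Get-SuspiciousRunEntries {
    # Startup entries whose command line points into the user profile:
    # that is where Cryptolocker dropped itself, and few legitimate
    # auto-start programs live there. Review the output by hand.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $names = $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |   # skip provider metadata
            ForEach-Object { $_.Name }
        foreach ($name in $names) {
            $cmd = [string]$props.$name
            $lower = $cmd.ToLowerInvariant()
            if ($profileRoots | Where-Object { $lower.Contains($_) }) {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd }
            }
        }
    }
}

function Get-ReachableShares {
    # Every mapped drive letter is in scope for the encryption pass,
    # including a backup target that was mapped "for convenience".
    Get-WmiObject -Class Win32_MappedLogicalDisk |
        Select-Object DeviceID, ProviderName
}

function Measure-TargetedFiles {
    # Count files of commonly targeted types under a root to size the
    # potential damage. Illustrative subset of the targeted extensions.
    param([string]$Root)
    $ext = '*.doc','*.docx','*.xls','*.xlsx','*.pdf','*.jpg','*.dwg','*.psd'
    $files = Get-ChildItem -Path $Root -Recurse -Include $ext -File -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Root  = $Root
        Files = ($files | Measure-Object).Count
        Bytes = ($files | Measure-Object -Property Length -Sum).Sum
    }
}

function Test-InfectionMarker {
    # Key documented in the Bleeping Computer guide as the per-infection
    # list of encrypted files; present only after an encryption pass ran.
    Test-Path 'HKCU:\Software\CryptoLocker'
}

'--- auto-start entries launching from the user profile ---'
Get-SuspiciousRunEntries | Format-Table -AutoSize
'--- mapped drives reachable by a local infection ---'
$shares = Get-ReachableShares
$shares | Format-Table -AutoSize
'--- targeted file types per mapped drive ---'
foreach ($s in $shares) { Measure-TargetedFiles -Root ($s.DeviceID + '\') }
if (Test-InfectionMarker) { 'WARNING: HKCU:\Software\CryptoLocker is present' }
```

If the backup share shows up in the mapped-drive list, that backup is inside the blast radius; move it behind a dedicated backup agent or credentials the logged-on user does not hold.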
There is an amazing amount of helpful discussion on Cryptolocker over at Bleeping Computer forums.
Most of you reading this blog are IT pros, so you already know how to deal with malware, and you’ve probably already heard of Cryptolocker. It’s been talked about quite a bit for the last few months. However, this is a good reminder to revisit your security software, your backups, and the overall state of your network. Are your users protected from malware? Is there anything more you can do?
If you are battling a budget crunch and you need help selling the decision makers on solutions, consider adding Cryptolocker to your talking points:
- Even police departments and governments have paid the ransom
- Payment is demanded in Bitcoin, which is hard to trace, so effective legal action and loss recovery are very unlikely
- A $100 do-it-yourself ransomware kit, pitched as a Cryptolocker-style locker, has been advertised, opening the ransomware market to pretty much anyone. The Malware Must Die blog has an extensive and updated post on this here – http://malwaremustdie.blogspot.in/2014/01/threat-intelligence-new-locker-prison.html
Cryptolocker’s operators keep modifying their business model to remain an effective and active threat.
I would love to have you build yourself a sweet Barracuda defense system with a Web Filter, Spam & Virus Firewall, and Barracuda Backup. (Especially if you mention my name when you buy 😉 ) But that aside, please consider the following:
- User education on spam and phishing attacks
- Regular monitoring of the types of traffic on your network
- Regular backups that are kept off-site and are not reachable from user PCs as a mapped drive
- Proactive patch management
- Good antivirus software that can provide real-time scanning

Have you been hit by Cryptolocker? Have you prepared a defense against a Cryptolocker attack?