CryptoLocker & the dangers of ransomware

By the time you see the alert, it's already too late...

We've seen a spike in malicious activity over the past few weeks, attributable partly to the discovery the Heartbleed bug and the end of support for Windows XP. One of these new attacks comes from CryptoLocker, a piece of ransomware first detected by Sophos. This one packs quite a punch: By the time it lets you know your computer's infected, the damage is already done. And trust us, it's done a whole lot of damage.

What is ransomware?

"A computer virus is a malware program that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs" (source: wikipedia)

Ransomware differs from the typical virus. Viruses, by definition, are self-replecating, which CryptoLocker is not. It was first reported by the Royal Mail in the UK as originating from spam email containing a link to the malicious package, which has to be run by the user. That's the good news - it can't spread itself on your network.

Ransomware "restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed." (source: wikipedia)

The bad news is that, as its name implies, ransomware holds your system ransom. The first thing this package does is corrupt your files - all your files. Photos, videos, office documents; Local files, network files, shared files... Then a warning screen from the criminals alerts you, telling you that your files are "encrypted" and demanding that you pay a ransom via electronic fund transfer - within 72 hours - or your files will be lost forever.

CryptoLocker pay screen

To obtain the private key for the computer, which will automatically decrypt files, you need to pay 300 USD / 300 EUR / similar amount in another currency

What should I do?

Remove the program?

CryptoLocker isn't particularly hard to remove. It can be cleaned fairly easily by a number of anti-virus packages, or by one of our technicians. Remember, though, your files are already corrupted, and removing the program won't fix that.

Pay the ransom?

Your files are encrypted. Removing CryptoLocker won't help - in fact, it will guarantee they can't be fixed. There are reports that after verifying your payment, the criminals will proceed to decrypt your files, though the process can take several hours and is not always successful.

So, do you pay? That boils down to a few questions about you:

  1. What's your policy on negotiating with terrorists?
  2. Do you have a good backup?
  3. Do you trust criminals to actually follow through and decrypt your files?

Better hope you have a good backup...

The most important part of any IT infrastructure is not the power of the server, the speed of the network, or the health of the computers. Far and away, an effective backup is the most crucial component. CryptoLocker is just one example why.

If you have a recent backup of your files, the solution to CryptoLocker is simple: Wipe the system, restore the backup, return to work. Unfortunately, if your backup is old, unreliable, out-of-date, or worse - you have no backup - the solution is not quite as clear.

If you can't say with absolute certainty that you have an up-to-date, effective backup system, then you are at risk. You can put tens of thousands of dollars into ERP, CRM, hardware updates and system maintenance, but if you're not investing a few hundred dollars (and yes, it can be that cheap!) into a reliable backup plan, then you risk throwing all that money away.

How can you protect yourself?

Because CryptoLocker isn't a virus and is activated by the user, there's only so much even the best anti-virus protection can do for you. The only way to truly protect yourself is to be aware. Scrutinize emails before your act on them. Never click on links when you have any doubt about their origin or their legitimacy.

Known spam emails

To help protect you from this particular attack, here is a partial list of known CryptoLocker email subjects:

USPS - Your package is available for pickup ( Parcel 173145820507 ) USPS - Missed package delivery ("USPS Express Services" <>)
USPS - Missed package delivery FW: Invoice <random number>
ADP payroll: Account Charge Alert ACH Notification ("ADP Payroll" <*>)
ADP Reference #09903824430 Payroll Received by Intuit
Important - attached form FW: Last Month Remit
McAfee Always On Protection Reactivation Scanned Image from a Xerox WorkCentre
Scan from a Xerox WorkCentre scanned from Xerox
Annual Form - Authorization to Use Privately Owned Vehicle on State Business Fwd:
My resume New Voicemail Message
Voice Message from Unknown (675-685-3476) Voice Message from Unknown Caller (344-846-4458)
Important - New Outlook Settings Scan Data
FW: Payment Advice - Advice Ref:[GB293037313703] / ACH credits / Customer Ref:[pay run 14/11/13] Payment Advice - Advice Ref:[GB2198767]
New contract agreement. Important Notice - Incoming Money Transfer
Notice of underreported income Notice of unreported income - Last months reports
Payment Overdue - Please respond FW: Check copy
Payroll Invoice USBANK
Corporate eFax message from "random phone #" - 8 pages (random phone # & number of pages) past due invoices
FW: Case FH74D23GST58NQS Symantec Endpoint Protection: Important System Update - requires immediate action


Comments are closed.