It is hard to imagine doing business, maintaining patient records, reading the news, sharing photos or even socializing these days without utilizing computers to research, store, and update our important information. It goes without saying that our computers and networks store a lot of critical data that we simply expect to be available as we need them. But what if we told you the availability of your important sensitive data could come to a grinding halt with one wrong mouse click? What if we told you all of your photographs, documents, spreadsheets and more could be kidnapped and held for a costly ransom?
Holding Your Data Hostage
Ransomware is not a new concept. It has been around since 1989 with the creation of PC Cyborg, but since about Mid-September of 2013 we have noticed a new level of sophistication in the form of a cryptovirus called CryptoLocker.
CryptoLocker initially found its way around the internet disguised as a legitimate email attachment. Targeting all versions of Windows, it would appear to be from UPS, FedEx, or some other seemingly legitimate sender and have an attachment that looked like a PDF file. Some reported CryptoLocker email subject lines read:
- USPS – Missed Package Delivery
- My Resume
- New Contract Agreement
- ACH Notification
Once an unknowing user clicked on what appeared to be an innocuous PDF file, CryptoLocker would install itself and begin systematically encrypting documents, photographs, spreadsheets and many other file types. CryptoLocker also encrypts shadow volume copies used in System Restore crippling your ability to roll back to a previous date before the Trojan infection.
After initial encryption is complete, a message will appear on your screen prompting you to pay a certain amount of money in order to decrypt your files (There have been reports of $100 to more than $300 in ransom demands.) Along with the demand for payment, there is a timer counting down on the screen. Above the timer you are notified that if you do not pay the ransom by the designated time, the encryption key needed to unlock your files will be destroyed. Some have reported that the creators of this Trojan-virus do not destroy the encryption key after the timer runs out, but simply double or triple the ransom demand.
Once your files are encrypted using a combination of RSA & AES encryption they are completely inaccessible to you. There is no known way to retrieve the key to decrypt your files without paying the ransom, and even then- there is no guarantee your files will be unlocked. Worse yet, the Trojan searches your computer for mapped drives and can also encrypt those files. This means if you are connected to a network and have folders mapped to a drive letter, those networked drives are potentially in danger as well. As long as the virus is on your computer, it will continue to search accessible folders and drives for files to encrypt. This could be disastrous to a network of any size, especially where the integrity and availability of sensitive information is mission critical.
Removing the virus is a relatively simple task, however once it is removed, there is no way to pay the ransom and hopefully decrypt your files unless you reinstall the virus. Even still, there is no guarantee that your files will be decrypted after the ransom is paid if you do choose that route. Some report paying the ransom and were unable to decrypt their files while others claim they paid, and their files were decrypted within fifteen minutes. Loricca does not recommend paying the ransom, but to mitigate risk through threat management.
CryptoLocker Evolves
Just when you thought it couldn’t get worse, since the initial reports of this diabolical extortion, it appears that what began as a lesson in safe computing just may become an exercise in futility unless proper education and preventative measures are taken.
It’s been reported that cybercriminals have taken CryptoLocker and morphed it into a few more dangerous variants that can be imbedded in landing pages disguised as a music track or distributed through vulnerabilities in popular software programs like Java, Flash and others. A newer threat called PowerLocker has evolved the danger from a Trojan to a worm. This means the virus no longer needs an unsuspecting user to click on or open a file to infect their computer, but that the malware can now propagate itself throughout a system or network without any human interaction.
As of last week it has also been rumored that these iniquitous coders are packaging this software up into a crime-pack offering to sell the virus for the low price of $100 to any evil-doer that desires to customize and release his or her own version of this digital nightmare. If the purported story proves true, it could potentially have quite a devastating effect.
While experts have said this is not the worst virus threat they have seen, it can certainly bring a business to its knees if they do not have adequate risk/threat management procedures in place.
How Can You Protect Yourself?
MOST importantly, backing up your data on a regular basis is critical to maintaining the integrity and availability of your information should you become infected. Remember, if you have to restore from a backup, the integrity of your information is only as valid as your most recent backup. Meaning if you make a lot of changes to your data on a daily basis, it would be a good idea to perform a backup of this information on a daily basis as well. Backups should not be stored on the same computer or network shares that you have write access to as the virus could damage those backups as well.
Always maintain up-to-date and active virus scanning software.
Keep your software up to date. Java, Flash Player and other such programs provide frequent updates addressing security issues. It is important to ensure your programs are patched and up-to-date to help mitigate threats that have already been addressed.
Never click on links or open attachments unless you are absolutely sure it was deliberately sent by a known safe source.
Refrain from giving administrative rights to user accounts.
Ensure access controls are set to the minimum necessary to perform your job functions. Do not give yourself or anyone else write access to files you only need to read.
If you do find yourself infected with the CryptoLocker Trojan or the worm variant, it is highly recommended that you disconnect from the network immediately. If you are using an Ethernet connection, unplug the cable. If wireless, turn off your Wi-Fi. This is a two-fold benefit. The virus needs internet connectivity to encrypt your files and it will also prevent the Trojan or worm from spreading to other drives on the network.
Be aware that external thumb drives and connected media storage devices are at risk of becoming infected if plugged in to a machine or network affected by the malware.
It is recommended that IS departments monitor their networks for massive amounts of changed files within a timeframe, or File Integrity Monitoring (FIM). Using FIM software can alert if changes are above a certain threshold and can help detect if such a threat is spreading on the network allowing for isolation of infected machines and mitigate further damage.