Cryptolocker: 5 Ways To Defend Against Ransomware Threats

Ransomware Scourge Impacts Businesses And Consumers

Cryptolocker is making headlines for encrypting data and holding it ransom, but leaving some victims in the lurch despite paying out to regain access to their files. It uses strong encryption, making it next to impossible to crack.

Solution providers told CRN that they are advising clients to first focus on basic security measures and then offering to assess the adequacy and configuration of existing security systems. Addressing ways to reduce the risk of a crippling Cryptolocker infection can thwart other malware threats like it, they say.

The cybercriminals behind the extortion threat, which spreads through email phishing attacks, recently increased the fee to unlock the data the ransomware encrypts from approximately $200 worth of Bitcoins, a digital currency, to about $2,000 worth of Bitcoins, according to Malwarebytes researcher Jerome Segura, who has been monitoring the threat. Here are five security measures that could be taken to reduce the risk of an infection.

5. User Education

Technology alone is not going to solve the longstanding problem of social engineering techniques coupled with malicious file attachments. Security firms need to build up a security-aware culture to help recognize phishing emails, said Tom Snyder, president and co-founder of Oakland, Calif.-based Xantrion IT Consulting, which in addition to offering Symantec's cloud-based endpoint protection software, sells email filtering technology via Microsoft Office 365.

Email attachments carrying the Cryptolocker threat arrive with fake Amazon invoice email messages, phony DHL Express delivery slips and other common phishing lures that are known to circulate with other malware campaigns, said Malwarebytes' Segura. The attackers have not regionalized or targeted the campaign at any specific group of individuals, keeping the campaign broad in scope, which potentially makes it easier to identify, Segura said.

4. Intrusion Prevention Systems, Next-Generation Firewalls

Intrusion prevention systems can block the communications sent from the Cryptolocker-infected system to the remote command-and-control server from which the malware retrieves the key used to encrypt the files. Blocking the communications can prevent the encryption from taking place. Security firms have figured out the Cryptolocker algorithm that produces about 1,000 unique domain names every day, said Malwarebytes' Segura.

By monitoring the domains to determine the IP addresses attempting to connect to them, security researchers have determined that the U.S. and U.K. are the most affected countries followed by India, Canada and Australia. Researchers at Kaspersky Lab said the threat gives infected systems three days to pay for the key to unlock the encrypted files. Both next-generation firewall appliances and intrusion prevention systems have the ability to provide this kind of protection, say solution providers.
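An added example, not from CRN, Malwarebytes or any vendor named in this article, of the kind of monitoring an intrusion prevention system or DNS sensor performs to spot this traffic: a single host churning through many random-looking domain names, most of which fail to resolve, is the visible footprint of a domain-generation algorithm looking for its command-and-control server. The log format, the thresholds and the tiny public-suffix stand-in are assumptions; the log lines are constructed, not real Cryptolocker traffic, and the script does not know Cryptolocker's actual domain-generation algorithm, which the article does not publish.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines (assumed format: "<epoch> <client> <name> <rcode>").
# The random-looking names are made up for the example and are not Cryptolocker domains.
SAMPLE_DNS_LOG = """\
1383000000 10.0.0.5 www.example.com NOERROR
1383000001 10.0.0.5 mail.example.com NOERROR
1383000002 10.0.0.9 qxkwvprtzjmcy.org NXDOMAIN
1383000003 10.0.0.9 bhtmlwcaqxdnrp.net NXDOMAIN
1383000004 10.0.0.9 zrvkjdpmtqwfhx.com NXDOMAIN
1383000005 10.0.0.9 lgcpwmtvbqzsdk.biz NXDOMAIN
1383000006 10.0.0.9 twhxqdbmrncfyv.ru NXDOMAIN
1383000007 10.0.0.9 pmsdxvqtbzrkhg.co.uk NXDOMAIN
1383000008 10.0.0.5 cdn.example.net NOERROR
1383000009 10.0.0.9 fvhqmzdtpxwrcb.info NXDOMAIN
1383000010 10.0.0.9 kjwxqmtzvbsprd.org NOERROR
"""

# Assumption: a tiny stand-in for a real public-suffix list.
MULTI_PART_SUFFIXES = {"co.uk"}


def shannon_entropy(text):
    """Bits of entropy per character; a 14-letter string of distinct letters scores about 3.8."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(name):
    """The label someone had to register: 'example' for www.example.com."""
    parts = name.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in MULTI_PART_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(name, min_len=10, min_entropy=3.0):
    """Heuristic: a long, high-entropy registered label is typical of algorithmically generated names."""
    label = registered_label(name)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def has_burst(timestamps, window, threshold):
    """True if at least `threshold` events fall inside any `window`-second span."""
    ts = sorted(timestamps)
    start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def analyze_dns_log(log_text, window=300, min_burst=5):
    """Per-client query counts plus a flag for clients bursting through generated-looking names."""
    per_client = defaultdict(lambda: {"total": 0, "nxdomain": 0, "random_looking": 0, "_ts": []})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        epoch, client, name, rcode = fields
        stats = per_client[client]
        stats["total"] += 1
        if rcode == "NXDOMAIN":
            stats["nxdomain"] += 1
        if looks_generated(name):
            stats["random_looking"] += 1
            stats["_ts"].append(int(epoch))
    result = {}
    for client, stats in per_client.items():
        flagged = has_burst(stats.pop("_ts"), window, min_burst)
        result[client] = {**stats, "flagged": flagged}
    return result


def flagged_clients(log_text, **kwargs):
    """Sorted list of client addresses whose query pattern crossed the burst threshold."""
    return sorted(c for c, s in analyze_dns_log(log_text, **kwargs).items() if s["flagged"])


if __name__ == "__main__":
    for client, stats in analyze_dns_log(SAMPLE_DNS_LOG).items():
        print(client, stats)
```

The window and burst size are deliberately conservative and should be tuned against a baseline of the organization's own resolver traffic; a flag is a trigger to investigate the host and to cut its outbound traffic at the firewall, not proof of infection on its own, since content-delivery networks and some legitimate services also use long machine-generated hostnames.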

3. Whitelisting Technology, Executable Prevention

Businesses that want to ensure that Cryptolocker and other malware threats fail to execute can roll out whitelisting software. Security experts warn that the technology, which maintains a list of known good software, can be burdensome to IT administrators and have a negative impact on end users, and that some whitelisting products are less robust than others.

Another way to reduce the risk of malware infection is by applying group policies to prevent people from opening executable files, said Malwarebytes' Segura. Most people who open file attachments are not going to extract the file first and then open it; they will double-click on a zip file, and the executable inside can be blocked from running through group policy, he said.

2. Updated Antivirus Software

According to VirusTotal, a website that checks malware against dozens of antivirus engines, most antivirus software can detect Cryptolocker malware. Cryptolocker spreads via malicious file attachments and can also be detected by antispam appliances and most filtering software.

Beware of relying solely on antivirus software for protection, warned Malwarebytes' Segura. If antivirus detects an infection after files are encrypted, removing the threat can make decryption difficult, he said. Some people have sought to re-infect their systems in order to pay out the ransom to cybercriminals, he said.

To address systems that have had the malware removed, the cybercriminals behind the scam have set up a CryptoLocker Decryption Service. The service, which is cloaked from investigators behind the Tor anonymity network, can produce a decryption key for victims who upload an encrypted file. The service is expensive at 10 Bitcoins, or approximately $2,300.

1. Backup, Backup, Backup

Cloud-based backup is fine, but security experts warn that if your cloud backup is set to automatically sync, the files encrypted by Cryptolocker will replace the files synced to the backup service. Businesses and individuals who follow the best-practice 3-2-1 backup rule will be in great shape to recover from a Cryptolocker infection. Keep three copies of any important file; back up important files to two different types of media, such as a DVD or hard drive; and keep important files in an off-site location.

Backup alone is no panacea, warned Malwarebytes' Segura. Recovery from a Cryptolocker infection can take several hours depending on the amount of data that needs to be restored, and downtime can be costly, he said. Individuals who have paid out the ransom have found that the decryption still takes hours and there is no guarantee that malware still isn't lying dormant on the recovered system, he said.
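An added example, not from CRN or any vendor named here, of the sync pitfall described in this section: an auto-sync folder keeps exactly one copy of each file and overwrites it on every change, so the encrypted file replaces the good one; a versioned backup keeps every distinct version and can restore the last copy written before the incident. The file name, the storage layout and the "tampered" bytes are constructed for the example; no real encryption is performed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed sample document; TAMPERED is a placeholder for the encrypted output
# the malware writes back over the original (no real encryption is done here).
ORIGINAL = b"Q3 financial summary - revenue 1.2M, costs 0.9M\n"
TAMPERED = b"[constructed placeholder for an encrypted file]\n"


class SyncMirror:
    """Models an auto-sync folder: every push overwrites the single mirror copy."""

    def __init__(self, root):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)

    def push(self, src):
        shutil.copy2(src, self.root / Path(src).name)

    def restore(self, name):
        return (self.root / name).read_bytes()


class VersionedBackup:
    """Keeps every distinct version of a file; older copies are never overwritten."""

    def __init__(self, root):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self.index = {}  # file name -> list of (generation, sha256 hex digest)

    def push(self, src):
        src = Path(src)
        data = src.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        history = self.index.setdefault(src.name, [])
        if history and history[-1][1] == digest:
            return history[-1][0]  # unchanged content: nothing new to store
        gen = len(history) + 1
        folder = self.root / src.name
        folder.mkdir(exist_ok=True)
        (folder / f"{gen:06d}-{digest[:12]}").write_bytes(data)
        history.append((gen, digest))
        return gen

    def versions(self, name):
        return list(self.index.get(name, []))

    def restore(self, name, before_generation=None):
        """Newest stored version, or the newest one older than before_generation."""
        candidates = [
            (gen, digest) for gen, digest in self.index.get(name, [])
            if before_generation is None or gen < before_generation
        ]
        if not candidates:
            raise FileNotFoundError(f"no version of {name!r} before generation {before_generation}")
        gen, digest = candidates[-1]
        data = (self.root / name / f"{gen:06d}-{digest[:12]}").read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            raise ValueError("stored copy does not match its recorded digest")
        return data


def simulate(workdir):
    """Push a clean file, overwrite it as the malware would, push again, then try to recover."""
    work = Path(workdir)
    source = work / "source" / "report.txt"
    source.parent.mkdir(parents=True, exist_ok=True)
    mirror = SyncMirror(work / "sync")
    backup = VersionedBackup(work / "backup")

    source.write_bytes(ORIGINAL)
    mirror.push(source)
    backup.push(source)

    source.write_bytes(TAMPERED)        # the overwrite the infection performs
    mirror.push(source)                 # auto-sync faithfully propagates it
    incident_gen = backup.push(source)  # the versioned store records it as a new generation

    return {
        "sync_restore": mirror.restore("report.txt"),
        "versioned_latest": backup.restore("report.txt"),
        "versioned_before_incident": backup.restore("report.txt", before_generation=incident_gen),
        "version_count": len(backup.versions("report.txt")),
    }


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        return simulate(tmp)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The generation number plays the role that a timestamp or snapshot ID plays in a real backup product: recovery means picking the last version written before the infection, which is only possible if the store never discards or overwrites old versions. The digest check on restore catches a backup copy that was itself altered in place, which is the same failure mode the sync folder exhibits.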