Wednesday, December 18, 2013

CryptoLocker: What it is, what it does & how you can defend against it

The CryptoLocker virus, actually a trojan horse, has been making a lot of headlines lately.  With publications such as ZDNet labelling it the "Menace of 2013" it's not hard to see why.  Let's take a look at what all the hype is about.

What Is CryptoLocker?
CryptoLocker is a form of malware known as ransomware.  It is called ransomware because it requires the victim to pay a ransom in order to undo the damage caused by it.  As of this writing CryptoLocker is only known to target Microsoft Windows-based systems.


CryptoLocker infections usually come from one of two sources.  The primary method of infection is from clicking a link contained in a phishing email.  Fraudulent delivery notifications from UPS, FedEx or DHL are the most common form of CryptoLocker phishing emails.

Another method of infection is from other malware infections.  Through their Command & Control (C&C) servers cybercriminals are able to do any number of things to your compromised PC.  One of them is to push updated or new versions of malware to your machine.  It is through this channel that cybercriminals are able to covertly install CryptoLocker on your system.  If you were infected by this method it would be a very good idea to scan all of your organization's computers with an offline AV product like Windows Defender Offline or Kaspersky's Rescue CD 10.  Chances are you'll find a number of infected machines; failing to clean them will only result in additional infections and other headaches.

What does CryptoLocker do?
After a successful installation on a Windows system CryptoLocker "dials home" to a remote C&C server.  Once connected to the server it uploads a file (Sophos refers to this as your "CryptoLocker ID"), then generates a 2048-bit RSA key pair, one public and the other private.  The private key, required for decryption, is stored on the remote server while the public key is sent to the infected machine.

Once the private & public keys have been generated the malware looks for and then encrypts certain types of data.  This encryption doesn't just affect what's stored on the local machine.  CryptoLocker will search for data on network (mapped) drives, USB drives, web-based storage connected to the system (think Google Drive) and any other data it can access.

After it has encrypted the user data CryptoLocker makes itself known.  The malware will display a pop-up informing the user of the infection.  It will tell the user they have 72 hours to pay the ransom or their data will be lost forever.  Clicking Next>> on the malware pop-up will provide instructions on how to pay the ransom.

I cannot stress this enough: DO NOT PAY THE RANSOM.  Remember, you are dealing with criminals; there is no guarantee you will receive the private key if you pay.  As of this writing there is no way of decrypting data affected by CryptoLocker.

What types of data does CryptoLocker target?
CryptoLocker targets a wide variety of file types.  Documents, spreadsheets, PDF documents, pictures, video, Outlook mail files, databases and more are all targets.  CryptoLocker even goes so far as to encrypt certain types of certificate files (*.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c).  This could cause a lot of problems if your organization is using certificate-based authentication or other services that rely on certificates.


What can I do to defend against CryptoLocker?
Here is a list of things to help mitigate a potential CryptoLocker infection:


1. Raise awareness of phishing, and other threats, throughout your
   organization, i.e. a Security Awareness program
   (See my 2013-12-17 post for some free resources to help out here)
2. Make sure all computers have anti-virus software installed & the
   virus definition files are current
3. Ensure all systems, both the operating system and applications,
   are up to date with any patches or hotfixes
4. Perform regular backups of your critical data.  This requires
   either a tape (old school) or disk based (HDD/CD/DVD)
   solution.  Online services that back up data can mistake the
   encrypted file for the newest version and archive it,
   leaving nothing but encrypted backups with the service
5. Do not put users in the local/domain administrators group(s).
   The malware can only encrypt data it can access, so limiting a
   user's privileges can help mitigate the damage of a CryptoLocker
   infection
6. Perform regular audits of file shares and applications.
   Implement a "principle of least privilege" approach: if a user
   doesn't require access to a resource then they should not have
   access to it
7. Use Windows Volume Shadow Copy Service (VSS).  This is not a
   cure-all, but it has been known to assist in recovering
   unencrypted versions of CryptoLocker-affected files
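Items 5 and 6 above both come down to the same question: which of your file shares can an ordinary user (and therefore malware running as that user) write to?  The PowerShell script below is an added example for auditing that; it is not code from the original post.  It lists the non-administrative disk shares on the machine it runs on and reports every NTFS access rule that grants write, modify or full-control rights to a broad principal.  The list of "broad" principals is an assumption you should adapt to your own domain, and it assumes PowerShell 3.0 or later with rights to read the shares' ACLs.

```powershell
# Added example (not from the original post): flag SMB shares whose NTFS ACL
# lets a broad group write to them. Effective access is the intersection of
# share permissions and NTFS permissions; this script checks NTFS only.

# Assumption: these are the principals we consider "everyone" in practice.
# Adjust for your domain (e.g. add your own "all staff" group).
$BroadPrincipals = @('Everyone',
                     'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users',
                     'Domain Users')

# Any of these rights lets a process overwrite an existing file, which is all
# ransomware needs in order to replace a document with an encrypted copy.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

# Win32_Share Type 0 = plain disk share; administrative shares (C$, ADMIN$)
# carry a different Type value and are skipped.
$Shares = Get-WmiObject -Class Win32_Share |
          Where-Object { $_.Type -eq 0 -and $_.Name -notmatch '\$$' }

foreach ($Share in $Shares) {
    $Acl = Get-Acl -Path $Share.Path
    foreach ($Ace in $Acl.Access) {
        # Only Allow rules widen access; Deny rules are not a problem here.
        if ($Ace.AccessControlType -ne 'Allow') { continue }

        $Principal   = $Ace.IdentityReference.Value
        # Match with or without a domain prefix, e.g. CONTOSO\Domain Users.
        $IsBroad     = $BroadPrincipals | Where-Object { $Principal -like "*$_" }
        $GrantsWrite = ($Ace.FileSystemRights -band $WriteRights) -ne 0

        if ($IsBroad -and $GrantsWrite) {
            [PSCustomObject]@{
                Share     = $Share.Name
                Path      = $Share.Path
                Principal = $Principal
                Rights    = $Ace.FileSystemRights
            }
        }
    }
}
```

Run it on each file server and review every row it prints: each one is a location where a single infected workstation, logged in as a normal user, could encrypt data that belongs to the whole organization.  Tightening those ACLs to the groups that actually need write access is the "principle of least privilege" step from item 6.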
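Item 7 mentions that Volume Shadow Copy Service can help recover unencrypted versions of affected files.  The script below is an added example of how to do that from PowerShell; it is not code from the original post.  It assumes shadow copies were already enabled on the volume before the infection, that the script runs elevated (creating the link and querying shadow copies both need it), and that the `$File` and `$RestoreDir` paths are placeholders you replace with your own.

```powershell
# Added example (not from the original post): copy a file out of the newest
# Volume Shadow Copy snapshot, so that a pre-encryption version can be
# recovered without touching the live (encrypted) file.

$File       = 'C:\Users\alice\Documents\budget.xlsx'  # placeholder: file to recover
$RestoreDir = 'C:\Recovered'                          # placeholder: where to put the copy
$Volume     = 'C:\'                                   # volume the file lives on
$LinkPath   = 'C:\shadow_mount'                       # temporary link to the snapshot

# Map the drive letter to the \\?\Volume{GUID}\ name that Win32_ShadowCopy uses.
$VolumeId = (Get-WmiObject -Class Win32_Volume |
             Where-Object { $_.Name -eq $Volume }).DeviceID

# Snapshots of this volume, oldest first. InstallDate is a WMI (DMTF) date
# string, so convert it before sorting.
$Shadows = Get-WmiObject -Class Win32_ShadowCopy |
           Where-Object { $_.VolumeName -eq $VolumeId } |
           Sort-Object { [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) }

if (-not $Shadows) {
    throw "No shadow copies exist for $Volume; nothing to recover from."
}

foreach ($Shadow in $Shadows) {
    $Taken = [Management.ManagementDateTimeConverter]::ToDateTime($Shadow.InstallDate)
    Write-Host "Shadow copy $($Shadow.ID) taken $Taken"
}

# Pick the newest snapshot. If the infection happened before it was taken,
# choose an earlier one from the list above instead.
$Chosen = $Shadows | Select-Object -Last 1

# DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN.
# mklink needs a trailing backslash to expose the snapshot as a directory tree.
cmd /c mklink /d $LinkPath "$($Chosen.DeviceObject)\" | Out-Null

try {
    # Path of the file inside the volume, e.g. Users\alice\Documents\budget.xlsx
    $Relative = $File.Substring($Volume.Length)
    $Source   = Join-Path $LinkPath $Relative

    if (-not (Test-Path $Source)) {
        throw "File not present in the chosen snapshot: $Source"
    }

    New-Item -ItemType Directory -Path $RestoreDir -Force | Out-Null
    Copy-Item -Path $Source -Destination $RestoreDir
    Write-Host "Recovered $Relative to $RestoreDir"
}
finally {
    # Removing the link does not touch the snapshot itself.
    cmd /c rmdir $LinkPath | Out-Null
}
```

Copy recovered files to a clean location rather than over the originals, and do the recovery only after the infected machine has been cleaned, otherwise the restored copies can simply be encrypted again.  As the post says, this is not a cure-all: it only works for files that were on a volume with shadow copies enabled, and only for versions captured in a snapshot taken before the encryption.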
