HOW TO STOP CRYPTOLOCKER RANSOMWARE IN ITS TRACKS

Multiple forms of ransomware, including Cryptolocker, Locky, TeslaCrypt, Petya, and SamSam, have taken captive millions of victims – from small businesses to hospitals and major news sites like the New York Times, BBC, and Newsweek.

American Electric Power, the largest power grid operator in the U.S., was infected with ransomware after a supervisor opened a personal email on a company laptop. Hollywood Presbyterian Medical Center became infected with malware, shutting down its communications capabilities. Ten days later, after having to keep records with pen and paper, the facility paid $17,000 in bitcoin to regain access to its system. Days later, the Los Angeles County Department of Health Services became infected with a program that blocked access to its data.  

Those are just a few examples of the havoc ransomware can wreak on businesses.

In particular, Cryptolocker is a family of ransomware whose business model is based on extorting money from users. It hijacks users’ documents and asks them to pay a ransom, usually in bitcoin, with a time limit.  

Cryptolocker ransomware starts innocently enough. The victim receives an email with a password-protected .zip file purporting to come from a logistics company. The Trojan runs when the user opens the attached .zip file, enters the password included in the message, and tries to open the .pdf it appears to contain. Cryptolocker takes advantage of Windows’ default behavior of hiding known file extensions to disguise the real .exe extension of the malicious file: a file named like "invoice.pdf.exe" is displayed simply as "invoice.pdf".
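The disguise described above is easy to check for mechanically. The following is an added example (not code from the original post) of a small attachment-name check of the kind a mail gateway or endpoint agent might run: it models the "hide extensions for known file types" display rule in a simplified way (the last extension is hidden), flags names whose real extension is executable, and calls out the decoy document extension that a user would see. The extension lists and sample file names are constructed for the demonstration.

```python
"""Flag attachment names that rely on Windows hiding the last extension.

Added example, not part of the original post. With "Hide extensions for known
file types" enabled, Explorer shows "invoice.pdf.exe" as "invoice.pdf", so a
defensive check must look at the real (last) extension, not the displayed one.
"""
import os

# Extensions Windows executes directly on double-click (assumed, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".hta", ".cpl"}
# Document-looking extensions typically used as the visible decoy (assumed list).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def explorer_display_name(filename: str) -> str:
    """Simplified model of Explorer's display: the last extension is hidden."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify_attachment(filename: str) -> dict:
    """Return a verdict for one attachment name with the reasons it was flagged."""
    lowered = filename.lower()
    stem, real_ext = os.path.splitext(lowered)
    _, decoy_ext = os.path.splitext(stem)   # the extension the user would *see*
    reasons = []
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"real extension {real_ext} is executable")
        if decoy_ext in DECOY_EXTS:
            reasons.append(f"decoy {decoy_ext} extension is what Explorer displays")
    return {
        "name": filename,
        "displayed_as": explorer_display_name(filename),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan_attachments(filenames) -> list:
    """Return the names (in input order) that should be blocked or quarantined."""
    return [f for f in filenames if classify_attachment(f)["suspicious"]]


# Constructed sample attachment names for the demonstration.
SAMPLE_ATTACHMENTS = [
    "invoice.pdf",          # harmless: displayed as "invoice"
    "invoice.pdf.exe",      # disguised executable: displayed as "invoice.pdf"
    "shipping_label.doc",   # harmless document
    "tracking.jpg.scr",     # screensaver executable disguised as an image
    "setup.exe",            # plainly an executable, still not a document
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        verdict = classify_attachment(name)
        flag = "BLOCK" if verdict["suspicious"] else "ok   "
        print(f"{flag} {name!r} shown as {verdict['displayed_as']!r}: {'; '.join(verdict['reasons'])}")
```

Windows only hides extensions it recognises, so the display model here is deliberately simplified; the point the check relies on is that the *last* extension decides what runs, and that is what must be inspected.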

As soon as the victim runs it, the Trojan: 

  • saves itself to a folder in the user’s profile (e.g. AppData or LocalAppData); 
  • adds a key to the registry so it runs every time the computer starts up; and 
  • spawns two processes of itself for redundancy. 
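The first two of those actions leave a durable trace: an autorun registry value whose command points into the user's profile. As an added example (not from the original post), the script below audits an exported copy of the Run/RunOnce keys, the text you get from `reg export` or from saving a key in Registry Editor, and flags entries whose executable lives under AppData, LocalAppData or a temp directory. The sample export, the registry value names and the file name in it are constructed for the demonstration; legitimate software does sometimes start from AppData, so hits are leads for review, not verdicts.

```python
"""Audit an exported HKCU Run/RunOnce key for executables in user-writable folders.

Added example, not part of the original post. Parses .reg export text (the
format produced by `reg export` / Registry Editor), extracts the executable path
from each autorun command and flags paths under profile folders such as AppData.
"""
import re

# Directories (lower-cased fragments) an autorun entry should rarely point into (assumed list).
SUSPECT_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\appdata\\locallow\\",
                "\\temp\\", "\\downloads\\")

REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def unescape_reg(value: str) -> str:
    """Undo .reg escaping: '\\\\' -> '\\' and '\\"' -> '"', processed left to right."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def command_path(command: str) -> str:
    """Extract the executable from an autorun command line (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def parse_reg_export(text: str):
    """Yield (key, value_name, command) for every string value in the export."""
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key:
            m = REG_VALUE_RE.match(line)
            if m:
                yield current_key, m.group("name"), unescape_reg(m.group("value"))


def audit_autoruns(text: str) -> list:
    """Return findings for Run/RunOnce values whose executable sits in a suspect folder."""
    findings = []
    for key, name, command in parse_reg_export(text):
        if not key.lower().endswith(("\\run", "\\runonce")):
            continue
        path = command_path(command)
        hit = next((d for d in SUSPECT_DIRS if d in path.lower()), None)
        if hit:
            findings.append({"key": key, "value": name, "path": path,
                             "reason": f"executable under {hit.strip(chr(92))}"})
    return findings


# Constructed sample export: one normal entry, one entry of the kind Cryptolocker adds.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\xfcdkqwe.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Windows\\System32\\cleanmgr.exe /autoclean"
'''

if __name__ == "__main__":
    for f in audit_autoruns(SAMPLE_REG_EXPORT):
        print(f"[{f['key']}] {f['value']} -> {f['path']} ({f['reason']})")
```

Running this over a real export is a quick triage step during incident response; pairing it with a process listing (the third action above produces two copies of the same image running from the same profile path) narrows things further.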

The Trojan generates a random symmetric key for each file it encrypts, encrypts the file’s content with that key, and then encrypts the random key itself with the malware writer’s public key. This way, only the owner of the matching private key can recover the key used to encrypt each file. Also, because the original files are overwritten in place, it is impossible to retrieve them using forensic methods. 

When the Trojan finishes encrypting every file, it displays a message asking the user to make a ransom payment before the private key kept by the malware writer is destroyed. 

Unfortunately, so far as we can tell, there are no easy shortcuts to get your data back if you don’t have a recent backup. Here are six ways to try to protect yourself from Cryptolocker ransomware threats: 

  1. Back up regularly and encrypt your backup files. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop, or even an accidental deletion. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.  
  2. Don’t enable macros in document attachments emailed to you. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. Many malware infections are dependent on you turning macros back on – don’t fall for that trap.  
  3. Don’t open unsolicited attachments. Hackers are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, don’t open it. 
  4. Don’t give yourself more login power than you need. Most importantly, don’t stay logged in as an administrator any longer than is strictly necessary. Avoid browsing, opening documents, or other standard work activities while you have administrator rights.  
  5. Install Microsoft Office viewers. These viewer applications let you see what documents look like without opening them in Word or Excel itself. In particular, the viewer software doesn’t support macros at all, so you can’t enable macros by mistake.  
  6. Patch early, patch often. Malware that doesn’t come in via document macros often relies on security bugs in popular applications such as Office, your browser, Flash, and more. The sooner you patch, the fewer open holes remain for hackers to exploit.  
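A backup only helps if you can tell it has not itself been silently overwritten, which is exactly what ransomware does to anything it can reach. As an added example for tip 1 (not code from the original post), the script below builds a SHA-256 manifest of a backup tree, then verifies the tree against that manifest and reports files that were modified, went missing or appeared, which is the signature of an encrypt-and-rename run. The backup directory and its files are constructed in a temporary folder for the demonstration; it assumes the manifest is stored somewhere the backup process cannot modify, and leaves encryption of the backup media itself to the backup tool.

```python
"""Build and verify a SHA-256 manifest for a backup tree.

Added example, not part of the original post. A manifest taken when the backup
was made lets you prove later that no file was overwritten, renamed or removed.
Keep the manifest off the backup volume (and ideally offline) so that whatever
touches the backup cannot also rewrite the manifest.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each file's POSIX-style relative path to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest: dict, path) -> None:
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path) -> dict:
    return json.loads(Path(path).read_text())


def verify_backup(root, manifest: dict) -> dict:
    """Compare the tree now against the manifest; any difference is a finding."""
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    new = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "new": new,
            "clean": not (modified or missing or new)}


def demo() -> dict:
    """Create a constructed backup, record it, simulate an encrypt-and-rename, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "docs").mkdir(parents=True)
        (root / "photos").mkdir()
        (root / "docs" / "report.txt").write_text("Q3 numbers\n")
        (root / "photos" / "a.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg stub")

        manifest_file = Path(tmp) / "manifest.json"   # stored outside the backup tree
        save_manifest(build_manifest(root), manifest_file)
        before = verify_backup(root, load_manifest(manifest_file))
        if not before["clean"]:
            raise RuntimeError("fresh backup should verify clean")

        # Simulated tampering: one file overwritten in place, one renamed.
        (root / "docs" / "report.txt").write_bytes(b"\x00\x13\x37 placeholder ciphertext")
        (root / "photos" / "a.jpg").rename(root / "photos" / "a.jpg.locked")
        return verify_backup(root, load_manifest(manifest_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the verification on a schedule, and before every restore, turns the backup from something you hope is intact into something you have checked; a manifest that suddenly reports dozens of modified and renamed files is also an early warning that the backup location itself is exposed.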

While those best practices are the right actions to take in the short term, it’s important to create and implement a long-term strategy that will catch ransomware and other cyberattacks before they even reach your IT environment.  

We can help: Our solutions are flexible enough to protect you from cyberattacks whether you decide to fortify your existing IT environments or migrate your company into a secure cloud.

  • Protect your company's existing IT environments and data with US Cyber Shield, which instantly detects and neutralizes cyberthreats before they reach your network. Our expert team of intelligence agents combined with distributed denial of service protection, next-generation firewalls, advanced malware, intrusion protection and detection, and data loss prevention technology will secure your company from threats without expensive purchases of brand-new IT infrastructure.  
  • US Cyber Vault protects your assets with hardened security implemented at every layer, from hardware to application. Military-grade encryption is applied to all your data and communications by default and the speed of our threat detection is unparalleled: less than 24 hours, not the industry standard of 7 months. If an unplanned event should occur, countermeasures trap the attacker and mitigate damage while our intelligence team responds immediately.    

Written by Rob LaMear, CEO, US Cyber Vault