In this article I will attempt to answer the following questions:
- What are the CryptoLocker and CryptoWall viruses?
- How can you mitigate the attack?
- How can you recover rapidly if you are attacked?
- How can you educate your users to help you?
Ransomware stops you from using your computer and holds your files for ransom. Some variants are called the "FBI Moneypack" or "FBI Virus" because they display the FBI's logo. http://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx
CryptoLocker is a ransomware trojan that propagated via infected email attachments and via an existing botnet; when activated, the malware encrypted certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displayed a message offering to decrypt the data if a payment (through either Bitcoin or a pre-paid cash voucher) was made by a stated deadline, and threatened to delete the private key if the deadline passed. If the deadline was not met, the malware offered to decrypt the data via an online service provided by the malware's operators, for a significantly higher price in Bitcoin. http://en.wikipedia.org/wiki/CryptoLocker
CryptoWall is a Trojan horse that encrypts files on the compromised computer. It then asks the user to pay to have the files decrypted. The threat typically arrives on the affected computer through spam emails, exploit kits hosted on malicious ads or compromised sites, or other malware. Once the Trojan is executed on the compromised computer, it creates a number of registry entries to store the paths of the encrypted files and to run every time the computer restarts. It encrypts files with particular extensions and creates additional files with instructions on how to obtain the decryption key. This threat family attempts to convince the user to pay money in order to get the key to unlock their files, and uses a variety of techniques to encourage the user to pay the ransom. http://www.symantec.com/security_response/writeup.jsp?docid=2014-061923-2824-99
This is an example of the message sent:
The message also contains a link to a website where the user can make the payment. These sites are typically hosted on the anonymous Tor network, which helps the attacker hide their identity. The threat may ask the user to download a Tor network browser in order to view the site, though newer versions of the threat do not require the user to do this. The user may have to pay using cryptocurrencies such as bitcoin to further prevent the attacker’s identity from being traced.
What you can do to protect your business:
One of the best presentations I have found on this subject is the one from Trend Micro called Ransomware Security Threats: Defending Against CryptoLocker & CryptoWall, in which their security expert Jon Clay gives practical suggestions that you can employ whether or not you are a Trend customer. He gets into the items a commercial business should watch for about 40 minutes into the presentation.
Configure devices for specific purposes and take advantage of Windows features such as AppLocker
Attackers target users with high privileges. A computer whose only job is to run Microsoft Word has no need to execute arbitrary programs, so consider whitelisting the applications it is allowed to run and denying everything else. A whitelist of the installed software also stops an executable that an email attachment drops into a user-writable folder, because that location is never on the list.
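As an added example (not code from the article or from the Trend Micro talk), the following PowerShell uses the AppLocker cmdlets that ship with Windows to build exactly that whitelist for a single-purpose workstation: everything already installed under Program Files and Windows is allowed for Everyone, Administrators keep an allow-all path rule so the machine stays serviceable, and the policy is deployed in audit mode so that a week of event-log review can precede enforcement. The output path and the second sample path are assumptions.

```powershell
# Added example, not the article's own code. Run in an elevated Windows PowerShell on an
# AppLocker-capable edition (Enterprise/Education) with the AppLocker module available.
Import-Module AppLocker

$policyFile = 'C:\Policies\AppLocker-Whitelist.xml'   # assumed output location

# 1. Inventory the executables and scripts in the trees standard users cannot write to.
#    Once the Exe collection contains at least one rule, anything not matched by a rule,
#    such as a .exe dropped into %AppData%, is denied by default.
$inventory = Get-AppLockerFileInformation -Directory 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows' -Recurse -FileType Exe, Script

# 2. Turn the inventory into allow rules for Everyone: publisher rules for signed binaries,
#    hash rules for the rest. -Optimize merges rules that share a publisher.
[xml]$doc = $inventory | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Add the standard "Administrators may run anything" path rule to each collection and
#    set every collection to AuditOnly, so mistakes show up as events instead of lockouts.
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $rule = $doc.CreateElement('FilePathRule')
    $rule.SetAttribute('Id', [guid]::NewGuid().ToString())
    $rule.SetAttribute('Name', 'Administrators: all files')
    $rule.SetAttribute('Description', 'Keeps the machine serviceable; standard users get only the generated rules')
    $rule.SetAttribute('UserOrGroupSid', 'S-1-5-32-544')   # BUILTIN\Administrators
    $rule.SetAttribute('Action', 'Allow')
    $conditions = $doc.CreateElement('Conditions')
    $path = $doc.CreateElement('FilePathCondition')
    $path.SetAttribute('Path', '*')
    [void]$conditions.AppendChild($path)
    [void]$rule.AppendChild($conditions)
    [void]$collection.AppendChild($rule)
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
New-Item -ItemType Directory -Path (Split-Path $policyFile) -Force | Out-Null
$doc.Save($policyFile)

# 4. Ask the policy how it would treat concrete files before applying it. The first sample
#    is a signed Windows binary (expected: Allowed); the second is an assumed path where a
#    mail attachment might land (expected: DeniedByDefault, if the file exists).
$samples = "$env:SystemRoot\System32\notepad.exe", "$env:LOCALAPPDATA\Temp\invoice.exe"
Test-AppLockerPolicy -XmlPolicy $policyFile -Path ($samples | Where-Object { Test-Path $_ }) -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5. Apply to the local machine. The Application Identity service (AppIDSvc) must be running
#    for AppLocker to evaluate anything. Review the AppLocker/EXE and DLL event log (event
#    8003 = would have been blocked) before changing EnforcementMode to Enabled.
Set-AppLockerPolicy -XmlPolicy $policyFile
```

The inventory over C:\Windows is large and the hash rules it produces go stale with every patch, which is why publisher rules are preferred wherever a binary is signed; re-run the inventory after major updates and keep the audit window long enough to see the monthly patch cycle once.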
Enable extended threat protection technologies:
Enable the additional detection layers your anti-malware solution offers. Malware is routinely customised for each campaign or target, so signature-based detection on its own is unreliable; the layers below catch what signatures miss.
- Email reputation: the anti-spam layer that checks whether inbound mail is really coming from legitimate sending addresses and infrastructure.
- True file type filtering: attackers disguise executables by naming them .doc, .jpg or similar, so make sure your scanning software identifies the type from the file's content rather than from its extension.
- Web reputation: lets you block known-malicious websites and monitor website downloads.
- Behavior monitoring: watches what a file does when it is accessed or executed, so that a sample the signatures miss is still caught when it starts behaving maliciously, for example by rewriting large numbers of documents.
- Community file reputation: a newer technique that looks at how widely, and for how long, a file has been seen across the vendor's customer base. A file that very few users have and that has only been around for a short time is treated as suspect.
Back up your backups.
Ransomware encrypts every backup file it can reach, including backups on mapped or shared network drives. Keep additional copies of everything on storage that cannot be accessed remotely from the infected machine, for example media that is disconnected after each backup run.
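Knowing whether the copy you are about to restore from is still intact is the other half of "back up your backups". The following PowerShell is an added example (not the article's code) that records a SHA-256 manifest of a backup set and later compares a copy against it; the manifest belongs with the offline copy, since anything the malware can reach it can also rewrite. The folder names are constructed for the demonstration and the "attack" on the reachable copy is simulated in the script.

```powershell
# Added example, not the article's own code. Manifest-based integrity check for a backup set.
function New-BackupManifest {
    param([string]$Root, [string]$ManifestPath)
    $Root = (Resolve-Path -LiteralPath $Root).ProviderPath
    Get-ChildItem -LiteralPath $Root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($Root.Length).TrimStart('\', '/')
            Length       = $_.Length
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

function Compare-BackupManifest {
    param([string]$Root, [string]$ManifestPath)
    $Root = (Resolve-Path -LiteralPath $Root).ProviderPath
    $expected = @{}
    Import-Csv -LiteralPath $ManifestPath | ForEach-Object { $expected[$_.RelativePath] = $_.SHA256 }
    $seen    = @{}
    $results = New-Object System.Collections.Generic.List[object]
    foreach ($file in Get-ChildItem -LiteralPath $Root -File -Recurse) {
        $rel = $file.FullName.Substring($Root.Length).TrimStart('\', '/')
        $seen[$rel] = $true
        if (-not $expected.ContainsKey($rel)) {
            # A file the manifest never saw: a ransom note, or a victim renamed with a new extension.
            $results.Add([pscustomobject]@{ File = $rel; Status = 'NEW' })
            continue
        }
        $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        if ($hash -ne $expected[$rel]) {
            # Same name, different content: overwritten in place.
            $results.Add([pscustomobject]@{ File = $rel; Status = 'MODIFIED' })
        }
    }
    foreach ($rel in $expected.Keys) {
        if (-not $seen.ContainsKey($rel)) { $results.Add([pscustomobject]@{ File = $rel; Status = 'MISSING' }) }
    }
    return $results
}

# --- Demonstration with constructed data ----------------------------------------------
$work     = Join-Path ([System.IO.Path]::GetTempPath()) ('backup-demo-' + [guid]::NewGuid())
$backup   = Join-Path $work 'backup'        # the copy an infected machine can reach
$manifest = Join-Path $work 'manifest.csv'  # in real use this lives with the offline copy
New-Item -ItemType Directory -Path "$backup\finance" -Force | Out-Null
Set-Content -LiteralPath "$backup\finance\ledger.xlsx"    -Value 'constructed ledger'
Set-Content -LiteralPath "$backup\finance\contracts.docx" -Value 'constructed contract'
Set-Content -LiteralPath "$backup\notes.txt"              -Value 'constructed notes'
New-BackupManifest -Root $backup -ManifestPath $manifest

# Simulate what ransomware does to a reachable backup: overwrite one file with random bytes
# standing in for ciphertext, rename another, and drop a ransom note.
$random = New-Object byte[] 64
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($random)
[System.IO.File]::WriteAllBytes("$backup\finance\ledger.xlsx", $random)
Rename-Item -LiteralPath "$backup\finance\contracts.docx" -NewName 'contracts.docx.encrypted'
Set-Content -LiteralPath "$backup\DECRYPT_INSTRUCTIONS.txt" -Value 'constructed ransom note'

Compare-BackupManifest -Root $backup -ManifestPath $manifest | Sort-Object File | Format-Table -AutoSize
Remove-Item -LiteralPath $work -Recurse -Force
```

On the constructed data the comparison reports four findings: DECRYPT_INSTRUCTIONS.txt and finance\contracts.docx.encrypted as NEW, finance\contracts.docx as MISSING and finance\ledger.xlsx as MODIFIED, while notes.txt is silent. Any MODIFIED or MISSING entry that does not correspond to a restore you performed yourself means that copy is no longer a backup, and it is time to reach for the offline one.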
I don't always think the US government gives practical and usable suggestions related to IT security because they typically have enormous resources, budgets and endless tax revenue to use on these issues and small, medium, and most large enterprises do not. If, however, you are interested in what the US government has to say, here is an interesting tip summary.
Review your policies regarding email attachments
This is key because ransomware usually arrives as a malicious email attachment. Email is also easily circulated: forwarding is trivial, and viruses can quickly infect many machines. Many viruses don't even need the user to forward the email; the virus scans the computer for contacts and sends the infected message to all of them. https://www.us-cert.gov/ncas/tips/ST04-010
Block all executable files. If you don't need to share executables, block all of them.
- Save and scan any attachments before opening them. If you have to open an attachment before you can verify the source, take the following steps:
  - Be sure the signatures in your anti-virus software are up to date.
  - Save the file to your computer or a disk.
  - Manually scan the file using your anti-virus software.
  - If the file is clean and doesn't seem suspicious, go ahead and open it.
- Turn off the option to automatically download attachments. To simplify the process of reading email, many email programs offer to download attachments automatically. Check your settings to see if your software offers the option, and make sure to disable it.
- Consider creating separate accounts on your computer. Most operating systems give you the option of creating multiple user accounts with different privileges. Consider reading your email on an account with restricted privileges; some viruses need administrator privileges to infect a computer. (This might not be the most practical tip to apply!)
- Apply additional security practices. You may be able to filter certain types of attachments through your email software or a firewall.
https://www.us-cert.gov/ncas/tips/ST04-010
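The true file type point from the Trend Micro list and the "block all executable files" advice above amount to one gateway rule: decide by content first and by name second. The following PowerShell is an added example, not code from the article or from US-CERT, that classifies saved attachments that way. The magic-byte table covers a handful of common formats, the extension deny list is a starting point to tune for your own environment, and the sample files are constructed on the spot so the script runs offline.

```powershell
# Added example, not the article's own code. Classifies files the way a true-file-type
# filter does: by the leading bytes first, then by extension, so a renamed .exe is still caught.
$signatures = @(
    @{ Type = 'exe';  Magic = [byte[]](0x4D, 0x5A);                                     Extensions = '.exe', '.dll', '.scr', '.pif', '.cpl', '.sys' }
    @{ Type = 'zip';  Magic = [byte[]](0x50, 0x4B, 0x03, 0x04);                         Extensions = '.zip', '.docx', '.xlsx', '.pptx', '.docm', '.jar' }
    @{ Type = 'ole';  Magic = [byte[]](0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1); Extensions = '.doc', '.xls', '.ppt', '.msi' }
    @{ Type = 'pdf';  Magic = [byte[]](0x25, 0x50, 0x44, 0x46);                         Extensions = '.pdf' }
    @{ Type = 'jpeg'; Magic = [byte[]](0xFF, 0xD8, 0xFF);                               Extensions = '.jpg', '.jpeg' }
    @{ Type = 'png';  Magic = [byte[]](0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A); Extensions = '.png' }
)

# Extensions Windows will run or hand to a script interpreter directly. Deny these by name
# even when the content looks harmless; a mail attachment has no business being one of them.
$denyExtensions = '.exe', '.dll', '.scr', '.pif', '.cpl', '.com', '.bat', '.cmd', '.msi',
                  '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta', '.ps1', '.jar', '.lnk'

function Get-TrueFileType {
    param([string]$Path)
    $header = New-Object byte[] 8
    $stream = [System.IO.File]::OpenRead($Path)
    try { $read = $stream.Read($header, 0, $header.Length) } finally { $stream.Dispose() }
    foreach ($sig in $signatures) {
        if ($read -lt $sig.Magic.Length) { continue }
        $match = $true
        for ($i = 0; $i -lt $sig.Magic.Length; $i++) {
            if ($header[$i] -ne $sig.Magic[$i]) { $match = $false; break }
        }
        if ($match) { return $sig }
    }
    return $null
}

function Test-Attachment {
    param([string]$Path)
    # GetExtension returns only the last extension, so "invoice.pdf.exe" is judged as .exe.
    $ext  = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    $sig  = Get-TrueFileType -Path $Path
    $type = if ($sig) { $sig.Type } else { 'unknown' }
    $verdict = if ($type -eq 'exe') { 'BLOCK: Windows executable (MZ header) whatever the name' }
               elseif ($denyExtensions -contains $ext) { "BLOCK: extension $ext is on the deny list" }
               elseif ($sig -and $sig.Extensions -notcontains $ext) { "QUARANTINE: content is $type but the name says $ext" }
               else { 'ALLOW: save and scan with anti-virus before opening' }
    [pscustomobject]@{ File = Split-Path -Leaf $Path; Extension = $ext; TrueType = $type; Verdict = $verdict }
}

# --- Constructed samples in a scratch folder; nothing here comes from a real mailbox ---
$inbox = Join-Path ([System.IO.Path]::GetTempPath()) ('attachments-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $inbox | Out-Null
$mz = [byte[]](0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00)                      # start of a PE file
[System.IO.File]::WriteAllBytes("$inbox\Report.doc", $mz)                            # executable renamed to .doc
[System.IO.File]::WriteAllBytes("$inbox\invoice.pdf.exe", $mz)                       # double extension
[System.IO.File]::WriteAllBytes("$inbox\photo.jpg", [byte[]](0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A))  # PNG named .jpg
[System.IO.File]::WriteAllText("$inbox\statement.pdf", '%PDF-1.4 constructed sample')
[System.IO.File]::WriteAllText("$inbox\readme.txt", 'plain text')
[System.IO.File]::WriteAllText("$inbox\tracking.js", "WScript.Echo('sample')")

Get-ChildItem -LiteralPath $inbox -File | ForEach-Object { Test-Attachment -Path $_.FullName } | Format-Table -AutoSize
Remove-Item -LiteralPath $inbox -Recurse -Force
```

On the constructed samples, Report.doc and invoice.pdf.exe are blocked on their MZ header regardless of name, tracking.js is blocked by extension, photo.jpg is quarantined because its content is PNG, and statement.pdf and readme.txt pass through to the usual save-and-scan step. A real gateway would apply the same logic inside archives, since a .zip containing a .js is the form these campaigns most often take.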
Microsoft has invested billions in IT security, as most people are aware. Here is how they weigh in on the matter. From an employee education perspective you may want to use your training tools to share tips like the ones below with employees. If you need a tool that quickly sends security training information to an employee, look into this one, which can send a tip to anyone and quiz them on their understanding of it.
Don’t be tricked into downloading malware
Instead, follow this advice:
- Be very cautious about opening an attachment or clicking a link in an email, instant message, or post on social networks (like Facebook)—even if you know the sender. Call to ask if a friend sent it; if not, delete it or close the IM window.
- Avoid clicking Agree, OK, or I accept in banner ads, in unexpected pop-up windows with warnings or offers to remove spyware or viruses, or on websites that may not seem legitimate.
  - Instead, press CTRL + F4 on your keyboard to close the window.
  - If the window doesn't close, press ALT + F4 on your keyboard to close the browser. If asked, close all tabs and don't save any tabs for the next time you start the browser.
- Only download software from websites you trust. Be cautious of “free” offers of music, games, videos, and the like. They are notorious for including malware in the download.
- Take advantage of technology—such as Windows SmartScreen in Windows 8—designed to help protect you from phishing scams and new malware that your anti-malware software hasn’t detected yet.
http://www.microsoft.com/security/pc-security/protect-pc.aspx
Turn off automatic sync to the cloud
Files you sync to the cloud can be hit too: when ransomware rewrites a document in a synced folder, the sync client uploads the encrypted version over the good copy. If you use cloud storage, turn off automatic syncing, and check whether your provider keeps earlier versions of files that you can roll back to.
I would always recommend you contact law enforcement if you do get encrypted. They will be better placed to give you advice on whether to pay the ransom or not.
In summary, you really need to back up your backups. I say this because this threat is as much about disaster recovery preparation as it is about IT security products, education and prevention tips. You must assume that it will happen. If it does, what comes next (assuming that you don't want to pay the ransom)? You will turn to your backups, which, if the malware could reach them, will have been encrypted along with everything else. Then you will need the backups of your backups.