Cryptolocker: Highly Motivating Ransomware
Ransomware is nothing new. In one way or another, this software hijacks your computer and demands payment in no uncertain terms.
Most of the time (the older “screen locker” variety), a technically competent person can go in, remove the lock, and all is right with the world. Paying the criminals does you no good at all; nobody on the other end is going to unlock anything.
Recently, a troubling variant has been making inroads on unprotected mailboxes worldwide. Called Cryptolocker, this malware installs itself on your computer and encrypts every data file it can get its hands on, then goes to your mapped network shares and goes to town on those files as well. Promptly, you’ll be greeted with a dialog demanding payment of $200-$300 via their preferred payment method, along with a ticking clock granting you 92 hours to comply. There is some honor among these thieves: if you pay, they attempt to, and often do, restore access to those files.
The files are encrypted with AES, and the key needed to undo it is held by the attackers, so once the tool has run there is nothing we can do to recover those files. We will be restoring from your most recent backups, provided the tool did not encrypt those too. Depending on your backup scheme, that is a real possibility: Cryptolocker runs with the permissions of whoever opened the attachment, so any backup destination that user can write to, including a mapped drive or an external disk left connected, is within its reach.
There are some steps you can take to make sure we’re not restoring that backup – or worse:
- First, do not open email attachments you were not expecting. Common ruses include UPS/USPS tracking documents, Xerox, Wells Fargo and other notable corporate ‘secure documents’, and unknown ‘friends’ asking you to “check out this file”.
- Use an online backup service that is not reachable as a mapped drive to keep a copy of your data off-site. Because the backup can only be reached through the service’s own client and credentials, it is effectively out of reach of the malware, and it can often run multiple times per day. Check that the service keeps previous versions of files; otherwise a backup run after the infection can overwrite your good copies with encrypted ones.
- For on-site backup systems, create a dedicated account for the backup software and make it the only non-administrator account with write access to the backup destination. Because Cryptolocker runs as the user who opened the attachment, properly configured Windows file permissions put the backups out of its reach.
- Run and maintain antivirus software from a reputable vendor, and keep its definitions current. ThreatTrack Vipre and Kaspersky are two that come to mind. Antivirus alone will not catch every new sample, which is why the backup steps above matter.
- Operate your computer as a standard user rather than as an administrator, and password-protect the administrator account. Malware running as a standard user can only damage what that user can write to.
- A free application, CryptoPrevent, can easily apply a restrictive security policy to your workstation. Please note that this may interfere with the normal operation of your system, and resolving that may require technical expertise. Use it at your own risk. Following a correct backup procedure and the practices above should be sufficient unless you engage in high-risk activities.
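Here is an added example (not code from the original post, and not CryptoPrevent’s own code) of what the backup-account tip and the restrictive-policy tip look like when done by hand on a single Windows machine from an elevated PowerShell prompt. It assumes a local backup account named `svc_backup` and a backup folder at `D:\Backups`; both are placeholders. It also assumes the “restrictive security policy” the post refers to is a Software Restriction Policy path rule of the kind that blocks programs from launching out of the per-user folders a mailed dropper unpacks into; that is an assumption about mechanism, not something the post states.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell prompt.
# (a) a backup folder only a dedicated account (and Administrators) can write to
# (b) Software Restriction Policy (SRP) path rules that refuse to run .exe files from
#     %AppData%, %LocalAppData% and the Temp folders archive tools extract into
# Placeholders: the account name, the folder, and the blocked path list. Adjust to taste.
# Get-LocalUser/New-LocalUser need PowerShell 5.1; on older systems use `net user <name> /add`.

$BackupRoot = 'D:\Backups'
$BackupUser = 'svc_backup'

# ---- (a) backup destination out of reach of the logged-in user ---------------------------
# Cryptolocker runs with the privileges of whoever opened the attachment, so anything that
# user can write to (mapped drives included) is fair game. A folder that only svc_backup and
# Administrators can modify is not, as long as day-to-day work is done as a standard user.
if (-not (Get-LocalUser -Name $BackupUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $BackupUser"
    New-LocalUser -Name $BackupUser -Password $pw -PasswordNeverExpires `
        -Description 'Runs the backup job; only non-admin account allowed to write backups' | Out-Null
}
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# Drop inherited ACEs (normally 'Users: Read & execute', and often worse on a share), then
# grant exactly three principals. (OI)(CI) = applies to files and subfolders; F = full, M = modify.
icacls $BackupRoot /inheritance:r | Out-Null
icacls $BackupRoot /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "${BackupUser}:(OI)(CI)M" | Out-Null

# Check: logged in as a normal user, this must fail with 'Access to the path is denied':
#   New-Item -Path 'D:\Backups\canary.txt' -ItemType File
icacls $BackupRoot   # prints the resulting ACL for review

# ---- (b) SRP path rules: no .exe may launch from user-writable drop locations -------------
# Written directly to the registry keys the Local Security Policy editor uses.
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path "$srp\0\Paths" -Force | Out-Null                                   # level 0 = Disallowed
Set-ItemProperty -Path $srp -Name DefaultLevel       -Value 0x40000 -Type DWord   # everything else Unrestricted
Set-ItemProperty -Path $srp -Name TransparentEnabled -Value 1       -Type DWord   # enforce for all programs (2 would include DLLs)
Set-ItemProperty -Path $srp -Name PolicyScope        -Value 0       -Type DWord   # 0 = all users, admins included

$blocked = @(
    '%AppData%\*.exe',       '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',  '%LocalAppData%\*\*.exe',
    '%LocalAppData%\Temp\Rar*\*.exe',   # WinRAR extraction folder when an archive is opened from mail
    '%LocalAppData%\Temp\7z*\*.exe',    # 7-Zip extraction folder
    '%LocalAppData%\Temp\wz*\*.exe',    # WinZip extraction folder
    '%LocalAppData%\Temp\*.zip\*.exe'   # Windows built-in zip folder
)
foreach ($path in $blocked) {
    # each rule is a GUID-named subkey under the Disallowed (0) level
    $key = "$srp\0\Paths\$([guid]::NewGuid().ToString('B').ToUpper())"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData     -Value $path -Type ExpandString
    Set-ItemProperty -Path $key -Name SaferFlags   -Value 0     -Type DWord
    Set-ItemProperty -Path $key -Name Description  -Value 'Block .exe launched from user-writable path (ransomware mitigation)'
    Set-ItemProperty -Path $key -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

# Check: log off and back on, copy a known-good program into %AppData% and launch it.
# It must fail with "This program is blocked by group policy", and the Application event log
# records the block (source SoftwareRestrictionPolicies, event ID 866):
#   Copy-Item "$env:SystemRoot\System32\notepad.exe" "$env:AppData\test.exe"; & "$env:AppData\test.exe"
```

The policy half is where the post’s “may interfere with normal operation” warning bites: some legitimate software installs itself per-user under %AppData% or %LocalAppData% and will be blocked too. The fix is to add an Unrestricted rule (the same subkey layout under level `262144`, which is `0x40000`) for each such program’s full path before rolling the block rules out, and to test on one machine first. The permissions half has its own caveat: it only helps if nobody does day-to-day work as an administrator, which is why it pairs with the standard-user tip.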
For more complex installations, there are several measures your IT provider can implement on a network-wide basis that are very effective but a bit more technical to put in place. Consult a professional.
I do not wish to scare you, but if you follow the above tips you should be relatively safe.