What is ransomware?
Cryptolocker is a type of ransomware, which Microsoft defines as malicious software that locks a
computer and retains control until you pay a certain amount of money. Ransomware can appear in
two forms – either by locking your screen with a full-screen image or webpage to prevent you from
accessing your PC, or by locking your files with a password so they can’t be opened.
What is Cryptolocker?
Cryptolocker has been a particularly sophisticated ransomware variant of the password type, wrapping up victims’ files and data in several layers of virtually unbreakable encryption before demanding ransoms of several hundred dollars. This type of ransomware has been so successful that Dark Web sites are now offering custom Cryptolocker creation services online to make running a ransom operation as simple as making a purchase off Amazon.
Signs of infection?
All of that happens in the background, before the user knows he or she has been hit. The first sign of infection is typically a pop-up window, which tells the victim that his or her important files have been encrypted and sets a time limit for payment before the private encryption key is destroyed and the files are lost forever. This can often include shared network files on a company network!
How does Cryptolocker attack?
Cryptolocker typically relies on social engineering to infiltrate your environment. Spoofed emails are its best-known tools of attack, although some variants and copycats have been known to attack via drive-by download advertising or peer-to-peer network file sharing. The emails are sent from a spoofed address from a well-known company and include an enticing subject line – “ADP Payroll Alert” or “USPS Missed Package Delivery” are two known examples.
The emails will also include .zip files with similarly common names, like “ADP_Invoice_6556263.zip” and “Case_8377754.zip”. Within those .zip folders is a file disguised with a common extension – .docx or .xls. In reality the .zip contains an .exe which, once on the target computer, configures itself to run on startup. Once downloaded, the malware establishes communication with a command and control server. Cryptolocker relies on a domain generation algorithm and hops between new servers routinely to avoid detection. Once the server connection is established, the malware generates a pair of encryption keys – one public, one private – using 2048-bit RSA encryption together with 256-bit AES encryption.
The public key is sent back to the target computer and is used to encrypt the victim’s files, scanning for popular business file extensions like .docx, .ppt, .xls, .accdb, and many more. The private key is kept back on the Cryptolocker server and is the only tool users can deploy to decrypt these files.
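The lure described above (a .zip attachment carrying an executable dressed up as a .docx or .xls) is something a mail gateway or endpoint script can check for before a user ever double-clicks it. The following Python script is an added example and not code from the original page: it builds a constructed sample archive in memory (the member name “ADP_Invoice_6556263.docx.exe” and its contents are made up for the demonstration) and flags members whose extension is executable, whose name stacks a document extension in front of an executable one, or whose bytes begin with the “MZ” header every Windows executable starts with.

```python
"""Attachment check for the Cryptolocker-style .zip lure (added example, not from the original page).

Scans every member of a zip archive and flags members that look like disguised
executables, regardless of the name the attacker chose.
"""
import io
import zipfile

# Extensions Windows will execute directly, and document extensions commonly used as disguises.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTENSIONS = {".docx", ".doc", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx"}
PE_MAGIC = b"MZ"  # DOS/PE header that every Windows executable begins with


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons this archive member looks like a disguised executable (empty if none)."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]       # ignore any folder prefix inside the archive
    exts = ["." + p for p in base.split(".")[1:]]  # all extensions, e.g. ['.docx', '.exe']
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {exts[-1]}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("document extension followed by executable extension")
    if head.startswith(PE_MAGIC):
        reasons.append("content begins with PE/DOS 'MZ' header")
    return reasons


def scan_zip_bytes(data: bytes) -> dict[str, list[str]]:
    """Scan a zip held in memory; return {member_name: reasons} for suspicious members only."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed for the content check
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one disguised 'document', one benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fake document whose bytes start like a PE file; the rest is filler, not a real program.
        zf.writestr("ADP_Invoice_6556263.docx.exe", PE_MAGIC + b"\x90" * 62)
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip_bytes(build_sample_zip()).items():
        print(member, "->", "; ".join(reasons))
```

The content check matters more than the name checks: Windows hides known extensions by default, so a user sees “ADP_Invoice_6556263.docx” while the file is really an .exe, and an attacker can rename the file freely, but cannot remove the MZ header and still have it run. A production gateway would extend this to nested archives and to the other executable formats the page does not discuss.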
A quick response is critical! Government actions can severely complicate recovery when a ransom has to be paid.
Tip#1: Educate users on security
Education is still the best way to avoid infection by Cryptolocker – or any other form of malware or virus. Companies should make their employees aware of popular social engineering methods and tactics so that they don’t fall victim to spoofed emails or messages.
Tip#2: Back up your data to an offsite location
Offsite backup is a critical component to a Cryptolocker recovery strategy. Webroot says cloud backup
is “highly recommended” for mitigation, adding that “offsite backup has long been an essential part of
any Disaster Recovery plan.”
We had an employee with too high of security access for her own good, and Cryptolocker got our legacy application data. Obsidian Group was able to negotiate a recovery the same day, and had us fully working again the next day.
Owner’s wife accidentally installed Cryptolocker, and lost critical company shared documents over a long weekend. Government enforcement actions complicated recovery, but Obsidian Group was still able to recover the data.
We are a client of Obsidian Group, but my home system was having problems. Obsidian Group identified the problem as Cryptolocker, and was able to recover data without paying ransom.