CryptoLocker Ransomware

There’s a new beast in town and if you’re one of the unlucky folks to cross its path, then you’re either a few hundred dollars poorer or you’re stuck with a hard drive (or more) with encrypted data that you can’t retrieve (unless you have backups).

The CryptoLocker Virus is a nasty piece of malware doing the rounds that encrypts files on a victim’s computer and issues an ultimatum: Pay up or lose your data. CryptoLocker’s raison d’être is to literally extract a ransom from its victims, which is why malware of its type is also known as “ransomware”.

Among other routes, the malware is spread through emails purporting to come from well-known brands, and there are reports that it can also arrive as an attachment in emails dressed up to look like voicemail notifications, which are of course fake. When you open the attachment, CryptoLocker installs itself on your computer, looks at what you have on your hard drive (as well as on mapped network drives), encrypts a variety of important file types such as photos and documents, and then begins its ‘negotiations’.

A pop-up window with a 100-hour countdown appears and you’re given details of how to pay the ransom, which typically ranges between $100 and $700.

Now this is where it becomes nasty. If the money is paid before the timer runs out, a key is supplied to decrypt the files. If payment is not made, the key is destroyed and those files are lost forever. Encryption technology such as that used by CryptoLocker is designed so that encrypted data cannot be recovered unless the required key is available, so if the people behind CryptoLocker really do destroy the keys when the ransom is not paid, then the distinct possibility exists that the data really is lost forever – even if the authors of CryptoLocker are eventually caught.
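Because the files CryptoLocker rewrites are ciphertext, they no longer carry the header bytes their file type normally starts with, and their content looks like random data. That gives a defender a cheap after-the-fact check for a share or folder that may have been hit. The following Python is an added example written for this post, not code from GFI or from the malware: it walks a directory, and for the document and photo types it knows about (a list chosen for this example, not CryptoLocker’s actual target list) it flags any file whose header does not match its extension and whose leading bytes have near-maximal Shannon entropy. The entropy cut-off of 7.0 bits per byte is an assumption. Note that already-compressed formats such as JPEG score high on entropy on their own, which is why the header check comes first; a file that merely has the wrong header but low entropy is reported as “unknown” rather than “suspect”.

```python
import math
import os
import random
import shutil
import tempfile
from collections import Counter

# Well-known leading bytes (magic numbers) for the types this example tracks.
MAGIC = {
    ".pdf": (b"%PDF",),
    ".jpg": (b"\xff\xd8\xff",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
}
ENTROPY_THRESHOLD = 7.0   # bits per byte; assumed cut-off for "looks like ciphertext"
SAMPLE_BYTES = 4096       # only the head of each file is examined


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def header_matches(ext: str, head: bytes) -> bool:
    """True if the file head starts with one of the magic numbers expected for ext."""
    return any(head.startswith(m) for m in MAGIC.get(ext, ()))


def classify_file(path: str) -> str:
    """'ok', 'suspect', 'unknown' or 'ignored' for one file on disk."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return "ignored"
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if header_matches(ext, head):
        return "ok"
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "suspect"      # wrong header *and* random-looking content
    return "unknown"          # wrong header but structured content: inspect by hand


def scan_tree(root: str) -> dict:
    """Classify every file below root; keys are paths relative to root."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = classify_file(full)
    return results


def build_sample_tree(root: str) -> None:
    """Constructed sample files: an intact PDF, a 'photo' overwritten with
    random bytes standing in for ciphertext, a DOCX with the wrong header but
    ordinary text, and a file type the scanner does not track."""
    rng = random.Random(42)   # seeded so the example is reproducible
    samples = {
        "invoice.pdf": b"%PDF-1.4\n" + b"plain text body " * 200,
        "holiday.jpg": rng.randbytes(SAMPLE_BYTES),
        "memo.docx": b"just some words " * 100,
        "readme.txt": b"not a type we track",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)


def demo() -> dict:
    """Run the scanner over the constructed tree and return its verdicts."""
    root = tempfile.mkdtemp()
    try:
        build_sample_tree(root)
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:8s} {path}")
```

Run on a real share, the “suspect” list is what you would hand to whoever owns the backups; the “unknown” list is worth a look but is usually mislabelled or renamed files rather than damage.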

The good news (thus far) is that if the victim pays the ransom, the files are actually decrypted, even though glitches with the decryption have been reported too. Meanwhile, the cyber crooks take the cash and run.

CryptoLocker is billed as one of the most dangerous pieces of ransomware to appear, so what can you do to prevent it from infecting machines and, more importantly, to avoid losing your precious data?

It is highly recommended that you have antivirus software installed and make sure that the product also scans your emails for malicious files and malware. If you’re a sys admin, it’s worth investing in an email security product that trumps desktop AV in one very important area: the number of AV engines that protect your systems.

A number of reports from the field, including our technology partners Technica Solutions, indicate that there are third-party products that are not catching all the variants of CryptoLocker. Using multiple AV engines is one way of mitigating this risk – this way you leverage the efforts of multiple independent AV labs, you get protection from the lab which delivers it first (which can vary), and you stand a better chance of at least one of the AV engines nailing CryptoLocker before it causes any damage.

Alex Cachia, director of engineering at GFI®, has some very good and timely advice:

“Gone are the days when we were dealing with script kiddies who were out for some ‘fun’, with all the trouble they caused simply being collateral damage. We are now dealing with cybercriminals who have the technical knowledge, the resources and, above all, a financial incentive, to bypass security and infect victims’ machines. The CryptoLocker Virus is a perfect example of a piece of malware that can cause so many problems.”

He adds: “We recommend the use of multiple AV engines, and not to depend on the single AV engine on the desktop. If the latter fails to catch the problem, you’re in trouble. One of our customers using GFI MailEssentials® with its EmailSecurity module enabled nabbed CryptoLocker thanks to two AV engines blocking it. Others who did not have GFI MailEssentials were not so lucky – and if you’re running GFI MailEssentials with the Anti-Spam module only enabled, it is high time to enable the EmailSecurity module.”

Alex also recommends that companies make sure they have backups that are up-to-date (and tested) and to tell their employees to be vigilant when opening files and clicking on links.
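A backup is only worth something if it is recent, complete and intact, and the only way to know that is to check it rather than assume it. The Python below is an added example for this post, not a GFI tool: when a backup is taken it records a manifest of SHA-256 hashes plus a timestamp, and a later verification step reports four things a CryptoLocker victim would care about: whether the backup is older than the allowed age, files the manifest promises but the backup no longer holds, backup copies whose hash no longer matches (damaged media, or a backup that was itself encrypted), and source files that have changed or appeared since the backup was taken. The file names, the 24-hour maximum age and the manifest name MANIFEST.json are all choices made for the example; the scenario in demo() is constructed.

```python
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST_NAME = "MANIFEST.json"   # name chosen for this example


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == MANIFEST_NAME:
                continue
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def take_backup(source: str, backup: str, now: float) -> None:
    """Copy the source tree to backup and store a timestamped manifest beside it."""
    shutil.copytree(source, backup, dirs_exist_ok=True)
    record = {"taken_at": now, "files": build_manifest(source)}
    with open(os.path.join(backup, MANIFEST_NAME), "w") as fh:
        json.dump(record, fh)


def verify_backup(source: str, backup: str, max_age: float, now: float) -> dict:
    """Compare the backup against its manifest and against the live source tree."""
    with open(os.path.join(backup, MANIFEST_NAME)) as fh:
        record = json.load(fh)
    expected = record["files"]          # what the backup promised to contain
    on_disk = build_manifest(backup)    # what the backup media actually holds now
    current = build_manifest(source)    # what the source looks like today
    return {
        "stale": now - record["taken_at"] > max_age,
        "missing": sorted(p for p in expected if p not in on_disk),
        "corrupt": sorted(p for p in expected
                          if p in on_disk and on_disk[p] != expected[p]),
        "out_of_date": sorted(p for p, h in current.items() if expected.get(p) != h),
    }


def demo() -> dict:
    """Constructed scenario: back up two files, then lose one backup copy,
    damage the other, and add a new source file three days later."""
    base = tempfile.mkdtemp()
    try:
        src, bak = os.path.join(base, "src"), os.path.join(base, "bak")
        os.makedirs(src)
        with open(os.path.join(src, "report.docx"), "wb") as fh:
            fh.write(b"quarterly numbers")
        with open(os.path.join(src, "photo.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff pixels")
        take_backup(src, bak, now=1_000.0)

        os.remove(os.path.join(bak, "photo.jpg"))            # backup media lost a file
        with open(os.path.join(bak, "report.docx"), "wb") as fh:
            fh.write(b"garbage")                             # backup copy damaged
        with open(os.path.join(src, "notes.txt"), "wb") as fh:
            fh.write(b"written after the backup")            # source moved on

        return verify_backup(src, bak, max_age=24 * 3600, now=1_000.0 + 3 * 24 * 3600)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of hashing the backup copies rather than just listing them is that a backup volume left mounted is exactly the kind of mapped drive CryptoLocker encrypts; a manifest check catches that where a simple “the files are there” check would not.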

“If a link or a file looks suspicious, flag it to your sys admin. It may be a healthy file, but it could be CryptoLocker. And you don’t want to be the poor guy who triggered CryptoLocker at your workplace,” Alex suggests.