Threat Name: Cryptolocker
Threat Type: Ransomware
Primary target: Business users, PC users
Date discovered: Sept. 2013
What it does:
Cryptolocker encrypts files and charges a ransom to decrypt (i.e. unlock) them.
The malware searches local and network drives and shares for files associated with popular business applications. Once found, the files are encrypted and the user must pay a fee within 72 hours to unlock them. If the fee is not paid, the files remain encrypted permanently.
The ransom can range from roughly $100 to $1000 and typically must be paid in bitcoins. Reports indicate that paying the ransom can result in decryption (we do not recommend this).
How it spreads:
- Email attachments – The malware is primarily spread through email attachments that must be downloaded and opened. The emails often purport to be from a shipping company, such as FedEx or UPS, and the attachment is purported to be tracking information.
- Removable drives – Variants of the malware can spread through connected drives, such as USB thumb drives. Connecting an affected drive is enough to transmit infection. The malware can find and infect files in shared network drives, USB drives, external hard drives, network file shares, and even some cloud storage services, according to US-Cert.
Cryptolocker Prevention Kit
Files encrypted by Cryptolocker are all but impossible to unlock without the key. IT service providers should proactively block the malware.
The kit uses a group policy to disallow applications from running in the locations used by Cryptolocker.
“So far, the virus hasn’t really morphed. It’s still trying to use the same locations. It will be really easy to adapt this group policy when it does,” said Babinchak.
How to prevent and mitigate:
- Backup – Maintain backups onsite and offsite. Test them often. Ensure they are configured to prevent backup of infected files
- Limit – Classify data and limit access to important files.
- Update – Maintain updates for your anti-virus, system, and applications.
- Educate – Explain to clients the dangers and warning signs of phishing emails and suspicious attachments. ThirdTier has a great alert email you can send to clients.
- Tweak – Use software restriction policies to block the malware from infecting Windows-based systems. For details, check Third Tier’s Cryptolocker prevention kit.
How to recover:
Aside from restoring affected files from backup, it is all but impossible to fully recover from Cryptolocker. After 72 hours, the malware destroys the decryption key and the affected files remain locked.
The documents in ThirdTier’s kit also include detailed instructions on how to mitigate damage and recover.
Summary of recovery steps from ThirdTier:
- Do not pay the ransom. If you must, then use a pre-paid debit card.
- Scan the systems to determine how many files are encrypted.
- Attempt to clean the system.
- Delete infection points
- Restore from backup
- Review how the infection entered the system