The bad guys are getting smarter, taking advantage of tactics used by criminals for centuries. Ransom and extortion have long been used due to the way they invoke very personal feelings of dread and loss. We all know it’s bad to give money to bad people who’ve done bad things, but nonetheless it’s a very effective means of getting what you want.
Cryptoviruses typically inject a hidden process (program) onto a computer which quietly scans the local machine and the network for anything it can reach and modify. It then uses a private key to encrypt those files, essentially locking you out of them until and unless you pay a fee (ransom) for the decryption key. To make matters worse, the key is often time-bombed, requiring that you purchase the decryption key quickly or risk losing your data forever.
To complicate things further, the bad guys often require payment in a form of cryptocurrency called Bitcoin, which can take 7-10 days to fund from a US bank account. This delay is due to the non-regulated nature of the bitcoin industry. Most credit card vendors will not allow you to fund a bitcoin account. The banks are not big supporters either, often resulting in caps on the total amount you can use to fund a bitcoin account during a given transaction.
Making matters even worse (yes, worse), over time the ransom may go up, leaving you having to guess how much cash you ultimately need to convert into bitcoin currency. If you don’t allocate enough and the key expires, you’re done. If you allocate too much, it may take months to convert it back into legitimate currency.
Can’t antivirus help? Sometimes. But with zero-day attacks becoming more common, it’s nearly impossible for vendors to stay on top of the threats. In a recent attack against one of our clients, a Trojan-horse carrying a CryptoLocker-style component made it past 5 lines of defense. This included a very well-known anti-spam/anti-virus platform, two totally different firewall platforms, an Exchange-based antivirus engine and a client-side antivirus scanner. The threat? A simple attachment from what looked to be the US Postal Service about a delivery failure for a package.
Education is likely the best method of protection at this point. Since these threats occur in real-time, it’s important to train users about how to act when they receive a seemingly innocuous email, especially when it comes unexpectedly. It’s also an opportunity to leverage the tools you already have. Many of the firewalls we deploy today have the option to strip and/or block scripts from within documents. Unfortunately, many clients feel this is a hindrance, as the scripts may be key to the functionality of the attached documents. However, this is one of the most common methods of delivering the fatal cryptovirus blow.
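To make the script-blocking control above concrete, here is an added example (not from the original post, and not any firewall vendor's code) of the kind of check a mail filter can run on attachments before delivery. The function names and the sample message are hypothetical and constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# File types that are scripts or executables in their own right.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf", ".hta", ".ps1", ".bat", ".cmd", ".scr", ".exe")
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls container


def classify_attachment(filename, data):
    """Return why an attachment can carry active content, or None if it cannot."""
    if (filename or "").lower().endswith(SCRIPT_EXTS):
        return "script or executable file type"
    if data.startswith(OLE_MAGIC):
        return "legacy Office format, macros cannot be ruled out"
    if zipfile.is_zipfile(io.BytesIO(data)):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [m.lower() for m in zf.namelist()]
        except zipfile.BadZipFile:
            return "malformed archive, contents cannot be inspected"
        # OOXML files (.docm/.xlsm) keep VBA macros in a part named vbaProject.bin.
        if any(m.endswith(("vbaproject.bin",) + SCRIPT_EXTS) for m in members):
            return "macro or script inside Office document or archive"
    return None


def scan_message(raw):
    """Map each risky attachment filename in a raw RFC 5322 message to the reason."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        reason = classify_attachment(part.get_filename(), part.get_payload(decode=True) or b"")
        if reason:
            findings[part.get_filename()] = reason
    return findings


def build_sample():
    """Constructed sample: a 'delivery failure' mail with a .docm and a plain text note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/vbaProject.bin", b"placeholder bytes, not macro code")
    msg = EmailMessage()
    msg["Subject"] = "Delivery failure notice"
    msg.set_content("See the attached label.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream", filename="label.docm")
    msg.add_attachment("hello", filename="note.txt")
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` flags `label.docm` and passes `note.txt`. Flagged messages can be quarantined for review rather than dropped, which eases the usability objection for clients who rely on macro-enabled documents.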
So what do we suggest? How do you avoid cryptolocker viruses? Tighten up all of your perimeter defenses. Ensure that firewall settings are as restrictive as you can possibly live with (this includes content filters, blocking known bad sites, etc.). Ensure that your users do not have more computer administrative rights than they need. Implement document/content management tools to put an added security layer between your users and your documents. Implement maintenance windows to allow for security patching on a regular basis. The old idea of “don’t fix it if it isn’t broken” should be thrown out the window. Security patches have a purpose and at a minimum, these should be implemented as soon as possible. Finally, implement a backup platform that supports your recovery point objectives (RPO) and know what it costs you to be without that data. Backups are the only method (short of paying ransom) of truly protecting your data.
For more information on the importance of implementing a solid backup and disaster recovery strategy, read our recent blog post: What’s wrong with old-fashioned backups?