One of the scariest bits of malware out there today is the Cryptolocker Trojan. Cryptolocker is ransomware that restricts access to the victim's files until the victim makes a payment to the criminal. Once the payment is made, the criminal may or may not release access to the files.
How does this happen? Cryptolocker starts out like most other malware: as a drive-by download or an email attachment. You're safest if you can stop it at this level. If you already have infected PCs and botnet soldiers on your network, Cryptolocker can be deployed to your network through those computers too. Again, much like any other piece of malware.
Once Cryptolocker is deployed, it installs itself in the Documents and Settings folder and it creates a registry setting that will allow it to run on startup. At this point, it begins to look for control servers on the Internet. The control server will generate a 2048-bit RSA key pair and deliver the public key back to Cryptolocker. The malware then gets to work encrypting all of the targeted file types that it can find on local and mapped drives. Unfortunately, the targeted file types include most word processing and spreadsheet documents, pictures, and CAD files. Malwarebytes has a full list of the targeted file extensions.
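A detection sketch for the persistence behaviour described above, added here as an example and not taken from the original post: it parses `reg query` output for a Run key and flags autostart entries whose program lives in a user-writable profile directory. The sample output, the directory list, and the use of the standard per-user Run key are assumptions; the post does not name the registry value Cryptolocker creates.

```python
import re

# Constructed sample of `reg query` output for a per-user Run key. The value
# names and paths are invented for illustration and are not real indicators.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    SyncClient    REG_SZ    "C:\Program Files\Sync Client\sync.exe" /background
    Updater Helper    REG_SZ    C:\Documents and Settings\alice\Application Data\Kq7xv.exe
    Tray    REG_EXPAND_SZ    %ProgramFiles%\Tray\tray.exe
    Notes    REG_SZ    "C:\Users\bob\AppData\Roaming\notes helper.exe" -min
"""

# Path prefixes an unprivileged user can write to (assumed list; extend per site).
USER_WRITABLE = (
    "c:\\documents and settings\\", "c:\\users\\",
    "%appdata%", "%localappdata%", "%userprofile%", "%temp%",
)

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def executable_of(command):
    """Return the program path from an autostart command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces, so cut at the first executable extension.
    m = re.match(r"(?i)(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", command)
    return m.group(1) if m else command.split(" ", 1)[0]

def suspicious_autostarts(reg_output):
    """Return (key, value name, program) for entries that start from a profile directory."""
    findings, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            continue
        exe = executable_of(m["data"])
        if exe.lower().startswith(USER_WRITABLE):
            findings.append((key, m["name"], exe))
    return findings

if __name__ == "__main__":
    for key, name, exe in suspicious_autostarts(SAMPLE_REG_QUERY):
        print(f"{key} -> {name}: {exe}")
```

Legitimate per-user software also starts from profile directories, so treat the output as a triage list to compare against a known-good baseline.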
If your files have already been encrypted, you have a few options:
- Pay the ransom: this has been suggested by some industry experts because the victim is unlikely to crack the encryption.
- Clean the PC and restore from an uninfected backup: assuming the backup is not connected to the infected PC through a working pathway (such as a mapped drive with a letter), the backup should not be infected by this malware.
- Restore from Windows Shadow Copy or system restore, if these are available.
If you plan to pay the ransom, you only have a specified amount of time to do so. After the time specified in the payment screen, the control server deletes the key and recovery is not possible.
There is an amazing amount of helpful discussion on Cryptolocker over at the Bleeping Computer forums.
Most of you reading this blog are IT professionals, so you already know how to deal with malware, and you've probably already heard of Cryptolocker. It's been talked about quite a bit for the last few months. However, this is a good reminder to revisit your security software, your backups, and the overall state of your network. Are your users protected from malware? Is there anything more you can do?
If you are battling a budget crunch and you need help selling the decision makers on solutions, consider adding Cryptolocker to your talking points:
- Even police departments and governments are paying the ransom
- Untraceable bitcoins are required for payment, meaning effective legal action and loss recovery are very unlikely
- There is a $100 make-your-own-Cryptolocker kit, opening the ransomware market to pretty much anyone. The Malware Must Die blog has an extensive and updated post on this.
- Cryptolocker designers are modifying their business model to remain an effective and active threat.
Solutions like our Barracuda Web Security Gateway, Barracuda Email Security Gateway, and Barracuda Backup can help you protect yourself from Cryptolocker and recover quickly if you are infected. You should also consider implementing the following:
- User education on spam and phishing attacks
- Regular monitoring of the types of traffic on your network
- Regular backups that are kept off-site
- Proactive patch management
- Good antivirus software that can provide real-time scanning
Take a look at our Barracuda Ransomware site for more information on how we can help you protect yourself.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. In this role, she helps bring Barracuda stories to life and facilitate communication between the public and Barracuda internal teams. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.