Many businesses are losing critical documents and information through renewed attacks on their computers by new strains of the Cryptolocker Ransomware virus. Find out what you need to know and do to protect yourself.
There are steps you should take to protect yourself since the latest version is more virulent than ever and even more destructive.
How the current types differ from older ones
The Cryptolocker threat first hit the headlines back in 2014, you can find out more about this in our original post – GameOverZeus / Cryptolocker Threat Explained.
The current, so-called 3rd generation, Cryptolocker virus has the following new and threatening features:
Extended scope of attack
- Previously an attack was restricted to common file types such as your Office documents. The new version has extended its scope significantly, so it will make more of your files and information inaccessible. It will also attack files that will affect the computer itself.
- In some cases it can even attack files that have been backed-up to local drives and shared storage on servers.
New Apple Mac versions of Ransomware
- Those of you with Apple Macs have enjoyed a degree of immunity from attacks. This is no longer the case, and there are recently documented cases where Macs have been hit. In this case the ransomware is known as “KeRanger” – these attacks started in early March.
Potential threat to smart phones and tablets
- Industry pundits think it may just be a matter of time before our smartphones and tablets are also vulnerable – read more here.
Malvertising on websites
- The most recent IT industry news has confirmed that computers can be infected through adverts that appear on web sites – known as malvertising.
- Some of these sites belong to large and reputable organisations like the BBC and the New York Times where adverts were hijacked with ransomware that demanded payment in bitcoin to unlock infected computers – read more here.
What is Cryptolocker?
Cryptolocker is a form of software known as ransomware – technically it’s not a virus because it doesn’t replicate itself. Once your computer is infected, the ransomware will search for files and encrypt them.
Once this has happened, when you try to open the affected files a pop-up will appear asking you to make a payment in return for a “key” that will allow you to decrypt your files.
The payment is usually requested in bitcoins since this is untraceable and varies from a nominal fee but normally around £300. In the case of large corporations it can run into thousands of pounds.
It is estimated that victims have collectively paid millions of dollars in ransom.
As well as the new attack via Web advertising (malvertising), there are more common sources of attack. The most frequent form is through email. There will be an attachment, disguised as some sort of innocuous document or PDF. Very often the email appears to be authentic or plausible so it’s easy to be lulled into thinking it’s safe to open.
Why is Cryptolocker so destructive?
Attacks are by invitation
- First of all, the attacks happen by “invitation” – they work when we open the file containing the ransomware, hence the description “Trojan”. Cryptolocker is just one of several forms of Trojan.
- When you choose to open a contaminated file, the ransomware can therefore bypass much of the security that you have in place on your computers.
Continually changing with new variants
- The very fact that Cryptolocker changes so often can make it tricky to identify or block, even if your IT security measures are quite sophisticated.
- One of the approaches used by threat management software is to look for “patterns” in emails and attachments that help identify them as viral, but with constant changes this method becomes ineffective unless your threat management is updated frequently.
Security software always playing catch up
- These forms of attack change so frequently that the usual preventative tools are often playing catch-up. They’re known as “zero-day” attacks because there are zero days between their creation and when they’re released into the wild.
Spreads to infect other computers on your network
- Once it has infected one of your computers, Cryptolocker will go on to look for other computers and files that are accessible from the infected one. Any computers connected to your company network are at risk – even files shared on a central location.
Virtually impossible to unlock without a key
- Once infected, your files are encrypted to the same standards used in the highest levels of Internet security. The more secure that computing becomes, the more powerful these sorts of ransomware will become.
- Once files are encrypted, to regain access without the key, you would have to “hack” into them.
- This is nigh on impossible without an extremely lucky guess and could take a standard computer billions of years to find the key. And since most attacks have a time limit (usually 72 hours) in which to pay the ransom – there isn’t much chance of success.
What can you do to protect yourself?
Many companies who have paid the ransom have reported that only some of their files were successfully decrypted. Others have said that none of them were.
On top of this, most ICT security experts take an ethical standpoint and advise that none of us should reward the perpetrators of embezzlement. There’s a consensus that paying a ransom is not the way.
Best practise with email
Simple vigilance will make a huge difference, and much of it is a matter of common sense:
- Don’t open attachments in unsolicited email
- Try to confirm that the sender is genuine
- Be very careful if the subject line in the email promises something that seems too good to be true, something free, or just “looks” like spam (e.g. congratulatory prizes, or garbled text)
- Be wary of emails that appear to come out-of-the-blue from banks, government departments or some other authority, asking you to take action
For more advice about best practise with email see our article below: Staying Safe from Spam and Phishing Emails
Technical measures that will reduce the risk of attack
- Don’t use old versions of software, and in particular versions that are no longer supported. Windows XP and Server 2003 were made obsolete last year, so the software is no longer being patched or updated to help tackle security breaches. This puts you at risk
- Enable a pop-up blocker on your computers
- Make sure you use good anti-spam and anti-virus software throughout your organisation and keep it right up-to-date
- There are a number of unified threat management (UTM) tools that are automatically updated and intelligent – they are able to monitor activities and identify ones that “might” be indicative of something harmful. They work from a central location, so you don’t need to do anything to keep all bases up-to-date
- Make sure you’ve also got good and reliable backups, that run frequently, and that they store your data somewhere other than just on the disk drives of your computers
What to do if you’re infected
Try to isolate the infected computers as soon as you possibly can. The way Cryptolocker ransomware works means that you can mitigate the effect and slow the spread across your network by doing this.
This will make the clean-up process less painful and less time-consuming. It will also reduce the number of files that are damaged.
There are likely to be two major (and, unfortunately, complex) steps that will be needed:
- Multiple virus scans and clean-ups on all your computers and servers using fully updated anti-virus software
- Restoring the scrambled (encrypted) files from known good backup – ensuring that the backup took place before your files were encrypted
Air-IT – we’re here to help
At Air-IT we have experience in helping businesses recover from virus attacks and ransomware. Recovery is messy and you have to be thorough to avoid reinfection. Knowing what is needed and the order to do things can save huge amounts of time and help minimise the harm done to your organisation.
But, just as importantly, we have close relationships with the creators of the best tools, and the knowledge and experience to help you prevent attacks in the first place.