Most IT professionals will have heard the phrase Cryptolocker by now, but unless you’re in enterprise security or have been affected by it or one of its numerous clones, you probably don’t know much about it. You really should: once a computer is infected, the payload encrypts certain file types – locally and on network shares – with RSA public-key encryption. That is effectively unbreakable by brute force, and if you don’t have a backup those files stay inaccessible until you obtain the decryption key from the author for an extortionate fee. Not good news for the holiday snaps on the home PC, but very bad news if swathes of business-critical data are affected.
The original incarnation of Cryptolocker was released into the wilds of the Internet in September 2013 and propagated itself via email. It was isolated in May 2014 and subsequently deactivated in June that year by the US Department of Justice’s Operation Tovar.
As part of that operation Fox-IT, a Dutch security firm, was able to obtain the encryption keys for the original Cryptolocker and created a web portal to decrypt files encrypted by that version of Cryptolocker.
Unfortunately, like the proverbial Hydra, cutting off one head gave rise to many more – in this case multiple Cryptolocker clones and analogues, using varying forms of encryption and now with many different authors extorting money.
Cryptolocker is now just one of a growing family of serious encrypting-software threats colloquially known as Ransomware. Ransomware is after more than our personal information; it wants our money, it is quite insidious in how it goes about getting it, and if you are infected the chances are that the only way to decrypt the files is to pay the ransom. Some Ransomware is based wholly or in part on the original Cryptolocker and some uses different attack vectors, but the intent is generally the same: infect, encrypt and extort.
Any significant threat requires suitable counter-measures, which brings me to the first step in protecting against Ransomware infection:
Ensure you have a reputable AV solution, such as BitDefender, that uses heuristic monitoring for threats. New threats appear all the time and don’t always look immediately suspicious: Windows Explorer hides the extensions of most file types by default, so the file extension is not obvious, and some of the Ransomware about today even uses customised icons that look convincingly like PDF, MS Word and other documents familiar to us.
In today’s busy world we increasingly click email attachments from people we know without thoroughly checking what the attachment is, and the deception of the Ransomware author relies on this.
Using AV software such as BitDefender that applies heuristic application-behaviour rules in addition to traditional virus definition updates will give you a good degree of confidence that even 0-Day threats, which are not caught by email scanners or by your AV’s virus definition updates, will be prevented from running.
Heuristic rules are essential in combating any 0-Day threat, but since file encryption is a normal function of Windows, the Ransomware payload is not always detected by traditional AV, or is not detected until the encryption process has already started.
The second step is aimed at damage limitation in case of infection: regularly back up mission-critical data to a repository that is kept offline when not being written to or read from. Some, but not all, Ransomware has been known to encrypt files on local storage, attached storage (such as USB sticks and external HDDs) and network shares. For this reason simply backing your local files up to a network share is not necessarily sufficient protection. The only complete guarantee against potential data loss is to perform regular backups and then take the backup media offline, so that it is isolated from potential sources of infection and, by consequence, encryption.
This may seem extreme but you have to consider the value of the data to your business and how significantly mission critical data loss would affect the operation of your business to determine the level of precaution that is justified.
In addition, Active Directory Group Policies can be implemented to restrict the running of exe files as a further measure; again, it comes down to how far you are prepared to go to protect your data.
Of course the best practice of not opening unknown email file attachments, and verifying that files seem legitimate, is always a good idea! By taking these or similar precautionary steps, you can have a good degree of confidence that Ransomware has its work cut out to infect and damage your data in the first place, and that in the unlikely event it gets through your outer defences, the damage it can cause is limited and, more importantly, is not catastrophic to your business.
To summarise the top 5 tips to protect your business against ransomware are:
1. Re-educate your users on the need to be vigilant when opening email file attachments, even if they are from a known sender.
2. Educate your users on how to spot executable files disguised as other file types (Word/PDF/etc).
3. Have and use an enterprise-grade AV solution that uses heuristic monitoring rules; this is essential in protecting yourself from 0-Day threats.
4. Regularly back up files using a solution that either prevents access to the backup repositories (such as Veeam) or is able to isolate the backups from network/remote access in case of infection.
5. Depending on how disruptive it would be in your environment, use Group Policy to prevent the running of unauthorised executable files.
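Tip 2 (and the point above about hidden extensions and convincing document icons) can be turned into a simple check. The following is an added example, not part of the original post or any vendor product: it flags attachment names that rely on hidden extensions or a right-to-left override, and separately inspects the content for a Windows PE header so that an executable renamed to .pdf is still caught. The extension lists and the sample files are constructed for the example.

```python
import os
import struct

# Extensions Windows will execute directly (constructed list for this example, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Document types that ransomware droppers commonly impersonate.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}

def classify_attachment_name(filename: str) -> list:
    """Return the reasons a filename looks like an executable dressed up as a document."""
    reasons = []
    base, ext = os.path.splitext(filename.lower())
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        # "Invoice.pdf.exe" shows as "Invoice.pdf" when Explorer hides known extensions.
        inner = os.path.splitext(base)[1]
        if inner in DOCUMENT_EXTS:
            reasons.append(f"double extension: displays as {inner} when extensions are hidden")
    # A right-to-left override character makes "invoice<RLO>fdp.exe" render as "invoiceexe.pdf".
    if "\u202e" in filename:
        reasons.append("right-to-left override character in filename")
    return reasons

def is_pe_file(data: bytes) -> bool:
    """True if the content carries a Windows PE header, whatever the extension says."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE signature
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def assess_attachment(filename: str, data: bytes) -> dict:
    """Combine the name and content checks into one verdict for a gateway or helpdesk tool."""
    reasons = classify_attachment_name(filename)
    ext = os.path.splitext(filename.lower())[1]
    if is_pe_file(data) and ext not in EXECUTABLE_EXTS:
        reasons.append(f"content is a Windows PE executable but extension is {ext or '(none)'}")
    return {"name": filename, "suspicious": bool(reasons), "reasons": reasons}

def make_fake_pe_stub() -> bytes:
    """Constructed minimal PE header: 'MZ' at 0, e_lfanew at 0x3C pointing to 'PE' at 0x40."""
    header = bytearray(0x44)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    header[0x40:0x44] = b"PE\0\0"
    return bytes(header)

if __name__ == "__main__":
    print(assess_attachment("Invoice_2024.pdf.exe", make_fake_pe_stub()))  # flagged twice
    print(assess_attachment("holiday_snaps.jpg", b"\xff\xd8\xff\xe0"))    # genuine JPEG, clean
```

A mail gateway would normally run this on every attachment; the same two checks are what you are asking users to do by eye when you tell them to show extensions and distrust unexpected attachments.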