Avoiding CryptoLocker

 In Security

We all know how damaging and disruptive viruses and malware can be. It used to be that if you ran the latest antivirus software you could consider yourself protected. Unfortunately, this is no longer the case. We’re seeing more and more clients with up-to-date antivirus software who’ve been impacted by virus infections. One of the worst offenders is CryptoLocker, and it can shut down your whole business.

What is CryptoLocker?

You may have heard of CryptoLocker. It’s been in the news quite a lot recently.

CTB Locker image

CryptoLocker is an unbreakable ransomware that will encrypt all the files on your computer and server, locking you out until you pay for the decryption key. Ransoms typically range from $300 to $500, sometimes with a limited time before the price is raised or before the chance to pay is withdrawn completely. Payment is usually requested in bitcoin (a digital currency); which can be a difficult transaction to execute even if you do decide to pay.

CryptoLocker infections all originate from emails. Victims receive a spam email that appears to be something legitimate and important; like an ATO notice, a billing statement, courier delivery notice or some other notification that may entice them to open the attached file or a link. The attached file or link will actually contain a program that, when executed, will infect your computer with the virus.

You can view a simulation of the CryptoLocker installation process here.

How CryptoLocker will affect your business

For businesses hit by CryptoLocker the immediate impact is loss of data and productivity.

If you have a comprehensive and reliable backup you can choose not to pay the ransom, forfeit your files and start afresh; but even that will cost you money. A few of our clients who have been unlucky enough to get hit with this virus have been able to recover their data, but they’ve lost 24 hours’ access to their files and server while we recover everything costing them thousands in lost productivity. They’ve also lost the data that was generated after their last backup was run.

Unfortunately, many businesses operate without the proper backup facilities and are unable to restore their data after a CryptoLocker infection. For businesses in this horrible predicament, rather than incur greater loss from the downtime they experience in losing important files needed for their business operations, the only option is to pay the ransom and hope their files get decrypted. However, getting funds into a bitcoin wallet and then transferring those bitcoins to the attacker is no easy process – and there’s no guarantee that the data will be decrypted.

Bitcoin ransom note

What you can do to protect yourself from CryptoLocker

Clearly, prevention is better than cure when it comes to CryptoLocker; and even the most up-to-date antivirus software will not protect you. CryptoLocker is constantly evolving with new variants, which allow the virus to slip past antivirus systems undetected. To adequately protect yourself, we recommend the following.

Backup everything!

Have a good backup system that regularly backs up all important data. Although, this seems basic, you would be surprised by how many businesses we see that don’t have backup systems that adequately protect them from data loss. With a good backup system, you can recover from pretty much anything. With a bad backup system, you could lose everything – including your business.

Run an enterprise grade antivirus program

Run up-to-date, enterprise grade antivirus software. While antivirus software isn’t 100% protection, it does offer a level protection and so running it is a good idea. We recommend an enterprise grade paid antivirus product.

Stop the spam

Since viruses and CryptoLocker generally come in via email, it makes sense to fortify your email. The two key systems to implement are:

  • Hosted email scanning to stop spam, malware, phishing, and advance targeted cyber-attacks before they reach your network. This is where your emails are scanned by a third party before arriving at your mail server. These services are more comprehensive than any antivirus software on your computer and will pick up new viruses faster.
  • Attachment blocking that will block zip attachments and only allow known attachments to come in. Many viruses come in via attachments that are designed to look like common office application files such as PDF and Word documents. By only allowing a specific list of safe email attachments you will reduce the chance of receiving something that is a virus. We highly recommend blocking zip attachments as well, as this is a common place for viruses to hide out. It’s annoying, but there are many other methods to send large files.

Restrict user permissions

Create a user restrictions and execution policy to limit the ability for malicious code to take control of the system. Most people’s computer accounts are set up as administrators. This means they have full control over their computer, including settings. When you execute a virus it takes advantage of your account so, if you are an administrator, you have effectively given the virus permission to do anything it likes on your computer. Once the user account is restricted, adding in the execution policy adds a further layer of protection. The execution policy effectively prevents any unlisted software packages running (executing). Viruses – being a form of software – won’t be able to execute when accidentally opened by a user.

Use a firewall

Invest in advanced hardware firewall devices that can filter URLs and traffic. Dedicated hardware firewall devices scan all network traffic travelling between your computer and the outside world. They add a layer of intelligence and will block anything that is suspect. This protects you from virus infections for two main reasons. Firstly, any emails that come in with a virus embedded will be picked up. Secondly, viruses often need to download other components from the internet to fully infect your computer. A hardware firewall will stop this activity.

File monitoring

Monitor the behaviour of the files on servers to detect suspicious activity. File monitoring is the last line of defence. Effectively, your servers can be setup to monitor for any file changes that arise as a result of CryptoLocker. If a file change is detected, an alert can go out and the server can be shut down. This takes the server offline but, in the case of a CryptoLocker infection, you will be saved from mass loss of your files.

User education

This really is the last line of defence but perhaps should be at the top of the list. Educating your team about best practices with emails is important. In simple terms, if you are not expecting an email, don’t open it. Always read the email carefully and check that links are actually pointing to the location they say (hover your mouse over the link to check this). Most virus-based emails are written badly and have bogus links.

Review

We constantly review our strategy for areas like this and where we see a need to improve, we do so. We recommend you do the same. At least every 6 months, review any risks you have in your technology and assess where you need to take action to reduce the risk. CryptoLocker is a very good example of a massive risk with very dire consequences for those unprepared.

Recommended Posts
Webcam toyprotecting-yourself-from-email-viruses