5 ways to defend against ransomware threats
CryptoLocker, a new form of malware, threatens businesses and individuals by encrypting their files and demanding payment to regain access.
CryptoLocker is making headlines for encrypting data and holding it to ransom, but leaving some victims in the lurch despite paying out to regain access to their files. It uses strong encryption, making it next to impossible to crack.
Solution providers said that they are advising clients to first focus on basic security measures and then offering to assess the adequacy and configuration of existing security systems. Addressing ways to reduce the risk of a crippling CryptoLocker infection can thwart other malware threats like it, they say.
The cybercriminals behind the extortion threat, which spreads through email phishing attacks, recently increased the fee to unlock the data the ransomware encrypts from approximately $200 worth of Bitcoins, a digital currency, to about $2,000 worth of Bitcoins, according to Jerome Segura, Researcher, Malwarebytes, who has been monitoring the threat. Here are five security measures that could be taken to reduce the risk of an infection.
Backup
Cloud-based backup is fine, but security experts warn that if your cloud backup is set to automatically sync, the files encrypted by CryptoLocker will replace the files synced to the backup service. Businesses and individuals who follow the best-practice 3-2-1 backup rule will be in great shape to recover from a CryptoLocker infection: keep three copies of any important file; back up important files to two different types of media, such as a DVD or hard drive; and keep a copy of important files in an off-site location.
Backup alone is no panacea, warns Segura. Recovery from a CryptoLocker infection can take several hours depending on the amount of data that needs to be restored, and downtime can be costly. Individuals who have paid out the ransom have found that the decryption still takes hours and there is no guarantee that malware still isn’t lying dormant on the recovered system.
Updated antivirus software
According to VirusTotal, a website that checks malware against dozens of antivirus engines, most antivirus software can detect CryptoLocker malware. CryptoLocker spreads via malicious file attachments and can also be detected by antispam appliances and most filtering software.
Beware of relying solely on antivirus software for protection, says Segura. If antivirus detects an infection after files are encrypted, removing the threat can make decryption difficult, he said. Some people have sought to re-infect their systems in order to pay out the ransom to cybercriminals.
To address systems that have had the malware removed, the cybercriminals behind the scam have set up a CryptoLocker Decryption Service. The service, which is cloaked from investigators behind the Tor anonymity network, can produce a decryption key to victims who upload an encrypted file. The service is expensive at 10 Bitcoins, or approximately $2,300.
Whitelisting software
Businesses that want to ensure that CryptoLocker and other malware threats fail to execute can roll out whitelisting software. Security experts warn that the technology, which maintains a list of known good software, can be burdensome to IT administrators and can have a negative impact on end users. Some whitelisting technologies are not as robust.
Another way to reduce the risk of malware infection is to apply group policies that prevent people from running executable files. Most people who open file attachments are not going to extract the file first and then open it; they will double-click on a zip file, and the executable it contains can be blocked from running through group policy.
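One way to put that group policy in place, as an added example that is not from the article or from any vendor named in it: an AppLocker rule set that keeps the usual allow rules for Program Files and Windows and adds Deny rules for the per-user folders where mail clients and the Explorer zip viewer drop attachments. The folder paths, rule names and log query are assumptions to adapt to your environment; the block needs an elevated PowerShell session on a Windows edition that ships AppLocker.

```powershell
# Builds one AppLocker path rule (Exe collection). Rule Ids are fresh GUIDs.
function New-PathRule([string]$Name, [string]$Path, [string]$Action, [string]$Sid = 'S-1-1-0') {
    $id = [guid]::NewGuid().ToString()
    return @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

$rules = @(
    # Default allow rules: without them an Exe collection with any rule blocks everything else.
    New-PathRule 'Allow Program Files'       '%PROGRAMFILES%\*' 'Allow'
    New-PathRule 'Allow Windows folder'      '%WINDIR%\*'       'Allow'
    New-PathRule 'Allow Administrators'      '*'                'Allow' 'S-1-5-32-544'
    # Deny rules take precedence over allow rules. These cover the user-profile
    # locations (assumed) where mail attachments and zip contents get extracted.
    # Caveat: legitimate per-user installers also run from here; audit first.
    New-PathRule 'Deny EXE in roaming AppData' '%OSDRIVE%\Users\*\AppData\Roaming\*'    'Deny'
    New-PathRule 'Deny EXE in user Temp'       '%OSDRIVE%\Users\*\AppData\Local\Temp\*' 'Deny'
) -join "`n"

# Start in AuditOnly so nothing is blocked yet; switch to "Enabled" once the audit log is clean.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$rules
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'block-attachment-exe.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Merge into the local policy (use -Ldap or the GPMC to push the same XML through a GPO).
# Enforcement also requires the Application Identity service (AppIDSvc) to be running.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Event 8003 = "would have been blocked" while in AuditOnly; review these before enforcing.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message
```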
Intrusion prevention systems
Intrusion prevention systems can block the communication from a CryptoLocker-infected system to the remote command-and-control server from which the malware retrieves the key used to encrypt the files. Blocking that communication can prevent the encryption from taking place. Security firms have figured out the CryptoLocker algorithm that produces about 1,000 unique domain names every day, says Segura.
By monitoring the domains to determine the IP addresses attempting to connect to them, security researchers have determined that the US and UK are the most affected countries, followed by India, Canada and Australia. Researchers at Kaspersky Lab said the threat gives infected systems three days to pay for the key to unlock the encrypted files. Both next-generation firewall appliances and intrusion prevention systems have the ability to provide this kind of protection, say solution providers.
Security awareness
Technology alone is not going to solve the longstanding problem of social engineering techniques coupled with malicious file attachments. Security firms need to build up a security-aware culture to help people recognize phishing emails.
Email attachments associated with the CryptoLocker threat arrive with fake Amazon invoice email messages, phony DHL express delivery slips and other common phishing emails that are known to circulate with other malware campaigns, says Segura. The attackers have not regionalized or targeted the campaign at any specific group of individuals, keeping the campaign broad in scope, which potentially makes it easier to identify.