The Who, What, When and Where of the Bad, Bad Cryptolocker Ransomware
At last week’s Hedge Fund Launch 2.0 seminar, the topic of the malicious Cryptolocker malware that is circulating was highlighted as a wakeup call for why backup and security are nonnegotiable IT components. Questions abounded about this new evolution in malware so today’s post aims to address the who, what, when and where of Cryptolocker as well as a few other common Qs.
What is Cryptolocker?
Cryptolocker is a new variant of ransomware that restricts access to infected computers by encrypting them and demanding that the victim pay the attackers a ransom in order to decrypt and recover their files. Some versions of Cryptolocker can encrypt local files as well as external hard drives, network file shares and even cloud storage services that allow local folders to sync with online storage. The malware is severe and a real threat. If a company becomes infected and does not have their files backed up the files may be lost.
At Eze Castle Integation we have had clients become infected. Thankfully in these cases the clients had the appropriate backup systems in place and were able to restore the files to the pre-infection state. As of this time, the US-CERT says the primary means of infection appears to be phishing emails containing malicious attachments. The attachments may look like legitimate emails, so it is important to remind users not to click on any email links if they do not know the sender.
Who is behind Cryptolocker?
This is a difficult question to answer as it appear there may be a few different cyber-attack groups using CryptoLocker at the moment. What is known is that attackers demand a ransom payment in a number of different payment methods, including Bitcoin, that allows them to stay anonymous. Bitcon is an open source peer-to-peer payment network.
Where and who is Cryptolocker targeting?
According to Kaspersky’s Costin Raiu, this malware primarily targets users from US and UK, with India, Canada, Australia and France being second-tier targets.
What’s the difference between Ransomware and Cryptolocker? (This Q&A comes direct from Symantec)
The difference between Ransomlock and Cryptolocker Trojans is that Ransomlock Trojans generally lock computer screens while Cryptolocker Trojans encrypt and lock individual files. Both threats are motivated by monetary gains that cybercriminals can make from extorting money from victims.
What happens if my computer is infected?
According to Kaspersky, once infected, the ransomware-interface displays a countdown clock of three days, warning users that if time elapses, the private decryption key will be deleted forever, and there will be no way to recover the encrypted files.
At this point, users have two choices: 1) pay the ransom and hope the attackers make good on their “promise”or 2) recover their data from backups. Any hedge fund or investment management firm should be able to confidently select option number 2. Regular backups are a nonnegotiable part of a hedge fund’s data protection strategy and the cryptolocker virus highlights just why.
US-CERT also suggests the following possible mitigation steps that users and administrators can implement if they believe a computer has been infected with Cryptolocker:
- Immediately disconnect the infected system from wireless or wired networks. This may prevent the malware from further encrypting any more files on the network.
- Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware.
- If possible, change all online account passwords and network passwords after removing the system from the network. Change all system passwords once the malware is removed from the system.
What can we do to avoid getting infected?
Here are a few things you can do to prevent your PC from being infected:
- Most viruses are introduced by opening infected attachments or clicking on links to malware usually contained in spam email. Have users avoid opening emails and attachment from unknown sources, especially zip or rar archive files.
- Don’t open attachments from an unknown sender.
- Maintain up-to-date anti-virus software.
- Use a drive that is backed up to save important files – do not save them to a local machine/PC that is not backed up regularly.
- If you must save files locally, make sure they are backed up somewhere and regularly.
- Keep your PC and software up-to-date.
Some handy articles on security best practices:
- Cybersecurity Insurance Evolving to Protect Businesses From Increasing Threats
- Cyber Security is Changing: How to Build a Secure Hedge Fund
- Hedge Fund Cybersecurity: Preparing Your Firm For an Intrusion