Protecting your data from Ransomware: Cryptolocker and Locky

In Internet, Security by Patrick McHugh

Ransomware

As an IT service provider, there is no more chilling phone call from a client than “The accounting system is broken and we cannot open our Microsoft Office files either.” A quick login and file check turns up some of the worst evidence of a ransomware attack you could find: most of the critical files in the shared folders and in the accounting system appear scrambled.

The technical term is encrypted, and if the user account that ran the malware has write access to a lot of data, this can affect almost every file the company uses. The culprit is a form of malware called ‘ransomware’. Although these attacks have a history going back to the 1989 PC Cyborg (AIDS) trojan, ransomware was little known outside security circles until recently.

Ransomware to keep an eye out for

Cryptolocker

One of the earliest and most pervasive versions of this malware was called Cryptolocker. It spread through email: the unsuspecting recipient opened the attachment and the damage began. The user’s documents on the local hard drive were encrypted and, by the way, mapped drives (network shares on a Windows server) were not spared. A message then appeared on the screen that essentially said “we put your files in a safe place, and if you pay us money, we will return them to you.” In other words, your data is held hostage on your own computer (or on the server, in the case of mapped drives). Often the originally infected machine was also used to pull in other malware and trojans. Eventually the botnet distributing Cryptolocker was taken down (in 2014) and the recovered private keys made it possible to decrypt the files for free. Even before that, paying the ransom did not guarantee that the files came back.

Cryptowall

The next iteration of pervasive ransomware was, and is, Cryptowall. This variant was even worse: it disguised itself as legitimate software, was much harder to detect, and, most importantly, could be contracted by casually browsing a compromised website (a drive-by download). It also stole data in addition to encrypting the user’s files. Payment had to be made in bitcoin, and these (so-called) honest crooks actually turned over the key needed to decrypt the hostage files. Although most anti-malware software has become adept at finding these infections, by the time it does, the damage is usually already done.

Locky

The newest and most pervasive troublemaker goes by the name “Locky.” For IT professionals it is worse than the ransomware above. The major distinction is that this variant searches the network for ANY share on ANY machine it can reach, whether or not that share is mapped to a drive letter, and proceeds to lock up (encrypt) the files there. It spreads through email, often crafted to look like it came from a legitimate sender, and the payload usually arrives as an attachment that the user is tricked into opening. Rumors on the internet claim that the bad guys are looking for more ingenious ways to deliver this very effective malware. As above, the files can be unlocked if one pays the bad guys in bitcoin. A quick search on the internet will turn up examples of large organizations that actually paid the ransom.

So how do you combat this pesky type of malware? The easy answer is to do nothing about the encrypted files themselves, IF you are absolutely sure you have good, reliable data backups, or are prepared to try paying the ransom. The computer that started the encryption should, at a minimum, be cleaned, and ideally be wiped, reformatted and completely reinstalled.

I have faced a couple of variants of this malware several times. I can report that restoring the data from backups worked perfectly in all cases. There was still a loss of resources, and in one particular case, the customer’s last backup was Sunday evening and the infected email was opened late Monday afternoon. The Locky attack and spread of infection wasn’t discovered until Tuesday morning, so we had to restore data from Sunday evening’s backup. The most recent “Locky” attack I encountered at a customer wasn’t quite as bad because the infected computer was turned off just after it was discovered, so the spread of encrypted files across the network shared folders was contained and greatly minimized.
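Scoping an incident like the ones above means answering two questions quickly: which shares and folders were hit, and which account wrote the encrypted files (that account points at the workstation to pull the plug on). The script below is an added example, not code from the article or its author. It walks a share tree, flags files that look encrypted (a known ransomware extension, a ransom-note filename, or byte entropy near the 8 bits per byte that ciphertext shows), and totals the hits per directory and per file owner. The indicator lists, the entropy threshold, the sample share layout and the owner names (`CORP\jdoe`, `CORP\asmith`) are constructed for the example; refresh the indicators from current threat intelligence before relying on them.

```python
"""Post-incident triage scan of a file share for ransomware damage (added example)."""
import math
import os
import tempfile
from collections import Counter
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Dict, List, Optional

# Locky renamed victims' files to <hex>.locky and dropped _Locky_recover_instructions.txt;
# the remaining entries are illustrative stand-ins for other families.
SUSPECT_EXTENSIONS = {".locky", ".encrypted"}
RANSOM_NOTE_NAMES = {"_locky_recover_instructions.txt", "help_decrypt.txt"}
# Legitimately high-entropy formats are excluded from the entropy test; note that
# Office .docx/.xlsx/.pptx are zip containers and would otherwise be false positives.
COMPRESSED_EXTENSIONS = {".zip", ".7z", ".gz", ".rar", ".jpg", ".png", ".mp4",
                         ".pdf", ".docx", ".xlsx", ".pptx"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext is close to 8.0, text is ~4-5
MIN_SIZE = 1024           # tiny files give noisy entropy estimates, so skip them
SAMPLE_BYTES = 65536      # only the head of each file is read


@dataclass
class Finding:
    rel_path: str   # path relative to the scan root
    reason: str     # "ransom_note", "extension" or "entropy"
    owner: str


@dataclass
class Report:
    findings: List[Finding]
    by_dir: Counter     # hits per directory (relative to the root)
    by_owner: Counter   # hits per file owner


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`: 0.0 for constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> Optional[str]:
    """Return why `path` looks like ransomware output, or None if it looks normal."""
    if path.name.lower() in RANSOM_NOTE_NAMES:
        return "ransom_note"
    ext = path.suffix.lower()
    if ext in SUSPECT_EXTENSIONS:
        return "extension"
    if ext in COMPRESSED_EXTENSIONS:
        return None
    try:
        if path.stat().st_size < MIN_SIZE:
            return None
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
    except OSError:
        return None
    return "entropy" if shannon_entropy(head) >= ENTROPY_THRESHOLD else None


def default_owner(path: Path) -> str:
    """Owner as reported by the OS; on a Windows file server use the NTFS owner (Get-Acl)."""
    try:
        return path.owner()
    except (KeyError, NotImplementedError, OSError):
        return "unknown"


def scan_tree(root: str, owner_of: Callable[[Path], str] = default_owner) -> Report:
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            reason = classify(p)
            if reason:
                findings.append(Finding(os.path.relpath(p, root), reason, owner_of(p)))
    by_dir = Counter(os.path.dirname(f.rel_path) for f in findings)
    by_owner = Counter(f.owner for f in findings)
    return Report(findings, by_dir, by_owner)


def build_sample_share(root: str) -> Dict[str, str]:
    """Constructed sample share; returns path -> pretend NTFS owner for the hit files."""
    fin, hr = Path(root, "Finance"), Path(root, "HR")
    fin.mkdir(parents=True); hr.mkdir(parents=True)
    text = b"Quarterly budget figures, line by line.\n" * 60
    (fin / "budget.txt").write_bytes(text)                           # clean
    (fin / "0123456789ABCDEF.locky").write_bytes(os.urandom(4096))   # renamed ciphertext
    (fin / "_Locky_recover_instructions.txt").write_bytes(b"Pay in bitcoin...\n")
    (fin / "ledger.csv").write_bytes(os.urandom(4096))               # encrypted in place
    (hr / "handbook.txt").write_bytes(text)                          # clean
    (hr / "photos.zip").write_bytes(os.urandom(4096))                # compressed, not malware
    (hr / "thumb.bin").write_bytes(os.urandom(200))                  # too small to judge
    return {str(fin / n): "CORP\\jdoe" for n in
            ("0123456789ABCDEF.locky", "_Locky_recover_instructions.txt", "ledger.csv")}


def run_demo() -> Report:
    """Build the constructed share in a temp dir and scan it (owners come from the map)."""
    with tempfile.TemporaryDirectory() as tmp:
        owners = build_sample_share(tmp)
        return scan_tree(tmp, owner_of=lambda p: owners.get(str(p), "CORP\\asmith"))


if __name__ == "__main__":
    report = run_demo()
    for f in report.findings:
        print(f"{f.reason:12} {f.owner:14} {f.rel_path}")
    print("per directory:", dict(report.by_dir))
    print("per owner:    ", dict(report.by_owner))
```

Run it from a clean machine against the root of each share (the demo builds its own sample tree). Files the malware created, such as the renamed `.locky` copies and the ransom note, are owned by the account that ran it, which points straight at the offending workstation; a file encrypted in place keeps its original owner, so cross-check the `entropy` hits against the file server's audit log or last-write times. Expect some noise from encrypted containers and unusual binary formats, and lower `ENTROPY_THRESHOLD` only if a variant produces low-entropy output.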

Protecting your business

The only real cure for this malware is prevention. IT staff must constantly alert and educate our customers, users, friends and family about these attacks. Steve Gibson of GRC.COM likes to call this being “on guard”, or TNO, Trust No One: always be suspicious of the emails you receive. Most of the IT people I know, and their immediate circle of influence, are pretty good at following safe email and computing practices. Sometimes we forget that there are a large number of people out there who are susceptible to ever-changing socially engineered email attacks. It is these folks who need to be made aware and educated so that they keep a constant sense of vigilance.

You can find more information about these attacks at these links:

https://www.us-cert.gov/ncas/tips/ST04-014

http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-i-hacker-tactics

https://en.wikipedia.org/wiki/Ransomware

… or go to your favorite search engine and look for “socially engineered email attacks”.


About the Author
Patrick McHugh

Patrick is a Network Engineer at Source One Technology and has been providing IT consulting services to schools, nonprofits and SMBs in Waukesha, Milwaukee and SE Wisconsin for over 25 years.