I ended the year talking about the Sirefef Trojan/botnet that I has caused many problems including e-mail blacklisting at a few of our clients last year. To start off the new year I thought it would be fitting to talk about one of the most costly viruses of 2013, that is still a major threat today: Cryptolocker.
Cryptolocker is a more complex version of ‘ransomware’, which locks the PC and demands a ranson. Typical ransomware is usually not very troublesome for Small Businesses who store critical files on a server. In these cases the infected PC can be wiped and reinstalled from scratch with minimal data loss.
However Cryptolocker encrypts important files on the infected PC AND all attached network drives. The user then sees the screen pictured at left, demanding money for the decryption key. This is a huge threat to anyone who doesn’t have a Cloud-based or offsite backup strategy.
The Cryptolocker virus encrypts all files on the infected PC along with any network files to which the infected computer has access. Once encrypted it is impossible to regain access to these files without paying the ransom for the decryption key. Paying money to hijackers and thieves is never a good idea, so in most cases it’s best to restore your files from the last backup once you isolate the infected computer. The only downside to this method is that it relies entirely on the robustness of your backup and recovery strategy. If your backups are stored locally or on the network, there is a good chance they will also be encrypted by the virus.
The Cryptolocker virus is typically spread via an infected e-mail attachment that the user opens. It then copies itself into the user’s application data folder, and executes. One way to protect yourself from e-mail attachment viruses like this is to use the Software Restrictions feature of Group policy to block .exe files from executing from the Application Data folder and all Temp folders.
Tools like Malwarebytes will detect and remove the Cryptolocker virus, but cannot restore the encrypted files. In fact this virus is one of the biggest reasons that Small Businesses today should make use of Cloud Services.
To illustrate how dangerous this virus can be: one business in Australia was shut down for five days with staff sent home on leave. Every network share’s business data was encrypted (over 64,000 files) after a staff member clicked on an attachment despite telltale suspicious signs. Neither their firewall failed nor their antivirus software detected the virus — which is not unheard of, due to savvy virus writers who constantly update their malware to bypass the latest detection software. (In my previous article I stated a number of methods to protect yourself from most of the dangerous viruses that exist today.)
Those are all good methods to protect yourself from Cryptolocker, but because this virus is so devastating there are a few additional steps you can take to protect your network. The infection is typically spread via an infected e-mail attachment that the user opens, it then typically copies itself into the users application data folder and executes. One of the best ways to protect yourself from this and many other e-mail attachment viruses is to use the Software Restrictions feature of Group policy to block .exe files from executing from the Application Data folder and all Temp folders.
The Australian business’ server had made room for the latest revised data by deleting all the old backups. “The receptionist could not wait for the backup to complete on the last known backup date, and pulled out the USB drive early.” This forced the IT fixers to restore from an older backup, losing many proposals and quotes. The system was recovered “but at great expense and emotional cost”.
In the event that you have taken all precautions and your network gets infected anyway, it is important to ensure you have a reliable backup process that not only runs often (hourly is best) but also synchronizes its data with an offsite or cloud location and keeps a revision history. If you have good a good backup strategy in place, recovering from a Cryptolocker infection is quick and easy.
Recap of steps to ensure Cryptolocker doesn’t cripple you:
1.) Use a multi-tier network security structure as discussed here.
2.) Put Group policies in place to keep downloaded attachments from executing.
2.) Have a good Cloud-based or offsite backup strategy to restore from.
3.) Make sure whatever backup system you have in place is regularly monitored.
4.) Have your backups regularly tested to make sure you can restore form them in case of an emergency.
Please fill out the following form to contact us for further help on how to protect yourself with Group Policy, or recover from this latest malware threat.
[contact-form-7 id=”6092″ title=”Contact form 1″]