Don’t Pay the Ransom: How to Prevent or Recover from CryptoLocker Attack


When I first conceived of this article, I was going to rant about the ridiculousness of encryption at rest in a data center. After all, encryption at rest is primarily a method of protecting your data after physical theft of the hard drive. It makes sense to have your laptop or desktop computer encrypted, but the storage drives in your data center? There, physical access is controlled via multiple security stations and access checks, so many IT professionals will tell you that data center encryption is not worth the resources.

Then CryptoLocker became a focus of the security and encryption conversation. A week seldom passes without an article being published about this danger. It has been around since late 2013, but has only recently become a topic of conversation for non-IT management, due to the number of high-profile cases that have been published this year. CryptoLocker is, at its core, social-exploitation malware: it tricks people into doing something that installs the malware on their local computer. Once there, it uses your own network security to start accessing (and infecting) other computers that you’re connected to. And then it starts encrypting (at rest) every piece of data it can get access to.

Once everything is encrypted, CryptoLocker sits dormant for a variable amount of time, giving you a false sense of security. Then it pulls the rug out from under you by removing its encryption keys, requiring you to know the keys in order to access your data, and at the same time, displaying a ransom message. The ransom amount varies, and paying it will usually result in getting your data back. After all, the hackers want future victims to pay, too.

But consider this: So much money has been paid to hackers in this scam that they have little incentive to stop. Some hackers are likely making enough money to quit their day jobs and spend all their time cultivating and improving this virus. And we’re paying them to do it. It’s like setting up a trust fund for the burglar that robbed your house, so they can spend more time robbing other people’s houses.

What can you do about CryptoLocker?

  • Encrypt your sensitive data with whatever built-in encryption your machines have. Most CryptoLocker versions rely on the disk encryption engine built into your computer’s operating system (or database system). If you pre-encrypt your data with it, the CryptoLocker virus has to know your existing password key in order to take over. It won’t know that, so you’ve stopped it before it can do any damage. This doesn’t block those variants that install their own encryption driver, though. So take these precautions:
  • Make sure all your users’ regular login accounts are low-security (non-administrator) accounts. Many computer users like to be administrators of their own machines, but this is a huge security risk, especially when that user is the CEO (or CIO/CTO) and has high-level access to sensitive data or systems. Having everyone (and I mean everyone) use a low-security login on the machine they work on prevents the virus from installing extra drivers or tools.
  • Educate your employees about social engineering and malware. Teach them how to avoid it. This may be the most important item in this list. All it takes is one ill-advised user click to start an attack on your entire enterprise. Regular security awareness training is your best defense.
  • Create and maintain a robust backup plan. Make sure you take backups often, retain them as long as you can, and store them offsite using a transport that doesn’t allow access without a username and password (this will also prevent CryptoLocker from getting to your backups).
  • If you do get hit by CryptoLocker, DON’T PAY. Shut your network off from the outside world, clean your servers, restore your most recent uninfected data, and then bring your systems back up. Find out how you got infected, and take steps to eliminate that vulnerability. This usually means you have to cut off all user PCs and laptops from the network, find the infected ones, and clean them – then educate your users on how to avoid it in the future.
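One way to put the last two items into practice, as an added example that is not from the article: a small Python triage script that scans retained backup snapshots for files that look like ciphertext (a known file type without its expected signature, or near-uniform bytes where text is expected) and picks the newest snapshot that appears uninfected. Snapshot labels, file names and contents are constructed; the signature table and the entropy threshold are assumptions to tune for your own data.

```python
import hashlib
import math
import os
from collections import Counter

# Legitimate files of these types start with a fixed signature; ransomware output
# does not, so a mismatch is a strong sign the copy has been encrypted.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".docx": b"PK\x03\x04"}
ENTROPY_LIMIT = 7.2  # bits/byte: plain text sits near 4-5, ciphertext near 8

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(name: str, data: bytes) -> bool:
    """Signature mismatch for known types, near-uniform bytes for everything else."""
    ext = os.path.splitext(name)[1].lower()
    if ext in MAGIC:
        return not data.startswith(MAGIC[ext])
    return shannon_entropy(data) > ENTROPY_LIMIT

def suspicious_files(snapshot: dict) -> list:
    """Names of files in one backup snapshot that appear to be ciphertext."""
    return sorted(n for n, d in snapshot.items() if looks_encrypted(n, d))

def latest_clean_snapshot(snapshots: dict):
    """Newest snapshot label (labels sort chronologically) with nothing suspicious."""
    for label in sorted(snapshots, reverse=True):
        if not suspicious_files(snapshots[label]):
            return label
    return None  # every retained snapshot is tainted: no safe restore point

def _junk(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes standing in for ransomware output."""
    out = b""
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:n]

# Constructed sample: snapshot-01 was taken before the infection, snapshot-02 after.
SNAPSHOTS = {
    "snapshot-01": {"report.pdf": b"%PDF-1.4\n1 0 obj<<>>endobj\n",
                    "notes.txt": b"Quarterly review notes, nothing unusual.\n" * 20},
    "snapshot-02": {"report.pdf": _junk(4096), "notes.txt": _junk(2048)},
}
```

Run it over a real backup tree by replacing the constructed dictionary with file names and their first few kilobytes; a snapshot that returns no suspicious files is a candidate restore point, and `None` means retention was too short.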

Todd Davis

Todd Davis, Vice President of IT – ReviewStat Services for UniMed Direct, is responsible for the continued development of the industry-leading ReviewStat system. Leading a team of like-minded professionals, Todd works to review and improve ReviewStat’s full-featured and robust system to make it even more efficient and easy to use.