How to Protect Yourself From CryptoLocker Extortion
In an age of increasing cybersecurity threats, it is of the utmost importance for SMEs - as well as large companies - to be fully aware of all Information Technology (IT) cyber-threats that may result in a costly data breach. While malicious data breaches have become more frequent, and both active and passive attack vectors and zero-days are on the rise, one of the most damaging and increasingly significant forms of malware is ransomware. Malware (malicious software) is a software-based threat (program) that is deployed as a payload against a system that contains a vulnerability. Typically, malware is divided into four categories:
- Virus: A virus is a malicious program or application that is deployed onto a system - typically spreading via a network or email-related social engineering attacks - requiring a user to both spread and execute in order for the malicious activity to be accomplished.
- Worm: A worm is one of the most powerful and malicious forms of malware in that worms do not require human actions to spread or execute. Essentially, a worm can operate as a self-propagating, self-executing program that can remain undetected for some time, while it carries out its malicious activities.
- Trojan: A Trojan is a program that appears harmless, but in the background operates in a malicious manner, such as by recording keystrokes (keylogger), setting up a proxy and sending data to a remote server, or encrypting files forcefully (i.e. ransomware). To that end, Trojans are often voluntarily downloaded and executed by victims due to the seemingly innocuous nature of the application.
- Spyware: Spyware applications are malicious programs that spy on a user’s actions, and can record private data and send it to a remote server.
Ransomware is a class within malware that can use any of the above vectors in order to be executed on a system, though ransomware is most often deployed as a Trojan. By definition, ransomware is a type of malware that is typically deployed with the intent of locking a victim’s IT systems, thus making their private and important data inaccessible, after which the cyber criminal demands a ransom in order to restore access to the system. Ransomware can be as simple as a malicious program that forcefully locks a system, or as complex as a malware application that uses elaborate cryptoviral extortion methodologies, where the data systems in question are encrypted and a ransom is demanded in order for the system to be restored. While most ransomware applications use a strong symmetric block cipher, such as AES-256, some use AES together with public-key cryptography (such as RSA) or RSA alone. Due to the enormous number of possible decryption keys (2^256), it is not practical to brute force such an encryption system, and thus enterprises are often left with no choice but to pay a ransom, which is often paid via an untraceable cryptocurrency such as Bitcoin. Unfortunately, from 2012 until today ransomware has increased greatly, with a specific focus on extorting businesses via CryptoLocker-family ransomware infections.
What is CryptoLocker? Is it the Same as Ransomware?
Ransomware is an umbrella term that encompasses a number of different malware-based programs that are typically used to lock a victim’s system, resulting in a ransom being demanded. As noted above, ransomware can be delivered via a number of malware vectors (viruses, worms, Trojans, spyware, etc.) and can use a number of different encryption schemes. CryptoLocker is a specific type or family of ransomware programs - typically delivered as a Trojan and using RSA (or AES with RSA) for encryption (public-key cryptography) - and has historically been one of the most successful ransomware attack vehicles. Additionally, CryptoLocker - as a family of ransomware - often refers to any type of ransomware based on the original CryptoLocker Trojan whose business model is based on extorting money from users via forceful encryption of their data.
The significance of ransomware should not be underestimated. CryptoLocker alone, when it was deployed in 2013-2014, procured an estimated $3,000,000 before it was taken down, while the more recent crypto worms, the WannaCry and Petya malware programs, extorted over $4 billion and over $300 million in 2017 and 2016 respectively. It is also important to note that, with regard to the latter (Petya ransomware), such a program can be used for ulterior motives, as researchers indicate that the Petya ransomware was actually designed not to make money, but to operate as a clear-cut cyberattack. Even though security inroads have been made against them, research shows that as of 2016-2017 ransomware has reached a record high. As noted by Barkly’s Jonathan Crowe, 2017 in particular saw some of the largest outbreaks of ransomware, with six in every ten malicious payloads being ransomware in the first quarter of 2017. Additionally, in 2016, ransomware attacks on businesses tripled. According to researchers at the popular anti-malware vendor Malwarebytes, approximately 60 percent of all malware applications were ransomware in 2017. Also, according to the cybersecurity research firm Cybersecurity Ventures, ransomware damage costs could reach - and exceed - $5 billion in 2017 alone.
To that end, it is important for businesses to employ up-to-date security best practices, and to make use of trained malware analysts - along with threat modeling and enterprise anti-malware suites - in order to protect themselves from the increasingly dangerous threat that is ransomware, especially the CryptoLocker family. Additionally, new cybersecurity compliance mandates are being put in place to ensure that companies exercise due diligence in securing their customers’ private data.
How Does CryptoLocker Work?
Ransomware, as a class of malware, is usually a Trojan that infects Windows systems via a network. However, it is important to note that there are a wide variety of methods by which ransomware can spread and/or execute. As stated, ransomware often uses worms that spread through a network undetected, without any human intervention, while malicious users can even use the zombies of a botnet in order to deliver mass-spam emails carrying the malicious payload, as was the case with the Necurs botnet and the Locky ransomware of 2016. Later, in 2017, Necurs was used to deploy the Dridex Trojan, which took advantage of a Microsoft Word zero-day vulnerability. Thus, as can be seen, there are many attack surfaces that must be analyzed and covered, and many possible vulnerabilities that can plausibly be exploited by different types of ransomware.
CryptoLocker, in the ransomware attack of 2013 and after, used a botnet (the Gameover Zeus botnet) in order to spread the malware via infected email attachments, and operated as a Trojan to infect Microsoft Windows computers. The malware then encrypts the victim's data with an AES-256 key, and uses an asymmetric, RSA-based public-key cryptosystem for communication and for securing that key; it then displays a message demanding payment via Bitcoin. CryptoLocker, specifically, offered decryption if payment was made, and also threatened to delete the private key if the payment was not made by a deadline. Of course, as with all malware, there is never a guarantee that the data will be decrypted and/or released to the owner if payment is made.
Additionally, the original CryptoLocker spawned clones, such as CryptoWall, Crypt0L0cker, TorrentLocker, etc., and created a family of data-encrypting ransomware that continues to grow in number and magnitude.
CryptoWall, for instance, operated similarly to CryptoLocker in that the malware (Trojan) was propagated via spam email, and through watering-hole attacks and malicious payloads across the web. At the same time, TorrentLocker operated as a Trojan ransomware spreading primarily through email, and, according to researchers, generated a 256-bit AES key, which was encrypted with a 2048-bit RSA public key, resulting in certain files (with certain extensions) being encrypted with the AES key. Throughout the process, the ransomware communicates over the network with its command-and-control (C&C) server.
CryptoLocker utilized many varieties of social engineering in order to trick victims into running the ransomware Trojan on their systems. Social engineering is the use of psychological manipulation methodologies in order to get victims to perform an action that typically allows a malicious person to either execute a malicious program, exploit and penetrate a system, or gain valuable information for malicious purposes. Since the weakest link of any IT system is the personnel that use the IT resources, social engineering is said to be the most powerful form of hacking, though it is entirely avoidable.
Once the malicious user has tricked the victim into downloading and/or executing the malicious file, the ransomware (Trojan) generates a random symmetric (AES-256) key for each file it encrypts, and encrypts the file’s content with the AES algorithm using that key. Typically, the key is in turn encrypted with 2048-bit RSA. Once the files are encrypted, it is virtually impossible to brute-force the cryptosystem in order to decrypt the files, which is why ransomware applications are such powerful - and dangerous - malware programs.
When the Trojan finishes encrypting every file that meets the aforementioned conditions, it displays a message asking the user to make a ransom payment - typically with a time limit for sending the payment. Usually, an untraceable payment system is used, such as Bitcoin or another cryptocurrency. If the deadline is not met, then the private key kept by the malware writer is destroyed, the data is revealed to the public, or the private data is deleted.
How You Can Prevent CryptoLocker
There are several ways that an enterprise can prevent a CryptoLocker-based ransomware program from infecting its systems. While threat modeling and employing the services of malware analysts are standard practices, other best practices - such as using enterprise anti-malware suites - are equally important. Additionally, as noted by WeLiveSecurity, there are a number of other practices that can be used to defend against ransomware, such as backing up private data regularly, filtering executables in emails, patching business systems regularly, and securing enterprise cloud systems. Also of note is that CryptoLocker usually executes from the AppData or LocalAppData folders, so it is possible to disable file execution from those folders. Using the CryptoLocker Prevention Kit is also a viable solution to aid businesses in remaining protected from such ransomware. Regarding enterprise cloud security, it is important to note that even cloud drives that are mapped locally can be encrypted by ransomware.
Be Wary of Emails
CryptoLocker-based ransomware attacks are typically spread via email as infected attachments. Since the Trojan payload requires user interaction, it is important for all personnel to be very cautious when opening email attachments, and to only open attachments from trusted persons. Additionally, security scanners can be deployed to scan emails for malicious payloads and/or malware programs.
Backup Your Data
Since ransomware relies on the innate ability to essentially lock users out of their own systems - and often threatens to delete such sensitive data - one of the most significant defenses against ransomware is the regular backing up of all sensitive, enterprise data. Thus, if a ransomware infection encrypts sensitive business data, the backups will exist in order to nullify the effects of the ransomware, allowing the enterprise to refuse ransom payment.
At the same time, it is important to note that some ransomware authors demand payment under the threat of revealing the sensitive, encrypted data to the public. Though rare, in that circumstance backing up data neither prevents nor cures the problem; only best practices that prevent the initial infection do.
Show Hidden File-Extensions
CryptoLocker/ransomware programs often arrive with clearly suspicious file extensions, such as .PDF.EXE. Configuring Windows (or whichever operating system is in use) to show file extensions, which it hides by default, is key in allowing personnel to spot suspicious files that may be ransomware.
Disable Files Running From AppData/LocalAppData Folders
CryptoLocker usually executes from the AppData or LocalAppData Windows folders, so disabling the ability for files to run from those folders can stop the deadly ransomware in its tracks.
Disable Remote Desktop Protocol (RDP)
Ransomware often spreads through networks via the Remote Desktop Protocol (RDP), which is a protocol that allows personnel (typically system admins) to access enterprise systems remotely. When malicious users use port scanners and see an open RDP port, they may try to deploy a ransomware payload to an enterprise's systems remotely via RDP. Disabling RDP - if it is feasible for a business to do so - can stop such a malware attack from occurring.
Limit End User Access to Mapped Drives
As with RDP, mapped drives allow a user to access a drive on another computer, typically via a network. Such remote access can be used by malicious persons to deploy malware across a network by gaining access to mapped drives, which can be the first step in infecting an entire business network or system.
Employ Content Scanning and Filtering on your Mail Servers
Since most ransomware programs are delivered as email attachments, using scanners and filtering systems on email servers is an important way to defend against CryptoLocker-based ransomware, ensuring that no malicious executables reach users by email (as an attachment or otherwise).
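As an added example (not code from the original article), here is a minimal attachment scanner of the kind a mail gateway could run for the checks described in the last few sections: it parses a constructed sample message and flags executable extensions, deceptive double extensions such as .PDF.EXE, and PE content hiding behind a document name. The addresses and attachment bytes are constructed test data, not real malware.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute directly; a "document" ending in one of these
# (e.g. Invoice.PDF.EXE) is the CryptoLocker-style lure described in the article.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "wsf", "hta"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def classify_attachment(filename, payload):
    """Return the reasons an attachment should be quarantined (empty list = clean)."""
    reasons = []
    exts = filename.lower().split(".")[1:]  # every extension after the base name
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{exts[-1]}")
    # Double extension: a document-looking extension in front of a real executable one.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("deceptive double extension")
    # Content check: Windows PE files begin with the 'MZ' header whatever they are named.
    if payload[:2] == b"MZ" and (not exts or exts[-1] not in EXECUTABLE_EXTS):
        reasons.append("PE header (MZ) under non-executable name")
    return reasons


def scan_message(raw_bytes):
    """Parse an RFC 822 message and map each flagged attachment name to its reasons."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    flagged = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = classify_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            flagged[name] = reasons
    return flagged


def build_sample_message():
    """Constructed test mail: one benign PDF plus two lures (fake bytes, not malware)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00 fake", maintype="application", subtype="octet-stream", filename="Invoice.PDF.EXE")
    msg.add_attachment(b"MZ\x90\x00 fake", maintype="application", subtype="octet-stream", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in scan_message(build_sample_message()).items():
        print(f"QUARANTINE {name}: {', '.join(why)}")
```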
Educate Your Employees
As noted beforehand, the weakest link in any IT system is the user. Since ransomware usually works via social engineering, it is important to educate personnel regarding all of the methodologies and venues for system infection. The more educated personnel are, the less likely an employee will fall for the social engineering tactics that malicious persons employ to ensure that their ransomware applications execute as desired.
Patch Systems Regularly
One of the most important methods of defending against ransomware is patching systems regularly, which closes the system vulnerabilities that ransomware programs often exploit. For instance, both the Petya and WannaCry ransomware programs of 2017 spread via a known vulnerability that Microsoft had already patched, and it was mostly unpatched systems that fell victim to the malicious software. Patching is a first-line defense against ransomware infections on business systems.
Ransomware is a growing threat, and is not likely to go away soon. As malicious persons continue to craft more complicated versions of the original CryptoLocker ransomware program, businesses must educate themselves on how to protect their sensitive systems from infection. While adopting standard security best practices is key, it is also important to adopt more advanced defense methods, such as using the CryptoLocker Prevention Kit, using email filters/scanners, backing up sensitive business systems frequently, and patching systems regularly. Successfully protecting a business system from ransomware can mean the difference between a costly data breach or episode of data loss and saving millions - or even billions - of dollars annually.