Cryptolocker ransomware first appeared on the scene on September 5, 2013, and remained in the spotlight until the end of May 2014.
As with most forms of ransomware, Cryptolocker targets Windows-based systems and arrives via a malicious email attachment. It uses an encrypted peer-to-peer communication system, called Gameover ZeuS, to communicate between the infected device and a Command & Control (C&C) server.
It’s worth noting that the Gameover ZeuS botnet was taken down by Operation Tovar towards the end of May 2014. It is estimated that CryptoLocker successfully extorted around $3 million in total from its victims.
How Does Cryptolocker Ransomware Work?
Cryptolocker encrypts files using RSA public-key cryptography, and ransoms are paid in either bitcoin or a pre-paid cash voucher. The attackers threaten to delete the decryption key if the victim fails to pay the ransom before the stated deadline.
Even after the deadline has passed, the victim still has the option to pay the ransom using an online service, although they will have to pay a significantly higher amount if they choose to go down this route. As always, even if the victim chooses to pay the ransom, there’s no guarantee that the attackers will deliver on their promise to provide them with the decryption key.
What to Do If You Have Been Infected by Cryptolocker Ransomware
If your organization has already been infected by Cryptolocker ransomware, you should immediately disconnect your device from all networks, and consider turning off your Wi-Fi. Before doing anything else, it would be a good idea to reset all credentials, and then see if you can restore a previous version of your files using the “Shadow Copies” feature in Group Policy.
Failing that, you will need to securely wipe the infected device(s) and reinstall the OS. You will then need to reconnect your device to the network in order to install the necessary updates/patches, such as those associated with your OS and AV software. Once you have restored your data from a backup, you should also run security scans to determine whether the infection still remains.
How to Protect Yourself Against Cryptolocker Ransomware
These days, many strains of ransomware are able to evade detection by antivirus solutions. Some sophisticated solutions may be able to identify a ransomware attack, but only when it is too late and the encryption process has already started. As such, you should have technologies in place that can act quickly to stop the attack in its tracks. Below are some of the key points to consider when establishing a defense against Cryptolocker ransomware:
Security awareness training: Since Cryptolocker is primarily propagated via email attachments, it is imperative that employees are properly trained to identify malicious emails, which include emails asking for sensitive information, emails where the sender’s email address doesn’t match the advertised domain, emails with poor spelling and grammar, and emails that contain words that create a sense of urgency.
Secure backups: All files, including documents, spreadsheets, and images, must be securely backed up and tested to ensure that they can be recovered in a fast and efficient manner.
Patches and updates: Make sure that your operating system, firewall, and anti-virus solution have the latest updates/patches installed. Consider using an automated, centralized patch management solution to streamline the process.
Use Software Restriction Policies: Within Group Policy you can set up Software Restriction Policies that can help to prevent and control the execution of specific applications. For example, you can block executable files from being launched by certain users, and on certain devices/servers.
Implement robust access controls: Firstly, make sure that you have a strong password policy in place, and use multi-factor authentication whenever possible. When assigning access controls, you must strictly adhere to the Principle of Least Privilege (PoLP), to ensure that users are granted the least privileges they need to perform their role. Likewise, you should also use the Just-In-Time (JIT) access control methodology to ensure that access to sensitive data is granted and revoked on a time-limited basis.
Use network segmentation: Segmenting your network, and asking all entities to authenticate themselves each time they need access to a given resource, will help to prevent a ransomware attack from moving laterally throughout the network.
Use a sophisticated Intrusion Prevention System (IPS): In addition to properly configuring your firewall, you should also leverage technologies that give you more insight into suspicious inbound and outbound network traffic. For example, if the ransomware application is communicating with a Command & Control server, this should be picked up by an advanced IPS solution, which should in turn block the communication channel.
Monitor for suspicious file & folder activity: Naturally, one of the tell-tale signs of a ransomware attack is when a large number of files and folders are either copied or encrypted within a short time frame. Most sophisticated real-time file auditing solutions enable you to set up threshold conditions, which, when met, will trigger the execution of a custom script that might disable a user account, stop a specific process, change the firewall settings, or shut down the affected server.
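A sliding-window threshold check of the kind the last point describes, as an added example that is not part of the original article: it runs over constructed file-audit events (the field layout, the user and process names, and the 50-files-in-60-seconds threshold are all assumptions) and returns an alert the first time one user/process pair modifies that many distinct files inside the window, which is the condition a response script would be hooked to.

```python
"""Threshold detector for mass file-modification bursts (added example).

The sample events and the field order (timestamp, user, process, path)
are constructed for this demonstration, not a real product's log format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW_SECONDS = 60   # sliding window length (assumed value)
THRESHOLD = 50        # distinct files touched in the window before alerting (assumed)

# Constructed events: alice edits two documents normally, while a process
# named unknown.exe under bob rewrites 80 files in about 20 seconds.
BASE = datetime(2014, 3, 10, 9, 1, 0)
SAMPLE_EVENTS = [
    ("2014-03-10T09:00:00", "alice", "winword.exe", r"\\fs01\docs\q1.docx"),
    ("2014-03-10T09:00:30", "alice", "winword.exe", r"\\fs01\docs\q2.docx"),
] + [
    ((BASE + timedelta(seconds=i // 4)).isoformat(), "bob", "unknown.exe",
     r"\\fs01\share\f%03d.xlsx" % i)
    for i in range(80)
]


def detect_bursts(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return one alert per (user, process) the first time the number of
    distinct files it modified within the last `window` seconds reaches
    `threshold`. Events are processed in timestamp order."""
    recent = defaultdict(deque)   # (user, process) -> deque of (time, path)
    alerted = set()
    alerts = []
    for ts, user, proc, path in sorted(events, key=lambda e: e[0]):
        now = datetime.fromisoformat(ts)
        key = (user, proc)
        q = recent[key]
        q.append((now, path))
        # Expire events that fell out of the sliding window.
        while q and (now - q[0][0]).total_seconds() > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": user, "process": proc, "files": len(distinct),
                           "first_seen": q[0][0].isoformat(), "triggered_at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print("ALERT:", alert)   # the hook point for a custom response script
```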