As with anything in technology, it is only a matter of time until a newer, faster version is available. Unfortunately, this is not always for the betterment of all. Earlier this year a new ransomware virus, called Cryptolocker, began infecting computers owned by individuals and businesses alike. Cryptolocker is a Trojan horse malware program that targets computers running Windows. It primarily comes from email, but can also be passed on through any type of file transfer and, when activated, encrypts files using RSA cryptography. A Cryptolocker ransomware attack could be devastating if a company is not properly protected.
The nature of ransomware
Ransomware is any software that intends to harm or deny access to data, files or a computer until payment is made to the criminals who infected the device. How does ransomware do its dirty work? Usually an individual will receive an email with an executable attachment. Once the email attachment is opened, the virus is downloaded, thereby infecting the device.
Cryptolocker targets some of the most important files on a PC: things like pictures, documents, movies, music files, etc. It also attacks files found on networked or attached-storage media, including cloud-based storage. In this manner, the virus acts very much like other viruses. But that's where the similarities end.
Cryptolocker encrypts files on local and mounted network drives using a unique RSA public key generated for each infected computer. The private key needed to decrypt those files is held by the originators of the malware and is only made available if $300 is paid to them within the 72-hour countdown displayed on the screen. While $300 may seem a small amount for regaining access to files pertinent to the success of a customer's business, remember that the people receiving that money are criminals. And, according to reports on those who admit to having paid the ransom, less than half say they received a decryption key after payment.
Even if a victim decides to take the chance on paying the ransom, a bigger problem develops with trying to pay it within the 72-hour time frame. A victim cannot simply offer to pay the ransom using a credit card or PayPal account. The ransom can only be paid using MoneyPak or Bitcoin.
What are MoneyPak and Bitcoin?
When discussing the two forms of payment that Cryptolocker accepts, MoneyPak is easier to explain. MoneyPak cards can be purchased at some major retailers, just like gift cards. Purchasing a card requires no personal information, and once the money is loaded onto the card, the money is instantly available to use. MoneyPak purchases require no bank accounts either, which leaves them virtually untraceable.
Bitcoin, on the other hand, is a digital currency. It is virtually untraceable, and, much like any foreign currency, its value changes daily. The amount of Bitcoin that $300 buys today may vary greatly in value by next week. Because of this exchange-rate volatility, the ransom price in Bitcoin fluctuates, which also makes it difficult to assess exactly how much money Cryptolocker has made since its inception.
An ounce of prevention
Cryptolocker has been assessed as a serious risk because it seems to target small and medium-size businesses (SMBs). SMBs are a problematic target because there are more of them than large companies in the marketplace, they are less likely to have adequate network security, and they are more likely to pay the ransom to regain access to their files.
Cryptolocker messages appear to have been sent to tens of millions of people. Many of the attachments appear important, such as voicemail messages or invoices. As a result, intelligent people open the attachments and fall prey to the ransomware.
As with any virus or ransomware, protection via preventive action is the first line of defense. First, make sure your client's email service provides the best in spam and antivirus filtering to prevent the virus from ever reaching end users. All PCs should use an up-to-date commercial antivirus and anti-malware application. Cryptolocker ransomware prevention also includes communicating information about the malware to users so that they know not to open any unexpected email attachments. Finally, the only infallible way to recover from Cryptolocker is provided by the most critical component of the IT infrastructure: an adequate and fully functional backup. The backup process should be tested routinely to ensure the backup copies are usable in the event they are needed. If a user is infected with Cryptolocker, being able to quickly restore files is the most effective way to recover from the attack.
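The routine backup test described above can be partly automated. The following is an added example, not code from the original article: it records SHA-256 hashes of a backup set in a manifest file when the backup is taken and later checks every copy against it, so a copy that was encrypted in place on a mounted drive (or a dropped ransom note) is caught before a restore is attempted. The manifest name MANIFEST.json and the sample files in demo() are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash in 64 KiB chunks so large backup files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def backup_files(backup_dir: Path) -> dict:
    """Map POSIX-style relative path -> Path for every file in the backup set."""
    return {p.relative_to(backup_dir).as_posix(): p
            for p in sorted(backup_dir.rglob("*")) if p.is_file() and p.name != "MANIFEST.json"}

def write_manifest(backup_dir: Path) -> dict:
    """Record path -> SHA-256 for the backup set at the time it is taken."""
    manifest = {rel: sha256_file(p) for rel, p in backup_files(backup_dir).items()}
    (backup_dir / "MANIFEST.json").write_text(json.dumps(manifest, indent=1))
    return manifest

def verify_backup(backup_dir: Path) -> dict:
    """Check copies against the manifest; anything outside "ok" is unsafe to restore from."""
    manifest = json.loads((backup_dir / "MANIFEST.json").read_text())
    present = backup_files(backup_dir)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        if rel not in present:
            result["missing"].append(rel)          # copy deleted from the backup
        elif sha256_file(present[rel]) != expected:
            result["modified"].append(rel)         # copy overwritten, e.g. encrypted in place
        else:
            result["ok"].append(rel)
    result["unexpected"] = [rel for rel in present if rel not in manifest]  # e.g. ransom note
    return result

def demo() -> dict:
    """Constructed scenario in a temp dir: back up two files, then simulate an attack."""
    backup = Path(tempfile.mkdtemp()) / "backup"
    (backup / "docs").mkdir(parents=True)
    (backup / "docs" / "invoice.txt").write_text("invoice 1001")
    (backup / "docs" / "notes.txt").write_text("meeting notes")
    write_manifest(backup)
    (backup / "docs" / "invoice.txt").write_bytes(os.urandom(32))  # encrypted in place
    (backup / "DECRYPT_INSTRUCTIONS.txt").write_text("constructed ransom note")
    return verify_backup(backup)
```

Run write_manifest() as the last step of each backup job and verify_backup() on a schedule from a host that only has read access to the backup location, alerting whenever any list other than "ok" is non-empty.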
The future of Cryptolocker
Some researchers estimate that the criminals behind Cryptolocker have made hundreds of millions of dollars. In fact, this ransomware virus has been so successful that Cryptolocker 2.0 has appeared. While it mimics the operations of the first version, there are some differences.
The emergence of Cryptolocker 2.0 makes it painfully obvious that other criminals are in the wings waiting to make money off the success of a piece of malware. This is nothing new and there will always be those who want to pilfer money illegally. The security measures for any new versions of ransomware are the same as outlined for the original Cryptolocker ransomware. A copycat version only highlights how imperative it is to have an effective backup routine in place. That, coupled with properly educating customers about intelligent email practices, will prove priceless to any business.
Justin Lenkey is founder and managing partner of Argyle IT Solutions and a member of The ASCII Group.
This was first published in December 2013