IT best practice for mitigating the growing risk of Ransomware

Unlike previous Ransomware programs Cryptolocker uses strong third party certified cryptography by Microsoft called CryptoAPI.  By using this best practice approach to encryption the authors of Cryptolocker have successfully created a Ransomware program that is virtually impossible to circumvent.
Cryptolocker initially targeted business users via an e-mail pretending to be customer support related from the likes of Fedex and UPS etc.  The e-mail contains an attachment disguised as a PDF file.  When the file is opened the program is instantly launched and the computer infected.  The program then proceeds to encrypt all files that are accessible through mapped drives on your computer.  In other words not only will it encrypt files on your local hard drive, if you are connected to a local area network and have mapped network drives it will also encrypt your company files stored on the server.

What do you do if you become infected?

If you are unfortunate enough to become infected by Cryptolocker or any other malware program come to that the first thing to do is to disconnect yourself from your local area network to prevent the program from spreading to your server.  You then realistically have two options; pay the ransom, in which case your files will be un-encrypted (reports indicate they were Cryptolocker) within about 3-4 hours, or remove the infection and restore your files from a backup.   Attempts to remove the program will result in the program deleting the encryption key.

By November 2013 solutions and services were available to help prevent infection and also to un-encrypt data after the 72 hour ransom period had expired, 3^rd party recovery solutions however are expensive and cost more than the ransom fee itself.

In December several variants of yet another Ransomware program, trying to emulate Cryptolockers success, started to infect computers demanding a $150 ransom.  Whilst flaws in locker make it easier to defeat, infection is still a costly affair.

Given its success it’s more than likely Cryptolocker spells the beginning of an entire new generation of more sophisticated Ransomware programs.  It therefore has never been more important to follow best practices to ensure that your data is suitably backed and to take steps to prevent infection occurring in the first place.

Prevention

Backup, Backup, Backup!

Probably the most important thing in terms of managing the risk of infection is to have a good backup solution with a suitable retention policy.  It’s no good backing up to the same media each night.  Due to the risk of overwriting a good backup with infected data you need a good retention policy.

Below are our suggested preventative best practices:

If you are interested in further information on Malware prevention products or services please just drop me a line and I will be pleased to have a chat.

• The most important thing is to think twice before opening any attachments.  Never open attachments from unknown sources, if in any doubt whatsoever get the e-mail checked out with your IT department before opening it.
• Centrally block executable files i.e. .exe files from reaching your users inboxes.  This can be achieved in a number of ways; you may already have the capability to do it on your firewall or with your spam filtering solution.
• Purchase an Anti- Malware solution such as Hitman pro which will protect your computer from Malware threats.
• Implement the built in software protection policies which are built into Windows to manage the programs that are authorised to run on your computer/computers.
• Deploy web filtering to manage the websites that users can access.  This wouldn’t have prevented the Cryptolocker program but it would have prevented the Locker Trojan.

If you are interested in further information on Malware prevention products or services please just drop me a line and I will be pleased to have a chat