As an IT Managed Services Provider, Next Dimension is constantly monitoring our clients’ systems, and we’ve seen a resurgence of the Cryptolocker family of malware lately.
This family of malware silently encrypts your business’s digital data, rendering your files useless to you unless you pay up or can recover from Backup or DR Systems.
How does it work?
In a nutshell, a typical Cryptolocker attack follows five key steps:
Infection
Whether by malicious web content, or more generally through an email attachment, or even infected media such as a USB stick, the Cryptolocker software silently installs on a client computer.
Defensive Tools: Endpoint/Server Security, Web and Email Filter, User Education.
“Phone-Home”
The nefarious software silently checks in with a Command and Control center to receive current ‘instructions’ and register itself.
Defensive Tools: Stateful Network Inspection (“Next-Gen” Firewall or equivalent), Firewall Rules, Block known bad IP ranges.
Synchronization and Crypto Key Generation
Now that the rogue agent software is in your systems, it generates cryptographic keys – one stored on your system, the other with the command and control center. Without both keys, decryption of your data is essentially impossible.
Defensive Tools: Endpoint/Server Security, Process Monitoring, File-level monitoring.
Encryption of your Data
When the keys are generated and exchanged, the malware quietly begins encrypting your files – almost any type of file is susceptible – without any outward sign of activity. These files – Excel files, Word files, JPGs, your critical business data – become useless to you.
Defensive Tools: Endpoint/Server Security, Process Monitoring, File-level monitoring.
Notification / Extortion
After a programmed period of time, or amount of data encrypted, the malware will deliver a pop-up prompt notifying you of the infection and demanding payment (always digital, usually via Bitcoin) as ‘ransom’ to decrypt your files. There is no known alternative to decrypt the files once they’ve been scrambled, short of restoring from backup.
Defensive Tools: Backup / Restore / DR Strategy, Payment.
Next Dimension has helped many clients in their recovery from a Cryptolocker attack, and we’re also experts on laying down the multiple layers of defense that can help to keep Cryptolocker and other infections at bay. With the right preparation, getting back up and running can be a minor inconvenience resolved by a restore from backup and some infection cleanup, rather than a costly business interruption. The key is early preparation.
Common Infection Vectors
For all the damage it causes, Cryptolocker follows some fairly typical routes to make its way into your systems. The most common attack path is via email attachment, often with double extensions (e.g. Filename.PDF.EXE) which may fool some users.
Risk Reduction / Remediation Strategies
Following are some guidelines on ways we can assist you to lock down your network and systems.
User Education
The primary course of action to protect against Cryptolocker and other threats is also the most effective one. The best bang-for-your-buck return of any security effort comes from educating your users about suspicious email messages, avoiding attachments whose origin is not 100% certain, and involving helpdesk / IT resources early and often. Such communication needs to happen regularly, to keep users aware of typical threats that are circulating.
That communication should work both ways – your users need to know who to contact when they have IT questions. So often, we measure IT Support efficiency by minimizing support tickets, but isn’t it worth it to spend 5 minutes with an end user to avoid a potential costly, prolonged business interruption?
Block attachments in email
While it may not be practical for all businesses, an email attachment can’t attack your business if it doesn’t arrive in a user’s mailbox. With most modern email platforms, it’s easy to configure the mail servers to drop attachments entirely. Consider an alternate method of file delivery, if necessary: cloud-synced file repositories, web-based file exchange systems, etc.
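Where dropping every attachment is not practical, a name-based policy can still catch the double-extension trick described under Common Infection Vectors. The following is an added example, not Next Dimension’s tooling; the extension lists are assumptions for illustration and would be tuned to your own mail environment.

```python
# Assumed policy lists for this example (not from the article): extensions that
# run as code on a Windows client, archive types that can carry them, and the
# document types an attacker likes to disguise an executable as.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
ARCHIVE_EXTS = {"zip", "rar", "7z"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}

def attachment_verdict(filename: str) -> str:
    """Classify an inbound attachment name as 'block', 'review' or 'allow'.

    Only the last extension decides what Windows does with the file, so
    Filename.PDF.EXE is judged by the 'exe', not the 'pdf'. Case and padding
    spaces are ignored so 'INVOICE.pdf   .EXE' gets the same verdict.
    """
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 2 or not parts[-1]:
        return "review"     # no usable extension: a human decides
    if parts[-1] in EXECUTABLE_EXTS:
        return "block"      # executable payload, whatever it pretends to be
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return "review"     # double extension, e.g. report.pdf.zip
    if parts[-1] in ARCHIVE_EXTS:
        return "review"     # archives hide their contents from name-based rules
    return "allow"

def filter_message(attachments):
    """Apply the policy to every attachment of one message.
    Returns (verdict per name, whether the whole message should be dropped)."""
    verdicts = {name: attachment_verdict(name) for name in attachments}
    return verdicts, any(v == "block" for v in verdicts.values())

if __name__ == "__main__":
    sample = ["Invoice.PDF.EXE", "report.pdf", "photos.zip", "README"]  # constructed
    print(filter_message(sample))
```

A mail gateway would run this on the decoded attachment name before delivery; "review" verdicts go to a quarantine for the helpdesk rather than straight to the user.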
Backups
On a long enough time frame, every business suffers a catastrophe. What will you do to recover? A regularly reviewed, tested and redundant backup is the insurance policy to provide your business the continuity it needs to weather the storm. Have a plan in place for file-level restores as well as organizational reconstruction (“bare-metal” recovery). Your backups’ Recovery Point Objectives (RPOs) must be set so that the backup history reaches back far enough to restore unencrypted copies of your files – your system may continue happily backing up encrypted data with you none the wiser.
We’ve assisted many businesses with Cryptolocker recovery, and a proper backup is the only alternative to ransom payments to get your files back. The right backup strategy should be application-aware, block-level, with an off-site copy of the data.
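One way to notice that a backup job is quietly capturing encrypted data is to sample the backed-up files and measure their byte entropy. This is an added example, not part of Next Dimension’s backup products; the extension list, the 7.0 bits-per-byte limit and the sample backup set are all assumptions constructed for illustration.

```python
import math
import random
from collections import Counter

# Assumptions for this example (not rules from the article): only plain-text
# formats are entropy-tested, because compressed containers (docx/xlsx, jpg,
# zip) are legitimately high-entropy and would produce false positives.
PLAIN_TEXT_EXTS = {"txt", "csv", "log", "xml", "ini"}
ENTROPY_LIMIT = 7.0   # bits per byte; encrypted or random data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def _extension(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""

def suspicious_files(backup: dict) -> list:
    """Paths whose content looks encrypted although the extension says plain text."""
    return [p for p, content in backup.items()
            if _extension(p) in PLAIN_TEXT_EXTS and shannon_entropy(content) > ENTROPY_LIMIT]

def backup_needs_review(backup: dict, max_ratio: float = 0.1) -> bool:
    """True when more than max_ratio of the testable files look encrypted."""
    testable = [p for p in backup if _extension(p) in PLAIN_TEXT_EXTS]
    return bool(testable) and len(suspicious_files(backup)) / len(testable) > max_ratio

# Constructed sample backup set: two ordinary text files, one "csv" whose content
# is random bytes (standing in for ciphertext), and a JPG that is high-entropy
# for legitimate reasons and must not be flagged.
_rng = random.Random(2015)
_random_bytes = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_BACKUP = {
    "finance/2015/ledger.csv": b"id,vendor,amount\n" + b"".join(
        b"%d,Acme Ltd,%d.50\n" % (i, i * 7) for i in range(200)),
    "finance/2015/notes.txt": b"Q3 review: cash flow improved, renew lease.\n" * 40,
    "finance/2015/payroll.csv": _random_bytes,
    "marketing/logo.jpg": _random_bytes,
}

if __name__ == "__main__":
    for path in suspicious_files(SAMPLE_BACKUP):
        print("looks encrypted:", path)
    print("backup needs review:", backup_needs_review(SAMPLE_BACKUP))
```

Run against each new restore point, a rising ratio of flagged files is the signal to stop rotating out older, clean restore points.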
Web filter, Email Filter
Whether it be a physical appliance in your environment, a virtual appliance on your hypervisor, or a cloud-based service, you have a wealth of options to scan Web and Email traffic in real time. The best solutions will continually update on known bad IP addresses, attachment types, virus definitions, etc.
Double Filtering
While any filtering is better than none, no system will catch 100% of security threats – particularly in this time of “0-day” threats, where security vendors and criminal actors are caught in a back and forth race trying to defeat each other’s newest tech. For this reason, it can make sense to deploy multiple inline filters, to maximize your chances of catching any particular malware.
Multiple file servers (Restrictive File Security)
Containerizing (or ‘silo-ing’) your business data and strictly controlling who has access to it can help to mitigate the spread of Cryptolocker or similar malware. Consider reviewing your users, groups, and security policies and potentially even segregating data between file servers.
Archiving
It may make sense (for completed projects, or past years’ data) to take data offline. If you’re keeping gigabytes of old projects or financials around just to have them, consider moving them to offline storage or cloud storage – they’ll still be accessible, but safe from issues that may threaten your primary storage.
Hot Standby
In any disaster, you want your business to be fully functioning again as soon as possible. Next Dimension can show you how to take your Backup strategy to the next level, leveraging Hot Standby servers that are ready to swap in for compromised servers. Reduce your RTO (Recovery Time Objective) significantly by immediately restoring data to a swapped-in Hot Standby server, rather than a complete rebuild.
Remember the 4 Qs
Quick – A security event can go from 0-60 very quickly. Your IT staff (or better, automated systems) need to be vigilant and ready to respond quickly. Have response processes laid out before they’re needed – you want to know how to use the fire hose *before* the building’s on fire, as they say.
Quiet – Cryptolocker (and many other malware actors) can fly under the radar until it’s too late. Set up automated processes to review event logs, file system changes, unexpected processes, or other key indicators of a compromise. Keep your staff educated – and not just the IT staff.
Quarantine – Respond immediately to the issue – protect remaining unencrypted data, start planning backup/restore processes, and determine the extent of the compromise – how many client computers, how many network shares, etc. Mapped network drives (e.g. “H:” for \\COMPANY\Data) are a favourite target for the Crypto family.
Quash – Root out the malware processes, clean infected client computers, stand up new servers where necessary, and restore data from backup. Perhaps more importantly, learn and improve security processes to keep yourself safe in the future.
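The “Quiet” point above calls for automated review of file system changes. The following added example (not a Next Dimension product, and the log line format, extension list, 60-second window and 20-rename threshold are all assumptions constructed for illustration) watches file-change events on a share and alerts when one user renames files to an unknown extension faster than any person would.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed log format: "<ISO time> user=<u> host=<h> op=<op> path=<old> [new=<name>]"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) op=(?P<op>\S+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$")

KNOWN_EXTS = {"docx", "xlsx", "pdf", "jpg", "txt", "csv", "tmp"}  # normal on this share
WINDOW_SECONDS = 60      # sliding window length
RENAME_THRESHOLD = 20    # drifted renames by one user inside the window

def parse_event(line: str):
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event

def is_extension_drift(event) -> bool:
    """True for a rename whose new name ends in an extension the share never uses."""
    if event["op"] != "RENAME" or not event["new"]:
        return False
    return event["new"].rsplit(".", 1)[-1].lower() not in KNOWN_EXTS

def find_burst_users(lines):
    """user -> first alert time, for >= RENAME_THRESHOLD drifted renames per WINDOW_SECONDS."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        event = parse_event(line)
        if event is None or not is_extension_drift(event):
            continue
        window = recent[event["user"]]
        window.append(event["ts"])
        while (event["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= RENAME_THRESHOLD and event["user"] not in alerts:
            alerts[event["user"]] = event["ts"]
    return alerts

# Constructed sample: a normal Office save by asmith, then 25 renames in 25 s by
# jdoe turning Q3 spreadsheets on the mapped share into .locked files.
SAMPLE_LOG = [
    r"2015-11-03T09:13:50 user=asmith host=WS-04 op=WRITE path=\\COMPANY\Data\HR\policy.docx",
    r"2015-11-03T09:13:55 user=asmith host=WS-04 op=RENAME path=\\COMPANY\Data\HR\~tmp.docx new=policy.docx",
] + [r"2015-11-03T09:14:%02d user=jdoe host=WS-17 op=RENAME path=\\COMPANY\Data\Q3\file%d.xlsx new=file%d.xlsx.locked"
     % (i, i, i) for i in range(25)]
```

The alert names the user and host to disconnect first, which is exactly the input the “Quarantine” step needs; the per-user window also keeps a single bulk rename by an administrator from hiding a second, unrelated burst.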