Defending against CryptoLocker

CryptoLocker is a sophisticated ransomware program aimed at tricking users into running an embedded exe file that encrypts local AND shared files (mapped network drives) and demands a ransom for a key to unlock them.  Through a very sophisticated approach of social engineering this email has tricked many users into launching the payload.  The malware was released in September, tripled in October, and we are still seeing mutating variations in November.

CrytoLocker is the latest and most damaging Windows Virus in a series of ransomware Trojans.  The most common email subjects have been UPS or FedEx tracking notifications as well as recently being distributed as an Outlook update.

CryptoLocker is not known to have affected any Mac or Linux based systems unless running a Windows virtual environment (it needs the Windows OS).

Although CryptoLocker itself is readily removed, files remain encrypted in a way which researchers have considered infeasible to break. Many say that the ransom should not be paid, but do not offer any way to recover files; others say that paying the ransom is the only way to recover files that had not been backed up.

What is Mailprotector doing?

Mailprotector blocks all .exe files by default but previously did not block embedded .exe's in zip files.  As a preventative measure, we are now also extracting and blocking embedded .exe files and any encrypted zip file.  You will now see email containing these two characteristics in your Virus quarantine.  Domain > Settings > Quarantine.  You can also control the release permissions from this page, whether limited to managers or allowed at the user level.

If blocking based on the above criteria raises false positive concerns for your organization, we suggest you enable Virus Notifications to the end user and or the admin/manager for that account

We are continuing to monitor all new campaigns.  There is no anti-virus available that can detect and block new variations in real time. We, like all other AV vendors, are monitoring around the clock for any new variation and adjusting immediately to all new threats.  We are catching all known variations of this email but there is no guarantee that we have seen the last threat.  In addition, blocking embedded .exe files and encrypted zip files will add another layer of preventive security. 

What can I do?

At the Enterprise or Domain level - Mailprotector, Mail Server, or Local Computer

  • Local AV or other security software that prevents access to executable and other potentially dangerous programs on the clients computer.
  • Update Java, Flash, and OS patches.
  • Disable Java plugins for web browsers.

 

End User Best Practice - Simple (but frequently ignored) safe computing practices to consider when opening emails and file attachments, in general:

  • Always check who the email sender is. If the email is supposedly coming from a bank, verify with your bank if the received message is legitimate. If from a personal contact, confirm if they sent the message. Do not rely solely on trust by virtue of relationship, as your friend or family member may be a victim of spammers as well.
  • Double-check the content of the message. There are obvious factual errors or discrepancies that you can spot: a claim from a bank or a friend that they have received something from you? Try to go to your recently sent items to double-check their claim. Such spammed messages can also use other social engineering lures to persuade users to open the message.
  • Refrain from clicking links in email. In general, clicking on links in email should be avoided. It is safer to visit any site mentioned in email directly. If you have to click on a link in email, make sure your browser uses web reputation to check the link.  
  • Always ensure your software is up-to-date. Currently there are no known CryptoLocker that exploits vulnerabilities to spread, but it can’t be ruled out in the future. Regularly updating installed software provides another layer of security against many attacks, however.
  • Backup important dataUnfortunately, there is no known tool to decrypt the files encrypted by CryptoLocker. One good safe computing practice is to ensure you have accurate back-ups of your files. The 3-2-1 principle should be in play: three copies, two different media, one separate location. Windows has a feature called Volume Shadow Copy that allows you to restore files to their previous state, and is enabled by default. 
Have more questions? Submit a request

Comments