CryptoLocker: What is it and why should you care?
Updated: Jun 25, 2020
It is no secret that ransomware can be extremely vicious and destructive, but it is also not a new concept. Though the implementation and use of ransomware has come and gone in many forms, and many anti-ransomware apps have been developed, new malware is constantly emerging. One of the most infamous examples of ransomware software is that of CryptoLocker, and it can be extremely damaging to data-driven organisations.
Malware such as CryptoLocker can enter any protected network through several formats, including emails, file-sharing sites, and downloads. Many new variants have successfully been able to circumvent anti-virus and firewall technologies, and it should not come as a surprise that they will continue to emerge and avoid further security measures without detection. Before focusing on how you can protect your business from such malware, it is important to understand what CryptoLocker does and how you can detect it early on before any true damage is done.
So, what does it actually do?
There are many strands of CryptoLocker and similar ransomware that have been created since the original ‘CryptoLocker’ was taken down in mid-2014, but the goal is still much the same in whatever form it takes.
On execution, CryptoLocker begins to scan any network drives that the host is connected to, then renames and encrypts the folders that have permission to modify, based on the credentials of the who executes the code.
Without the geek-speak, CryptoLocker once executed installs itself on the computer, scans your computer for any drive, device, or network that a user has admin rights to, and locks the data.
For example, once in the computer, the attacker can create an admin account on the PC given enough time without detection, and therefore by rights, can access all admin data stored on the PC and make it inaccessible and can expose crucial private information.
There can be many variants of this ransomware, one of these being ‘CTB-Locker’ which installs a single file in the directory where it first begins to encrypt files.
Luckily, the encryption process can take hours and therefore provides a window of opportunity to prevent any real damage from being done and can be disrupted with early enough intervention.
However, the first step of prevention is detection.
If file access activity is being monitored on the affected file servers, these behaviors create a lot of open, modify, and create events very quickly, and are pretty easy to spot with enough automation. For example, if a user account modifies 100 files within a minute, it is safe to say that something automated is going on. Configure your monitoring solution to trigger an alarm when these behaviours are taking place.
If you do not have an automated activity monitoring programme in place, however, you may be forced to enable native auditing. Native auditing unfortunately taxes monitored systems and the output is difficult to decipher. If you are unsure how to do this, speak to one of our IT wizards to help you avoid any risks of falling victim to ransomware and set up a file-sharing ‘honeypot’.
The ‘honeypot’ is an accessible file share that contains files that local normal or valuable, but in reality, they are fake. As there are no legitimate user activities associated with a honeypot file share, any activity should be treated as suspicious.
CryptoLocker can also only encrypt the files and folders to which its user account has access to. If you are administering a network, you can minimise risk by only allowing other users to only access folders, files, and drives they are likely to need.
Other preventative techniques that can be used are simply exercising good IT habits.
Back-up your business data and do so regularly. ACS offers a range of cloud-based solutions that can store crucial business data in several different sites, automatically update all software, user files, and any other IT-related on a regular basis.
This is the single most effective way you can recover your files should you fall victim to ransomware attacks. If using an external drive, disconnect it after backing up locally stored folders and files. Putting both measures in place is an effective and efficient way to avoid downtime or critical data loss.
Never download attachments from unknown senders or click unknown links. This is the most common way attackers get access to crucial personal data whether for your business or otherwise. This is how the original CryptoLocker made its way onto users’ computers and is still a very common practice used today.
Always update your software. Install updates and patches as soon as they are released. Programmes such as windows defender has become well versed in preventative techniques to stop potential malware from getting into your devices in the first place, and the updates and patches are crucial to carrying this.
Use security software. Strong cybersecurity software can take a lot of the hard work away from preventing potentially harmful malware or programmes getting through but ensure it is from a trusted source.
Finally, use a VPN whenever accessing a public WiFi network. This not only encrypts your data from attackers but also minimises the risks of viruses and other harmful data from getting near your personal information and business servers.