Encrypting the CryptoLocker

There’s been a lot of talk about CryptoLocker lately, as though it were something new or unique.  Sorry to disappoint everybody, but there are about 500,000 different variants of ransomware out there, all active and well, and all of them need to be covered.  So please, shake off your fear of this particular one and start worrying about all of them and their individual variants.

It would appear, however, that this latest strain is particularly nasty, so although panic is never justified, caution is in order.  What should you do?  The usual and the obvious, if I may say.

Start by making sure you have the usual layered protection and that all your anti-virus products are up to date.  They may not be the best tools, but if they are not up to date you are obviously more exposed.  This goes for your gateway protection, your servers and your endpoints.  And when I say endpoints, I mean ALL of them: workstations, laptops, smartphones, tablets, anything and everything that can connect to your network.

Back up as often as you can, as much as you can.  The best defense against something like CryptoLocker, if it does strike, is to restore from the last good backup and ignore the ransom demand.  True, you’ll lose those last few hours of work, but that is a lot better than being held to ransom by a crook or losing all your data.  One caveat: the malware encrypts whatever the infected user can write to, mapped network shares included, so a backup that sits on a drive letter is not a backup.  Keep copies offline or on storage the workstations cannot write to, and keep more than one generation, because the backup job that ran after the infection will have captured nothing but encrypted files.

Therefore, back up frequently and test your recovery procedures.  It’s incredible how many times people back up everything and then never test how they would recover from a disaster using that backup.  Now would be a good time to run that recovery test, if you can.

And yes, this will reveal that you backed up all the data but forgot to back up an OS image, so you can’t easily rebuild a lost computer, for example.  Or who knows what else it will bring up; in any case, it is irrefutably worth your time to try at least once, if you haven’t yet done so.

These Trojans change every day.  Neither space nor time constraints permit me to go into details here, but some spread through servers, and if the infection reaches those you’re in serious trouble.  It is one thing to lose a workstation, another to lose your company’s database.  Do whatever you can to segregate those servers: limit user access, keep separate user IDs for separate roles, and make sure you have good access management.  The Trojan runs with the privileges of the user who launched it, so it can only encrypt what that user can write to; Windows permissions can be bypassed and the Trojan may spread anyway, but it is even more certain that if you don’t segregate properly, the simplest Trojan will spread too, and that’s not a good thing!

In all this, don’t forget your vendors.  The last thing you need is to be doing business with vendors who don’t take security as seriously as you do.  And yes, it does happen: vendors get infected, they connect to your network (direct access via private lines for core vendors, VPN for others; some may send you a CD or a flash drive; you name it), and before you know it their infection becomes your nightmare.  Though you can’t be 100% certain about them and you don’t get to write their security rules, at the very least, in your vendor due diligence, try to go beyond asking for that SSAE 16 Type II report (which really tells you nothing about this).  Demand that they show you how they protect their network and their own assets, and what guarantees that their setup will limit, if not stop, the spread of a problem from their network to yours.  It’s an issue not to be underestimated.

Finally, this Trojan seems to spread predominantly via ZIP files attached to e-mail, typically containing an executable disguised as a document.  Train your people about this.  If the ZIP isn’t coming from someone they know, DO NOT CLICK.  If it’s coming from someone they know but they didn’t expect it or had no good reason to receive it, DO NOT CLICK.  Investigate first.  A few seconds of thinking can spare you days of pain.  And don’t rely on training alone: have your mail gateway look inside archives and reject the ones that carry executables.
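The gateway check described above, as an added example that is not part of the original post: rather than trusting the attachment’s outer name, it opens the ZIP and flags members that are executables by extension, document names hiding an executable extension (the "invoice.pdf.exe" trick), anything whose content starts with a Windows PE header regardless of name, and members it cannot inspect at all (password-protected or nested archives). The extension lists, the sample attachments and their file names are constructed for the example.

```python
"""Inspect an e-mail ZIP attachment for executable payloads. Example code,
not from the original post; the samples at the bottom are constructed."""
import io
import zipfile

# Assumed policy lists; tune to your environment.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
DECOY_SUFFIXES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def classify_member(name: str, head: bytes) -> list:
    """Return the reasons one archive member looks dangerous (empty == ok)."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]          # ignore folders inside the zip
    parts = base.split(".")
    suffix = "." + parts[-1] if len(parts) > 1 else ""
    if suffix in EXECUTABLE_SUFFIXES:
        reasons.append(f"executable extension {suffix}")
    if len(parts) > 2 and "." + parts[-2] in DECOY_SUFFIXES and suffix in EXECUTABLE_SUFFIXES:
        reasons.append("double extension (document name hiding an executable)")
    if head.startswith(b"MZ"):                       # PE header, whatever the name claims
        reasons.append("PE executable content")
    if head.startswith(b"PK\x03\x04"):               # zip inside a zip: cannot vouch for it
        reasons.append("nested zip archive")
    return reasons


def inspect_zip(blob: bytes) -> dict:
    """Map every file member of the attachment to its list of findings."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:                 # general-purpose bit 0: encrypted
                findings[info.filename] = ["password-protected member, cannot inspect"]
                continue
            with zf.open(info) as member:
                head = member.read(4)                # enough for MZ / PK / %PDF magic
            findings[info.filename] = classify_member(info.filename, head)
    return findings


def should_block(blob: bytes) -> bool:
    """Gateway decision: any finding on any member blocks the attachment."""
    return any(inspect_zip(blob).values())


def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a typical lure, a renamed executable, and a clean attachment.
LURE = make_zip({"Invoice_2013_10.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
                 "readme.txt": b"Please see the attached invoice.\n"})
RENAMED = make_zip({"holiday.jpg": b"MZ\x90\x00" + b"\x00" * 60})
CLEAN = make_zip({"report.pdf": b"%PDF-1.4\n%constructed\n"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("renamed", RENAMED), ("clean", CLEAN)):
        print(label, "BLOCK" if should_block(blob) else "allow", inspect_zip(blob))
```

The content check matters more than the name checks: Windows hides known extensions by default, so the user sees "Invoice_2013_10.pdf" with a PDF-looking icon, and an attacker can just as easily ship the executable under a completely innocent name.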

And by the way, as it goes for the vendors, so it goes for everyone who usually sends you e-mail, even (maybe especially) family and friends.

Who can guarantee that their computer hasn’t already been compromised?  Just because they’ve been sending you e-mails for years doesn’t necessarily mean you can trust their e-mails.  Do not click; and do not click on websites you’re not 100% certain about either.  Now, more than ever, it is important to teach your users to pay attention to what they are clicking on.

I know some of this will seem obvious, but then again, in a moment of panic the obvious can elude the best of us.  And panic appears to be the word of choice when it comes to CryptoLocker.  As a member of InfraGard, I can tell you that even the FBI has been sending us material about this Trojan!

All things said and done, I’m essentially inviting all of you to stay calm, continue doing what you’ve already been doing for a long time, and not lose momentum.  It’s just another Trojan after all (and what’s that compared with the 500 thousand or more new ones we see every day?)

Pierluigi Stella

With a sterling track record of successfully accomplished projects, an extensive technical know-how, and nine years as head of both the technical as well as customer service divisions of Network ... Web: www.networkboxusa.com