A Deep Dive into CryptoLocker Ransomware Malware and How to Protect Yourself
Ransomware attacks are real and dangerous.
The CryptoLocker ransomware attack remains, alongside Petya and WannaCry, one of the most prolific large-scale attacks in malware history, designed specifically for Windows operating systems.
Cybersecurity specialists say the first CryptoLocker attack took place on September 5, 2013, yet the ransomware crippled about 500,000 Microsoft Windows computers at a rampant infection rate until it was contained in May 2014 following Operation Tovar.
But where do ransomware attacks originate and how do they work?
How Ransomware Usually Operates
Ransomware infections usually start with drive-by downloading or phishing campaigns: a suspicious email from an unknown source that manipulates the user through social engineering techniques to click on a link or download an infected attachment.
In recent years, hackers have developed sophisticated scams with copycat emails and templates, making it often hard even for the most tech-savvy to detect a phishing attempt.
All it takes is for an individual to click on the link in the body of the email or download the attachment.”
Upon infection, the malicious software encrypts all data and rapidly spreads in the entire infrastructure. Immediately an alert will appear on the screen informing the victim that the system is encrypted, and a bitcoin ransom must be paid to retrieve a decryption key.
While many companies naively expect immediate payment will regain them access to files, hackers are unlikely to release encryption keys and the data is lost.
Liquid Web’s blog is full of useful tips on how to secure your infrastructure. Subscribe now to get the latest right into your inbox.
In some cases, a signature-based detection security software with malicious behavior monitoring could detect and remove the ransomware, but the data is lost regardless. If ransomware hits, data backups are critical for all businesses, because most likely the data will never be retrieved and it will be impossible to restore the system without formatting it.
How Does CryptoLocker Work?
CryptoLocker is a highly sophisticated malware strain but it can’t self-replicate, so hackers distributed the malware through a Trojan that replicated through infected email attachments and through the Gameover Zeus, (a peer-to-peer botnet built on ZeusTrojan). Gameover Zeus banking malware was allegedly responsible for over one million computer infections, according to FBI investigations.
The emails appeared to be sent by a legitimate, reputable company and the attachments were ZIP files disguised as PDFs.
Companies could be anything, such as online retailers, social media platforms, financial institutions, or shipping companies that allegedly sent an invoice, order tracking, or confirmation email. In some cases, CryptoLocker also was delivered through compromised plug-ins downloaded from suspicious websites.
Once the payload was activated, CryptoLocker encrypted absolutely all hard drive data, including any information on devices connected to the infected machine, such as USB sticks, cloud-synced folders such as DropBox, and even company servers.”
The malicious software tried to communicate with command and control servers, took over the user profile (documents and settings folder) and scanned the system for files such as spreadsheets, documents and AutoCAD design files stored on local and mounted network drives.
Then it encrypted them with RSA public key cryptography, also known as asymmetric encryption. Public key cryptography is complex because it involves key pairs. It encrypts the files with the public key, and then creates a private key that decrypts them. Nobody but the hackers can access the decryption key.
As it happens with any ransomware infection, after the system was encrypted, CryptoLocker victims were given between 72 and 100 hours to send a pre-paid cash voucher (MoneyPak) worth $400 or €400, or its equivalent in bitcoin.
Ransomware is an incredibly profitable business. Industry sources claim CryptoLocker put some $30 million in the author’s pocket, in just 100 days in the wild.
What You Can Do To Reduce Ransomware Infection Risks
The problem with CryptoLocker is that it was too sophisticated to have a backdoor, so it’s best to be cautious now that CryptoLocker-derived variants are out there.
Security researchers absolutely do not recommend giving in to this kind of extortion, as there may be other strategies to regain system access without paying ransom.
Here are some tips on how to reduce infection risks:
- Did you receive an email from an unknown or unsolicited source?
If you have no idea what the email is about or who the sender is, don’t click on the links in the body and don’t download any attachments. Recent ransomware campaigns against enterprises have been targeting departments such as HR, accounting and logistics.
- Train staff members and customers about online security risks and how to detect a phishing attempt.
- CryptoLocker ransomware also spread through a botnet, not just a Trojan hidden in an email. In this case, there is not much you can do because it means you already have other malware in the system which only made it easier to get a double dose of malicious software.
- The CryptoLocker ransomware attack reinforces the importance of data backups.
Keep regular and updated backups of important data and store it in multiple sources, including offline, to recover the information and restore the system if your network is infected with ransomware.
- Restrict employee access to critical files and systems to reduce malware exposure in case of infection.
- Run regular software and firmware updates, as well as security patches of known vulnerable browser plugins such as Adobe Flash and Java, to reduce network vulnerabilities that could expose the network to malware infections.
- If you do see a message on your computer screen that you have fallen victim to ransomware, it’s important to remain calm and investigate the type of ransomware you’ve been exposed to.
In some cases, it might just be scareware or a screen locker, so you can still access your files.
If you care not able to access your files, you were probably hit by file-encrypting ransomware which cannot be ignored or removed by closing the message. To get rid of encrypting ransomware, try disconnecting the infected device from the internet to prevent the ransomware from spreading, and use a robust security solution to clean up your device and remove it.
You can also reinstall your operating system. No matter which method is chosen, it is important to know that removing the ransomware means losing the files that were encrypted.
Big industry names have released decryptors that can be found on their websites, and you can always check if a decryptor is available, provided you know the type of ransomware you are dealing with.
- Install an updated security solution to protect your infrastructure. Companies can choose server protection packages that include routine scans for susceptible points, hardened server configurations, antivirus, and malware cleanup and remediation.
Stay Secure With Liquid Web
Prepare for the worst with security solutions from Liquid Web, including storage and backup services, security and data protection, and more.
For October Cybersecurity Awareness month, we prepared some video tips you can share with your team.
Nick is the Senior Director of Security & Compliance at Liquid Web. He has over 20 years of experience in Technology and brings a wealth of knowledge and a strong understanding of data security to help safeguard our customers' environments.
Keep up to date with the latest Hosting news.