As you may have discovered by experiencing it yourself, or from all the related news, there is severe malware roaming the internet at the moment which uses a “Social Engineering Attack” to run malicious code. The aim of this code is to encrypt all of the files and folders that the infected machine has access to and then force the victim to pay money to receive the decryption key needed to regain access to the data.
CryptoLocker – Where it all began
CryptoLocker is a ransomware Trojan which specifically targets Microsoft Windows based operating systems. It is said to have been created and posted to the internet on 5 September 2013. CryptoLocker uses the file encryption mechanism built into every version of Windows since XP and encrypts files both on local drives and on network locations (reached via a network drive mapped from a server).
CryptoLocker is referred to as a Social Engineering Attack because it leverages the human component of an IT ecosystem. Social Engineering attacks use content which appears to come from a legitimate source to trick users into opening email attachments which then run malicious software. They can also take the form of a phone call from an individual claiming to be from a legitimate organization such as Microsoft, who then asks users for their bank or password details in order to use those details for their own gain.
CryptoLocker was the first of its kind and, thanks to its simple process of encrypting the victim’s data, is very successful in its purpose. The victim is left at the mercy of the attacker, having to pay money to receive the keys required to reverse the encryption. Attackers in this instance are counting on victims having poor IT policies for the control of email attachments, relaxed IT security, poor user training, poor or non-existent backup strategies and an ‘it won’t happen to me’ attitude, all of which allow the attacker to achieve their end and extort money from their victims.
CryptoLocker is propagated via a vague email from a seemingly legitimate organization. The email always carries an attachment such as a ZIP file, inside which is what appears to be a legitimate file. Upon opening this file the payload installs itself into the user profile folder, adds a key to the Windows registry so that it runs at startup, and then attempts to contact its command and control servers online. Once the connection is established a pair of keys is generated: a private key and a public key.
The public key is sent back to the infected computer, and the payload then begins the encryption process across the local drives (C, D, E and so on) before moving on to scan mapped network drives, which are usually located on the organization’s server. Each file encrypted is logged to the registry. The payload only encrypts files with certain extensions. Once the encryption process completes the payload displays a message to the victim stating that their files have been encrypted and that they must pay USD$400 to have them decrypted. The payment is made through an anonymous payment method or through Bitcoin. The message also states that if payment is not made within 72 hours the decryption key will be destroyed. This is why it is called ‘ransomware’: it is software that holds victims to ransom.
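The persistence step described above (a payload dropped into the user profile folder that adds a registry Run key so it starts with Windows) is something an administrator can audit directly. The script below is an added example, not code from the original article; it only reads the registry, and it assumes that user profiles live under the parent of the current user’s profile folder (normally C:\Users).

```powershell
# Added example, not from the original article: list autostart (Run/RunOnce) entries
# whose executable lives inside a user profile folder, the location CryptoLocker-style
# payloads install themselves into. Read-only; runs from any user account.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: all profiles sit under the parent of the current profile (normally C:\Users).
$profileRoot = Split-Path -Parent $env:USERPROFILE

function Get-ExecutablePath {
    param([string]$Command)
    # A Run value is a command line. Take the quoted first token if there is one,
    # otherwise the first whitespace-delimited token, after expanding %VAR% references.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 1) { return $expanded.Substring(1, $end - 1) }
    }
    return ($expanded -split '\s+')[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }    # provider metadata, not a Run value
        $exe = Get-ExecutablePath -Command ([string]$prop.Value)
        if (-not $exe) { continue }
        if ($exe.StartsWith($profileRoot, [StringComparison]::OrdinalIgnoreCase)) {
            $present = Test-Path -LiteralPath $exe
            $created = $null
            if ($present) { $created = (Get-Item -LiteralPath $exe).CreationTime }
            [pscustomobject]@{
                Key        = $key
                ValueName  = $prop.Name
                Executable = $exe
                OnDisk     = $present       # an entry whose file is gone is still worth a look
                Created    = $created       # a very recent creation time on a user-writable path is suspicious
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No autostart entries launch from a user profile folder.' }
```

Legitimate software sometimes updates itself from %LocalAppData% too, so treat the output as a short list to review rather than a verdict; the creation time and the presence or absence of the file on disk are the quickest way to tell a long-standing updater from something that appeared today.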
The success of CryptoLocker has caused a number of clones of the original software to be created by other malicious individuals, all with the same basic approach: encrypt a user’s files and then demand money to decrypt them. Some variants are known as CryptoLOL and CryptoWall.
According to Wikipedia, a survey completed by the University of Kent found that 41% of users had opted to pay the ransom to have their files decrypted. Given the nature of the attack there are a few mitigation strategies that can be followed, such as:
• End User Education – Advising end users on what to look for in a phony email, and to ask for help if in doubt
• Have a Proper Backup – Recovering files from backups will lose a small amount of work, depending on how often backups run, but this is still better than the alternative of losing everything and having to pay exorbitant ransom fees
• Server Policies – Server Group Policies can control what types of files are allowed to run from a user profile folder, which prevents the payload from running
• Antivirus / Antimalware Software – Behavioural analytic antivirus software such as ‘Webroot’ helps identify abnormal behaviour within the operating system
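The ‘Server Policies’ item refers to Software Restriction Policies, which block program execution from the user profile paths that mail attachments are unpacked into. The script below is an added example, not anything from the original article: it creates the equivalent rules on a single machine by writing the Safer registry keys directly, and must run elevated. In a domain the same path rules are created under Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies in a Group Policy Object. The list of blocked paths is an assumed baseline.

```powershell
# Added example, not from the original article: local Software Restriction Policy
# rules that disallow executables launching from user profile and archive-extraction
# folders. Run elevated. Path list is an assumed baseline; adjust for your applications.

$codeIds = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Folders a mail attachment is typically dropped into or unpacked from. Documents in
# these folders still open normally; only starting a program from them is blocked.
$disallowedPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%UserProfile%\Downloads\*.exe',
    '%Temp%\Rar*\*.exe',       # WinRAR temporary extraction folder
    '%Temp%\7z*\*.exe',        # 7-Zip temporary extraction folder
    '%Temp%\wz*\*.exe',        # WinZip temporary extraction folder
    '%Temp%\*.zip\*.exe'       # Explorer's built-in ZIP viewer
)

function Initialize-SaferPolicy {
    # Turn SRP on with "Unrestricted" (0x40000) as the default level, apply it to all
    # users (PolicyScope 0) and enforce it for executables other than DLLs
    # (TransparentEnabled 1). Only the path rules added below are then disallowed.
    New-Item -Path $codeIds -Force | Out-Null
    Set-ItemProperty -Path $codeIds -Name DefaultLevel       -Value 0x40000 -Type DWord
    Set-ItemProperty -Path $codeIds -Name TransparentEnabled -Value 1       -Type DWord
    Set-ItemProperty -Path $codeIds -Name PolicyScope        -Value 0       -Type DWord
}

function Add-DisallowedPathRule {
    param([string]$Path, [string]$Description)
    # Level 0 is "Disallowed"; each rule is a GUID-named subkey under ...\0\Paths whose
    # ItemData (REG_EXPAND_SZ) holds the path pattern, environment variables included.
    $ruleKey = Join-Path $codeIds ('0\Paths\{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData    -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags  -Value 0            -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description -Value $Description -Type String
    return $ruleKey
}

function Get-DisallowedPathRules {
    # Return the path patterns currently disallowed, for review before and after rollout.
    $pathsKey = Join-Path $codeIds '0\Paths'
    if (-not (Test-Path -Path $pathsKey)) { return @() }
    Get-ChildItem -Path $pathsKey | ForEach-Object {
        (Get-ItemProperty -Path $_.PSPath).ItemData
    }
}

Initialize-SaferPolicy
$existing = Get-DisallowedPathRules
foreach ($p in $disallowedPaths) {
    if ($existing -contains $p) { continue }   # idempotent: re-running adds no duplicates
    Add-DisallowedPathRule -Path $p -Description 'Block executables launched from the user profile' | Out-Null
}
Get-DisallowedPathRules
```

Pilot this on a test machine first: any legitimate application that installs or updates itself per-user from %LocalAppData% will be blocked as well and needs its own Unrestricted rule (a subkey under the 262144 level) before the policy goes out to everyone.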
The most important mitigation strategy is user education, as Social Engineering specifically targets user naivety.
This naivety is no longer a good enough excuse when a single user’s mistake can potentially destroy an entire organization’s intellectual property.
It is up to company owners, IT managers, IT staff and IT consultants to push information on threats such as CryptoLocker out to end users, to ensure that they are equipped with the knowledge to identify the threats they are being targeted with and to seek assistance on these matters when they are unsure; the alternative can be devastating for organizations.