
Whitepaper

CryptoLocker Ransomware:
Mitigating Risk with Prevention & Beyond!

2014 NovaStor. All Rights Reserved.

www.novabackup.com

Contents
Introduction ... 2
What is CryptoLocker? ... 2
What is CryptoWall? ... 2
How does it work? ... 3
What can you do to prevent an attack? ... 3
What if it is already too late? ... 5
How to protect yourself! ... 6
Any Questions left? ... 7
Sources ... 8
Contact Us ... 9
About NovaStor ... 9
Notice ... 10
Copyright ... 10


Introduction
Nowadays CryptoLocker and its next-generation successor CryptoWall are treated like cursed words such as
Voldemort, Bloody Mary, or Beetlejuice: just don't say them out loud, and definitely not three times in
a row! With new versions coming out faster than you can say the name, it is more important than ever
to be very careful with this type of malware. NovaStor's whitepaper on CryptoLocker (and every
subtype) explains how to protect yourself against a malware attack and what to do in case all
prevention has failed.

What is CryptoLocker?
Introduced in 2013, CryptoLocker is ransomware that encrypts certain file types on Windows
operating systems, including Windows XP, Vista, 7, and 8. The first versions targeted only a few file
types, but nowadays even backup images are no longer safe. Originally delivered through a harmless-looking
email, the newest versions also hide in iframe code or Flash applications on websites.
Once a machine is infected, CryptoLocker immediately starts to encrypt your files and demands a ransom in order
to decrypt them. What makes it so dangerous is that it does not stop at the limits of one hard
drive, but reaches out to every corner of the local network. The attack lasts anywhere from a few
seconds to a few minutes, but the results are catastrophic. Every mapped network or USB drive, every
workstation, laptop, and server in the network is encrypted using a public key, and the matching private key
is needed in order to access the data again. That private key is held on the criminals' servers and is provided
only if you pay the fee.

What is CryptoWall?
The latest strain of file-encrypting ransomware, called CryptoWall (and a variant called CryptoDefense),
picked up where CryptoLocker left off. On the heels of the botnet takedown, which stopped the spread of
CryptoLocker (after it had infected over 250,000 computers), the Center for Internet Security (CIS) reported an
increase in new CryptoWall infections, which again target systems running Windows operating systems. Much like
its predecessor, this malware takes over your system and restricts access to your files and folders until
you pay a ransom.

How does it work?

Sent through an important-looking email, the malware hides in attachments purporting to come from e.g. USPS or ADP
payroll, or under subjects like "Important Notice", "Scanned Image", "payment advice", or similar. If the
attached file is downloaded, it appears to be a regular .pdf document. Clicking on it, however, launches a hidden
.exe file, and the Crypto virus starts running in the background and accessing the registry.
For every file it encrypts, it leaves the public key of a 2048-bit RSA key pair in the file's folder. The
private key is held on a control server operated by the criminals. The Trojan then encrypts all
files across the local hard drive and every accessible mapped network drive. As soon as it has
successfully encrypted all documents, a pop-up window appears, demanding that you pay a certain amount,
e.g. in Bitcoin, in order to receive the second, private key.
To make it even more pressing, CryptoLocker and the more recent CryptoWall give you just hours
in which to request that key. If you ignore the demand and the time runs out, the private
key is deleted and all of your data remains encrypted for good. Recovering the private key of a 2048-bit RSA
pair by brute force would take several thousand years, so that is not a realistic
option.
Besides encrypting everything, these Crypto viruses also delete the Volume Shadow Copies when the
.exe file is launched. This way you cannot restore the latest version of your files even if you
had Windows System Restore enabled.

What can you do to prevent an attack?

There are several options to prevent your system from being attacked. We understand that not all
options are feasible for every environment, but the more ideas you get, the more likely you'll find one
that you can implement.
(1) Educate Users Continually. It is very important that everybody in your company knows
about the potential risks as they arise. Regular reminders, short presentations, or even
handouts can explain the ways CryptoLocker (and variants like CryptoWall) show up and what
type of emails should be avoided. This helps build awareness and can prevent an infection from
happening in the first place. Also encourage users to talk with the System Administrator before installing any kind
of software. The latest threat is a CryptoLocker variant, called CTB-Locker, which is disguised as a Windows 10 upgrade installer.
(2) Restrict Access Controls and User Privileges. Reduce the user rights on shared network
drives to read-only where possible. To avoid discussions with colleagues about how trustworthy
you think they are, it is better to restrict their rights in the first place and raise the level
later on, if needed.

(3) Stop AutoPlay. Disable AutoPlay to stop .exe files from starting automatically on every server,
workstation, laptop, or other Windows machine in your network.

(4) Keep Anti-Virus and Anti-Malware up to Date. Not all Anti-Virus and Anti-Malware solutions
detect the latest Crypto virus. Make sure your company is using one that is able to detect the
current versions and has a proven track record of shipping updates quickly.

(5) Review and Institute Prevention Policies. Deploying a software restriction policy can
prevent Crypto viruses from ever running. The challenge with a blacklist is that you
have to update it constantly: CryptoLocker started out using only %AppData%\*.exe and
%AppData%\*\*.exe, but now leverages several other file paths to infiltrate the
system. A whitelist instead blocks everything that your colleagues do not use on a
regular basis.

(6) Stop Spam. Spam filters and email protection are able to catch suspicious-looking emails, but
never rely on them too much. There are always new ways these Crypto viruses can gain access
to your system.

(7) Show Hidden Extensions. On the endpoints you can also change the settings to show all
hidden extensions. This way everybody can see the Trojan's .exe extension
immediately and is perhaps more likely to notice that something is wrong with the impostor pdf
or zip file.


(8) Use a Firewall. In order to start the encryption process, these Crypto viruses have to call
home and request the public key. If that request is blocked, e.g. by the firewall, they can't encrypt
anything. Unfortunately the traffic goes over the HTTP protocol, so it cannot be blocked wholesale. But there are good firewalls and outbound IPS options that can catch
and block the specific communication, because Crypto viruses are very noisy.

(9) Always Install Latest Patches. Keeping your software up to date is critical. This helps to
protect you from known vulnerabilities. You may want to consider setting up a system that
automatically deploys patches as they become available. Since it is a known fact that RIG
exploit kits target unpatched versions of Flash, Java and Silverlight, by all means keep these patched. If you are using an operating system that is no longer
supported (e.g. Windows XP, Windows Server 2003) you are leaving yourself vulnerable, as
patches are no longer offered for these operating systems. If this is the case, you may want
to consider upgrading.

(10) Update Security Software. Keep all security software up to date at all times.
A guide on SpiceWorks explains how to set up an early-warning system that notifies you as soon as
CryptoLocker drops one of its known files. The CryptoLocker Canary post by JustinCredible on
SpiceWorks lists the steps needed to implement it. Note: this does not prevent an attack, but it helps you
identify one and, hopefully, react quickly enough.
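The canary idea above can be reduced to a small check that runs on a schedule: plant files that nobody legitimately edits, record their hashes, and treat any change as an incident. The script below is an added example written for this whitepaper's readers; it is not NovaStor's code and not the SpiceWorks guide's own steps. It assumes the canary files live in a directory the monitor can read (a temporary directory is created here so the example runs offline), and all file names and contents are constructed.

```python
"""Canary-file early warning for file-encrypting ransomware.

Added example, not NovaStor's code and not the SpiceWorks canary guide's
own steps. Assumptions: the canary files live in a directory the monitor
can read (a temporary directory is built here so the example runs
offline), and any change to a canary is an incident. Names and contents
below are constructed.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Constructed canary names: one that sorts first and one that sorts last,
# so a crawler working alphabetically through a share hits a canary early.
CANARY_NAMES = ("00_do_not_open.docx", "zz_archive_do_not_open.xlsx")


def fingerprint(path: Path) -> str:
    """SHA-256 of the file content; nobody legitimately edits a canary."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def plant_canaries(root: Path) -> dict:
    """Create the canary files and return the baseline {name: sha256}."""
    root.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in CANARY_NAMES:
        target = root / name
        target.write_bytes(b"CANARY FILE - DO NOT MODIFY - " + name.encode())
        baseline[name] = fingerprint(target)
    return baseline


def check_canaries(root: Path, baseline: dict) -> list:
    """Compare the directory against the baseline; return sorted alert strings."""
    alerts = []
    for name, expected in baseline.items():
        target = root / name
        if not target.exists():
            # Some variants rename or remove the original after encrypting it.
            alerts.append(f"MISSING {name}")
        elif fingerprint(target) != expected:
            alerts.append(f"MODIFIED {name}")
    # Anything new next to the canaries is also worth a look (dropped files).
    for entry in root.iterdir():
        if entry.name not in baseline:
            alerts.append(f"UNEXPECTED {entry.name}")
    return sorted(alerts)


def should_isolate(alerts: list) -> bool:
    """The whitepaper's first response step is to cut the host off the network;
    a touched canary is the trigger, an unexpected extra file alone is not."""
    return any(a.startswith(("MODIFIED", "MISSING")) for a in alerts)


def simulate() -> dict:
    """Plant canaries, confirm a clean check, then overwrite one canary with
    random bytes (standing in for an encrypted file) and drop an extra file."""
    root = Path(tempfile.mkdtemp(prefix="canary_demo_"))
    try:
        baseline = plant_canaries(root)
        clean = check_canaries(root, baseline)
        (root / CANARY_NAMES[0]).write_bytes(os.urandom(64))
        (root / "note_placeholder.txt").write_text("constructed extra file")
        alerts = check_canaries(root, baseline)
        return {"clean": clean, "alerts": alerts, "isolate": should_isolate(alerts)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(simulate())
```

In production the baseline would be stored away from the share, the check would run every minute or so from a host that has read-only access, and `should_isolate` would be wired to whatever your environment uses to disable a switch port or a share, which is the reaction the whitepaper describes under "What if it is already too late?".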

What if it is already too late?

Besides restricting access to network drives, running an anti-virus solution, and building
awareness, the most important measure is to have a good 3-2-1 backup and restore process in place.
That has nothing to do with preventing an attack, but with being prepared in case the malware gains
access to your system. Having an extra copy of your data outside of your local network is the most
important step. It does not matter whether it is a tape in a safe, a replicated NAS (not connected via VPN),
or a backup in the cloud. You just need a regularly updated copy of your full backup stored
somewhere else.


In a worst-case scenario, you have to act quickly and isolate all affected workstations, laptops,
and/or servers from your network. Pulling the network cables and disconnecting the
computers from Wi-Fi should be the first step. Scanning the rest of the environment to be sure the infection hasn't spread
is just as important.
Now you have two options to get your files back: wiping all affected machines and restoring the
data from your last backup, or paying the ransom. To be very clear, we don't want to encourage you
to pay anything. Even though several victims reported that their data was fine a few hours after
submitting the payment, there could always be something that prevents the decryption from
completing. In the end, the developers and operators of the Trojan are criminals, and we don't recommend
supporting cyber criminals in any way!
If you have a backup in place, completely wipe the infected hard drive and restore
the system and the data. Check the system with a virus scanner before you connect it to your
network again.

How to protect yourself!

Setting up a proper backup plan is extremely important. The ideal situation is to be proactive here.
Plan ahead and keep regular backups of your data. This is the only way to get your data back without
supporting criminals in any way!
NovaBACKUP allows you to set up regularly scheduled backups and disaster recovery image backups, and
ensures a stable and fast restore in a worst-case scenario. Besides being a data protection solution,
NovaBACKUP comes with a few more advantages that protect your data against CryptoLocker and other
Crypto variants.


(1) NovaBACKUP allows you to back up to tape or Amazon AWS services in order to move your data
outside your local network. In addition you can implement replication storage, RDX
drives, or anything else you can think of to get a copy of the business-critical data offsite.


(2) Setting up a backup job and a copy job is very intuitive, as is aligning the jobs with your retention
policies. If you follow the Grandfather-Father-Son scheme, or another scheme you prefer, you will
have several tiers of backup data that you can restore from.
(3) Easy-to-set-up retention policies let you restore data from any older version that is not
infected. Depending on the interval of your incremental or differential backups you could even
restore the data from just one hour ago.
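Items (2) and (3) rely on a retention scheme that keeps several generations of backup sets, so that a clean version from before the infection still exists when the newest sets contain encrypted files. The code below is an added example of how Grandfather-Father-Son selection works; it is not NovaBACKUP's retention engine. It assumes one backup set per calendar day identified by its date, keeps the newest `daily` sets as sons, the last set of each ISO week as a father and the last set of each month as a grandfather, and the sixty demo dates and the detection date are constructed.

```python
"""Grandfather-Father-Son retention for a chain of backup sets.

Added example, not NovaBACKUP's retention engine. Assumes one backup set
per calendar day identified by its date: the newest `daily` sets are the
sons, the last set of each ISO week is a father, the last set of each
month is a grandfather. Sets outside all three tiers are eligible for
pruning. The demo dates are constructed.
"""
from datetime import date, timedelta


def select_gfs(dates, daily=7, weekly=4, monthly=12):
    """Return (keep, prune): sorted lists of dates to retain and to expire."""
    ordered = sorted(set(dates))
    keep = set(ordered[-daily:])                      # sons: newest N sets
    last_in_week = {}
    last_in_month = {}
    for d in ordered:                                 # ascending, so later dates overwrite
        iso = d.isocalendar()
        last_in_week[(iso[0], iso[1])] = d
        last_in_month[(d.year, d.month)] = d
    keep.update(sorted(last_in_week.values())[-weekly:])     # fathers
    keep.update(sorted(last_in_month.values())[-monthly:])   # grandfathers
    return sorted(keep), [d for d in ordered if d not in keep]


def restore_candidates(keep, detected_on):
    """Retained sets taken strictly before the day the infection was noticed,
    newest first. Same-day sets are excluded: they may have run mid-encryption
    and would carry encrypted copies of the files."""
    return sorted((d for d in keep if d < detected_on), reverse=True)


# Constructed chain: one set per day, 60 days ending 2015-03-31.
DEMO_DATES = [date(2015, 3, 31) - timedelta(days=i) for i in range(60)]
# Constructed detection date for the restore walk-back.
DEMO_DETECTED = date(2015, 3, 30)


if __name__ == "__main__":
    keep, prune = select_gfs(DEMO_DATES)
    print(f"keep {len(keep)} sets, prune {len(prune)} sets")
    for d in restore_candidates(keep, DEMO_DETECTED):
        print("restore candidate:", d)
```

With the constructed chain the scheme retains eleven sets (seven sons, the Sunday sets of the three previous weeks, and the month-end sets of January and February) and marks the remaining forty-nine for pruning; the walk-back from the detection date then offers nine clean restore points, the newest being the day before detection. The point for ransomware recovery is the monthly tier: even if the infection went unnoticed for weeks and every son and father already contains encrypted files, a grandfather set from before the attack is still on hand.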

Any Questions left?

If you want to learn more about how NovaBACKUP is able to protect your data from Crypto viruses, or
would like to test the data protection solution in your environment, feel free to contact our NovaBACKUP
team directly at:
Tel.: +1 (805) 435-0061 (M-F 9AM-5PM PDT)
Email: onlinesales@novastor.com


Sources
(1) http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
(2) https://www.reddit.com/r/sysadmin/comments/21kzyn/cryptolocker_and_network_drives/
(3) https://www.reddit.com/r/sysadmin/comments/3bgogl/cryptolocker_that_doesnt_encrypt_files/
(4) https://www.youtube.com/watch?v=Gz2kmmsMpMI
(5) http://community.spiceworks.com/how_to/57422-deploying-a-whitelist-software-restriction-policy-to-prevent-cryptolocker-and-more
(6) https://community.spiceworks.com/how_to/100368-cryptolocker-canary-detect-it-early
(7) http://www.pandasecurity.com/mediacenter/malware/cryptolocker/
(8) http://arstechnica.com/security/2015/03/cryptolocker-look-alike-searches-for-and-encrypts-pc-game-files/
(9) https://www.symantec.com/security_response/writeup.jsp?docid=2014-050702-0428-99&tabid=2
(10) https://blogs.sophos.com/2015/03/03/anatomy-of-a-ransomware-attack-cryptolocker-cryptowall-and-how-to-stay-safe-infographic/


Contact Us
NovaStor Software AG
Poststr. 18
CH-6301 Zug, Switzerland
Tel +41 (41) 712 31 55
Fax +41 (41) 712 21 56
NovaStor Corporation
29209 Canwood St.
Agoura Hills, CA 91301 USA
Tel +1 (805) 579 6700
Fax +1 (805) 579 6710
NovaStor GmbH
Neumann-Reichardt-Str. 27-33
D-22041 Hamburg, Germany
Tel +49 (40) 638 09 0
Fax +49 (40) 638 09 29

About NovaStor
NovaStor is Backup for the Rest of Us, providing powerful, affordable, all-inclusive licensing that supports
Physical, Virtual and Cloud environments. NovaStor provides data integrity solutions for both Small and Medium
Business (SMB) as well as Enterprise markets that support best practices and protect data residing on Both Sides
of the Cloud: Local, Remote offices and Data Centers are all capable of being managed from a Centralized
Management Console. NovaStor's #1 rated SMB solution NovaBACKUP is for businesses that understand they
require critical data protection for their servers, VMware, Hyper-V or NAS environments but may be unsure of
exactly what is required, or lack the resources to research and implement such a solution. NovaStor Setup
Assistance is an industry first where NovaStor provides backup experts to take on this complexity for the
customer and recommend, install and support the solution that best suits their environment, all for no
additional charge. NovaStor's Enterprise solution NovaStor DataCenter brings F500 references, scalability,
reliability and speed to the mid-market at an extremely disruptive price point. A single product manages both
physical and virtual servers, helping organizations meet RPOs and RTOs, save time, eliminate risk and
dramatically reduce capital and operational costs. NovaStor is management-owned and has been profitable from
the beginning. NovaStor currently has over 5,000 partners and hundreds of thousands of distributed products
worldwide. NovaStor's global headquarters is located in Zug, Switzerland; the company has offices in Germany (Hamburg) and
the USA (Agoura Hills), and is represented in numerous other countries through partnerships.

Notice
Information in this document is subject to change without notice. NovaStor makes no representations or
warranties with respect to the contents of this document and specifically disclaims any implied warranties of
merchantability or fitness for any particular purpose. Further, NovaStor reserves the right to revise this
publication and to make changes without obligation to notify any person or organization of such revisions or
changes. NovaStor is not responsible for any linked content.

Copyright
Under copyright laws, the contents of this document may not be copied, photocopied, reproduced, translated
or reduced to any electronic medium or machine-readable form, in whole or in part, without prior written
consent of NovaStor.
Trademarks: NovaBACKUP is a registered trademark of NovaStor. Windows is a registered trademark of
Microsoft Corporation.
