CryptoLocker Ransomware:
Mitigating Risk with Prevention & Beyond!
www.novabackup.com
Contents
Introduction
What is CryptoLocker?
What is CryptoWall?
How does it work?
What can you do to prevent an attack?
What if it is already too late?
How to protect yourself!
Any Questions left?
Sources
Contact Us
About NovaStor
Notice
Copyright
Introduction
Nowadays CryptoLocker and its next generation, CryptoWall, are treated like cursed words such as
Voldemort, Bloody Mary, or Beetlejuice: just don't say them out loud, and definitely not three times in
a row! With new versions coming out faster than you can say the name, it is more important than ever
to be very careful with this type of malware. NovaStor's whitepaper about CryptoLocker (and every
subtype) explains how to protect yourself against a malware attack and what to do in case all
prevention was useless.
What is CryptoLocker?
Introduced in 2013, CryptoLocker is ransomware that encrypts certain file types on Windows
operating systems including Windows XP, Vista, 7, and 8. The first versions changed only a few file
types, but nowadays even backup images are not safe anymore. Originally delivered through a harmless-looking
email, the newest versions even hide themselves in iframe code or Flash applications on websites.
Once a machine is infected, CryptoLocker immediately starts to encrypt all your files and demands a ransom in order
to decrypt them. What makes it so dangerous is the fact that it doesn't stop within the limits of a hard
drive, but reaches out to every corner of the local network. The attack lasts anywhere from a few
seconds to a few minutes, but the results are catastrophic. Every mapped network or USB drive, every
workstation, laptop, and server in the network is encrypted using a public key, but needs a private key
in order to be accessed again. That private key is located on the criminals' servers and will be provided
only if you pay the fee.
What is CryptoWall?
The latest strain of file-encrypting ransomware, called CryptoWall (and a variant called CryptoDefense),
picked up where CryptoLocker left off. On the heels of the botnet takedown, which stopped the spread of
CryptoLocker (after it had infected over 250,000 computers), the Center for Internet Security (CIS) has
reported an increase in new CryptoWall infections, which are also targeted at systems running Windows
operating systems. Much like its predecessor, this malware takes over your system, restricting access
to your files and folders until you pay a ransom.
What can you do to prevent an attack?
(1) Educate Users Continually. It is very important that everybody in your company knows
about the potential risks as they arise. Regular reminders, short presentations, or even
(2) Restrict Access Controls and User Privileges. Reduce the user rights on public network
drives to read only where possible. Rather than debating with colleagues how trustworthy you
think they are, restrict their rights in the first place and raise the level later on, if needed.
(3) Stop AutoPlay. Disable AutoPlay to stop .exe files from starting automatically on every server,
workstation, laptop, or other Windows machine in your network.
(4) Keep Anti-Virus and Anti-Malware up to Date. Not all Anti-Virus and Anti-Malware solutions
detect the latest Crypto virus. Make sure your company is using one that is able to detect the
current versions and has a proven track record of shipping updates quickly.
(5) Review and Institute Prevention Policies. Deploying a software restriction policy can
prevent Crypto viruses from ever running. The challenge with deploying a blacklist is that you
have to update your list constantly. CryptoLocker started out using only %AppData%\*.exe and
%AppData%\*\*.exe, but now leverages several other file paths to infiltrate the
system. A whitelist, by contrast, blocks everything that your colleagues do not use on a
regular basis.
(6) Stop Spam. Spam filters and email protection can catch suspicious-looking emails, but
never rely on them too much. There are always new ways these Crypto viruses can gain access
to your system.
(7) Show Hidden Extensions. On the endpoints you can also change the settings to show all
hidden extensions. This way everybody can see the .exe extension of the Trojan
immediately and is perhaps more likely to notice that something is wrong with the impostor PDF
or zip file.
(8) Use a Firewall. In order to start the encryption process, these Crypto viruses have to call
home and request the public key. If that request is blocked, e.g. by the firewall, the malware can't encrypt
anything. Unfortunately the generated traffic goes over the HTTP protocol, so it cannot be blocked
wholesale. But there are good firewalls and outbound IPS options that can actually catch
and block the specific communication, because Crypto viruses are very noisy.
(9) Always Install Latest Patches. Keeping your software up to date is critical. This helps to
protect you from known vulnerabilities. You may want to consider creating a system to
automatically deploy patches as they become available. Since it is a known fact that RIG
exploit kits target unpatched versions of Flash, Java and Silverlight, by all means keep these
patched. If you are using an operating system that is no longer
supported (e.g. Windows XP, Windows Server 2003) you are leaving yourself vulnerable, as
patches are no longer offered for these operating systems. If this is the case, you may want
to consider upgrading.
(10) Update Security Software. Keep all security software up to date at all times.
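As an added example (not part of the NovaStor paper), the following PowerShell script audits a Windows endpoint for the settings recommended in items (3), (5) and (7), reading the standard Explorer and Software Restriction Policy (SRP) registry locations. It is read-only; the check names and the pass conditions are the assumptions, and it should be run with administrator rights so the HKLM keys are readable.

```powershell
# Added example, not from the NovaStor paper: read-only audit of a Windows endpoint
# for the settings recommended in items (3), (5) and (7). Registry locations are the
# standard Explorer and SRP policy keys; run from an elevated Windows PowerShell.
function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: treated as "not configured"
}

$checks = @(
    @{ Name  = '(3) AutoRun disabled for all drive types'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'
       Test  = { param($v) $v -eq 0xFF } }
    @{ Name  = '(5) SRP default level is Disallowed (whitelist mode)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
       Value = 'DefaultLevel'
       Test  = { param($v) $v -eq 0 } }
    @{ Name  = '(7) File extensions shown for the current user'
       Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Value = 'HideFileExt'
       Test  = { param($v) $v -eq 0 } }
)

foreach ($c in $checks) {
    $v      = Get-RegValue -Path $c.Path -Name $c.Value
    $ok     = ($null -ne $v) -and (& $c.Test $v)
    $shown  = if ($null -eq $v) { '<not set>' } else { $v }
    $status = if ($ok) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Check = $c.Name; Actual = $shown; Status = $status }
}

# Explicit SRP path rules, so you can see whether the %AppData% patterns from item (5)
# are covered. Subkey 0 holds Disallowed rules, 262144 holds Unrestricted (whitelisted) ones.
foreach ($level in @(@{ Id = 0; Label = 'Disallowed' }, @{ Id = 262144; Label = 'Unrestricted' })) {
    $base = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\$($level.Id)\Paths"
    if (Test-Path $base) {
        Get-ChildItem $base | ForEach-Object {
            '{0,-12} {1}' -f $level.Label, (Get-ItemProperty $_.PSPath).ItemData
        }
    }
}
```

A FAIL on the SRP check with no Disallowed rules listed means executables under %AppData% are not restricted at all, which is the gap item (5) describes.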
A guide on SpiceWorks explains how to set up an early-warning system that notifies you as soon as
CryptoLocker installs one of its well-known files. The CryptoLocker Canary from JustinCredible on
SpiceWorks lists the steps needed to implement it. Note: this doesn't prevent an attack, but helps you
identify it and, hopefully, react quickly enough.
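The canary idea above, as an added example that is not the SpiceWorks guide's own script nor part of the NovaStor paper: a canary document that sorts first in each share is hashed once as a baseline, and a scheduled task re-checks it; any change or disappearance is logged as a possible encryption in progress. The share paths, canary file name, baseline location and event source are assumptions.

```powershell
# Added example (not from the SpiceWorks guide or the NovaStor paper): canary file check
# meant to run every minute from a scheduled task under Windows PowerShell 5.1.
# One-time setup (admin): New-EventLog -LogName Application -Source CanaryCheck
param(
    # Assumed paths: a document named to sort first in each share so it is encrypted early
    [string[]]$Canaries = @('\\FILESRV\share1\!canary.docx', '\\FILESRV\share2\!canary.docx'),
    [string]$BaselineFile = "$env:ProgramData\canary-baseline.json"
)

function Get-CanaryState([string]$Path) {
    # Hash plus size; a ransomware rewrite changes both, a rename makes the file vanish
    if (-not (Test-Path -LiteralPath $Path)) { return @{ Path = $Path; Missing = $true } }
    $item = Get-Item -LiteralPath $Path
    @{ Path = $Path; Missing = $false; Length = $item.Length
       Hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash }
}

if (-not (Test-Path $BaselineFile)) {
    # First run: record the known-good state and exit
    $Canaries | ForEach-Object { Get-CanaryState $_ } | ConvertTo-Json | Set-Content $BaselineFile
    return
}
$baseline = @{}
foreach ($b in (Get-Content $BaselineFile -Raw | ConvertFrom-Json)) { $baseline[$b.Path] = $b }

$alerts = foreach ($p in $Canaries) {
    $now = Get-CanaryState $p
    $was = $baseline[$p]
    if ($now.Missing -or $now.Hash -ne $was.Hash) {
        # Canary rewritten or removed: treat as a possible encryption in progress
        "$p changed: missing=$($now.Missing), was $($was.Hash), now $($now.Hash)"
    }
}
if ($alerts) {
    Write-EventLog -LogName Application -Source 'CanaryCheck' -EventId 9001 `
        -EntryType Error -Message ($alerts -join "`n")
    # Response hook, to be adapted locally: e.g. stop sharing until an admin has checked
    # Get-SmbShare | Where-Object Path -like 'D:\Shares\*' | Remove-SmbShare -Force
}
```

The event ID is an arbitrary choice; point your monitoring at it so the alert reaches someone who can pull the cable, as the next section describes.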
What if it is already too late?
In a worst-case scenario, you have to act quickly and isolate all of the affected workstations, laptops,
and/or servers from your network. Ripping cables out of their sockets and disconnecting the
computer from Wi-Fi should be the first step. Scanning the rest of the network to be sure the infection hasn't spread
is just as important.
Now you have two options to get your files back: wiping all affected machines and restoring the
data from your last backup, or paying the ransom. To be very clear, we don't want to encourage you
to pay anything. Even though several victims reported that their data was fine a few hours after
submitting the payment, there could always be something that prevents the decryption from
running. In the end, the developers and users of the Trojan are criminals and we don't recommend
supporting cyber criminals in any way!
If you have a backup in place, completely wipe the infected hard drive and restore
the system and the data. Check the system with a virus scanner before you include it in your
network again.
How to protect yourself!
(1) NovaBACKUP allows you to back up to tape or Amazon AWS services in order to move your data
outside your local network. In addition you could also implement replication storage, RDX
drives, or anything else you can think of to get a copy of the business-critical data offsite.
(2) Setting up a backup and a copy job is very intuitive, as is aligning the jobs to your retention
policies. If you follow the Grandfather-Father-Son scheme, or another that you prefer, you will
have several levels of backup data that you can restore from.
(3) Easy-to-set-up retention policies let you restore data from any older version that is not
infected. Depending on the interval of your incremental or differential backup, you could even
restore the data from just one hour ago.
Any Questions left?
+1 (805) 435-0061
M-F 9AM-5PM PDT
onlinesales@novastor.com
Sources
(1) http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
(2) https://www.reddit.com/r/sysadmin/comments/21kzyn/cryptolocker_and_network_drives/
(3) https://www.reddit.com/r/sysadmin/comments/3bgogl/cryptolocker_that_doesnt_encrypt_files/
(4) https://www.youtube.com/watch?v=Gz2kmmsMpMI
(5) http://community.spiceworks.com/how_to/57422-deploying-a-whitelist-software-restriction-policy-toprevent-cryptolocker-and-more
(6) https://community.spiceworks.com/how_to/100368-cryptolocker-canary-detect-it-early
(7) http://www.pandasecurity.com/mediacenter/malware/cryptolocker/
(8) http://arstechnica.com/security/2015/03/cryptolocker-look-alike-searches-for-and-encrypts-pc-gamefiles/
(9) https://www.symantec.com/security_response/writeup.jsp?docid=2014-050702-0428-99&tabid=2
(10) https://blogs.sophos.com/2015/03/03/anatomy-of-a-ransomware-attack-cryptolocker-cryptowall-andhow-to-stay-safe-infographic/
Contact Us
NovaStor Software AG
Poststr. 18
CH-6301 Zug, Switzerland
Tel +41 (41) 712 31 55
Fax +41 (41) 712 21 56
NovaStor Corporation
29209 Canwood St.
Agoura Hills, CA 91301 USA
Tel +1 (805) 579 6700
Fax +1 (805) 579 6710
NovaStor GmbH
Neumann-Reichardt-Str. 27-33
D-22041 Hamburg, Germany
Tel +49 (40) 638 09 0
Fax +49 (40) 638 09 29
About NovaStor
NovaStor is Backup for the Rest of Us - providing powerful, affordable, all-inclusive licensing that supports
Physical, Virtual and Cloud environments. NovaStor provides data integrity solutions for both Small and Medium
Business (SMB) as well as Enterprise markets that support best practices and protect data residing on Both Sides
of the Cloud - Local, Remote offices and Data Centers are all capable of being managed from a Centralized
Management Console. NovaStor's #1 rated SMB solution NovaBACKUP is for businesses that understand they
require critical data protection for their servers, VMware, Hyper-V or NAS environments but may be unsure of
exactly what is required, or lack the resources to research and implement such a solution. NovaStor Setup
Assistance is an industry first where NovaStor provides backup experts to take on this complexity for the
customer and recommend, install and support the solution that best suits their environment, all for no
additional charge. NovaStor's Enterprise solution NovaStor DataCenter brings F500 references, scalability,
reliability and speed to the mid-market at an extremely disruptive price point. A single product manages both
physical and virtual servers, helping organizations meet RPOs and RTOs, save time, eliminate risk and
dramatically reduce capital and operational costs. NovaStor is management-owned and has been profitable from
the beginning. NovaStor currently has over 5,000 partners and hundreds of thousands of distributed products
worldwide. NovaStor's global headquarters is located in Zug, Switzerland; it has offices in Germany (Hamburg) and
the USA (Agoura Hills), and is represented in numerous other countries through partnerships.
Notice
Information in this document is subject to change without notice. NovaStor makes no representations or
warranties with respect to the contents of this document and specifically disclaims any implied warranties of
merchantability or fitness for any particular purpose. Further, NovaStor reserves the right to revise this
publication and to make changes without obligation to notify any person or organization of such revisions or
changes. NovaStor is not responsible for any linked content.
Copyright
Under copyright laws, the contents of this document may not be copied, photocopied, reproduced, translated
or reduced to any electronic medium or machine-readable form, in whole or in part, without prior written
consent of NovaStor.
Trademarks
NovaBACKUP is a registered trademark of NovaStor. Windows is a registered trademark of
Microsoft Corporation.