8 Ways To Protect Your Data From CryptoLocker and PowerLocker
Last year CryptoLocker created havoc compromising computers around the world. By holding user data ransom, hackers were able to earn hundreds of thousands of dollars from users who paid ransom fees to recover their data. It was even reported a Massachusetts’ Police Department paid the ransom to decrypt important files encrypted by CryptoLocker.
A number of our clients have asked us about the latest pieces of ransomware, including a rumoured new variant called PowerLocker or PrisonLocker. This article tells you a bit about CryptoLocker and PowerLocker, and gives you some guidance on how to defend against them.
What Is CryptoLocker?
Whilst ransomware is not new, the recent CryptoLocker was one of the more well implemented variants. The cryptography used by CryptoLocker is strong and has been programmed well. Once the files on your hard disk have been encrypted, there is no way to get them back without obtaining the private key, and at present the only way to obtain the key is to pay the ransom. The designers of CryptoLocker realised that people would not pay the ransom if the file recovery mechanism was unreliable, so they made sure that the recovery mechanism was also well written and reliable.
What Is PowerLocker?
According to Kaspersky (one of Tesserent’s global partners), a new extortionist blocker program, under the name PrisonLocker (now PowerLocker), was reported late in 2013. Whilst still under development, PowerLocker takes the concept of CryptoLocker a step further by creating a CryptoLocker “franchise”, with the creator claiming he will sell the software to would-be hackers for roughly $100 per license, which can be paid using the Bitcoin crypto-currency.
What Does CryptoLocker do?
The initial infection usually comes via an email trojan, although once inside a company network the malware can also spread via the network. The email contains an executable program, sometimes in a ZIP file, disguised as a PDF (often spoofed to look like a courier notification). If executed, the trojan connects to an outside server and downloads the CryptoLocker ransomware. CryptoLocker will then encrypt all documents on your hard disk, any external disks and any mapped network shares. That is, it will search all volumes with a drive letter. Current versions of CryptoLocker will not search UNC network shares (shares with no drive letter, such as \\host\some\pathname).
The cryptographic key pair is generated off-site and the public key is provided to the ransomware in order to encrypt all of your documents. Note that the private key does not leave the off-site server, thereby making it impossible to obtain it on the infected PC, either before, during or after the encryption takes place.
Note that CryptoLocker is smart enough to destroy System Restore snapshots, so you cannot rely on a Windows System Restore to recover from an infection.
8 Ways To Protect Your Data From CryptoLocker and PowerLocker
1. Backup, backup, backup!
This is the only guaranteed way to protect yourself against ransomware. Remember that CryptoLocker will search for documents on any attached drives, so simply backing up to an external hard drive and then keeping it connected will result in the backed up files being encrypted as well. Cloud based backup systems are fine, provided they do not use a network share to transfer files.
2. Gateway Anti-Malware Filtering
Tesserent’s Managed Firewall gateway device will (as should any good Next Generation Firewall) filter out all currently-known variants of CryptoLocker. Additionally, it has blocking heuristics to detect attached executables (even if they are masquerading as PDF documents).
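As an added illustration of the kind of attachment heuristic described above (this is example code written for this article, not Tesserent's gateway or any vendor's product), the following Python script inspects a ZIP attachment and flags entries that are executables masquerading as documents. It checks three things: an executable file extension, a double extension such as .pdf.exe, and a Windows PE (MZ) header regardless of the file name. The sample ZIP and its file names are constructed inline for demonstration.

```python
import io
import zipfile

# Extensions Windows will run directly when a user double-clicks them.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a lure commonly imitates, e.g. "invoice.pdf.exe".
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def analyse_entry(name, head):
    """Return the reasons (possibly none) a ZIP entry looks like a disguised executable.

    name: the entry's file name inside the archive
    head: the first bytes of the entry's content
    """
    reasons = []
    basename = name.lower().rsplit("/", 1)[-1]
    parts = basename.split(".")
    exts = ["." + p for p in parts[1:]]  # all extensions, in order
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension " + exts[-1])
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append("double extension mimicking " + exts[-2])
    # Content check catches an executable even when renamed to .pdf.
    if head.startswith(PE_MAGIC):
        reasons.append("PE header (MZ) in content")
    return reasons


def suspicious_entries(zip_bytes):
    """Map each suspicious entry name in the archive to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reasons = analyse_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def should_block(zip_bytes):
    """Gateway decision: block the attachment if any entry is suspicious."""
    return bool(suspicious_entries(zip_bytes))


def build_sample_zip():
    """Constructed sample attachment: one disguised executable, one benign text
    file, and one PE executable renamed to .pdf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Courier_Notice.pdf.exe", b"MZ" + b"\x90" * 64)
        zf.writestr("readme.txt", b"Your parcel is waiting.")
        zf.writestr("tracking.pdf", b"MZ\x00\x00")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for entry, why in suspicious_entries(sample).items():
        print(entry, "->", "; ".join(why))
    print("block attachment:", should_block(sample))
```

The content check matters more than the name check: a user can be fooled by a double extension, but the MZ header is present whatever the file is called, so a filter that looks only at extensions will miss a renamed executable that a user later renames back.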
3. Desktop Anti-Malware Filtering
Despite the protection afforded by the Tesserent gateway, desktop protection is still essential because an infection can reach a PC via other means (such as network shares, USB sticks, laptops taken out of the office environment, and so on). Tesserent has long recommended the use of good quality anti-malware on endpoint computers, and this recommendation is probably more important now than it has ever been.
4. User Education
By now your users should know to not click on links in unsolicited email, or run anything without knowing exactly what it is and what it does. But of course it doesn’t hurt to reinforce this.
5. Separate Sys Admin Accounts
System Administrators within your organisation should not give their normal user accounts extended privileges. Instead they should use a separate Administrator account whenever they need to perform tasks requiring administrator privilege. This means that if CryptoLocker (or any other malware) does manage to get in via the normal user email account, its reach is likely to be limited.
6. Execution Restrictions
If it is possible to limit the areas in which executables are allowed to be run (such as via Group Policy), this will limit the damage caused by malware that attempts to run outside of the strictly controlled areas of the file system.
Finally, a couple of third-party applications that you might find useful. Note that the two applications listed below should not be considered an exhaustive list, nor should this be construed as a product endorsement. You should examine the offerings these companies provide and decide for yourself whether you think the products will provide value to your organisation.
Running your email client inside a sandbox can allow you to recover gracefully from a CryptoLocker infection should you be unfortunate enough to fall victim to it.
8. Crypto Prevent
Crypto Prevent is a small utility that implants Group Policy objects to impose execution restrictions for certain executables and locations. It helps protect against many different styles of malware, of which CryptoLocker is one.
The threat from new malware, be it CryptoLocker, PowerLocker, or other new malware, continues to rise. Tesserent’s OEM partnerships with a variety of global security partners ensure early access to malware prevention at your network gateway, but vigilance and good practices are still required.
If you have any further questions regarding CryptoLocker or PowerLocker, please contact us and we will be happy to assist.