In recent times cyberattacks and cybercriminals have evolved, and so have the types of attack. It is no longer only about conventional signature-based malware. Evolution is the key to survival: because of antivirus research, analysis, countermeasures and public awareness, attackers also need to find new ways into a victim's system, and that is how a new type of extortion came about: CryptoLocker.
This threat is pervasive and preys on a victim's biggest fear: losing their valuable data. In September 2013 the CryptoLocker threat began to be seen in the wild. Unlike previous ransomware that locked the operating system and left data files alone (and usually recoverable), CryptoLocker makes extortion of victims more effective because there is no way to retrieve the encrypted files without the attacker's private key.
How it gets onto a user's machine: it comes in the door through social engineering. Usually the payload hides in an attachment to a phishing message, one purporting to be from a business copier vendor like Xerox delivering a PDF of a scanned image, from a major delivery service like UPS or FedEx offering tracking information, or from a bank confirming a wire or money transfer.
Once infected, a user has four options:
- Pay the ransom
- Restore from backup
- Lose the files
- Brute force the key
Brute-forcing the key would require factoring a 617-digit number, which would take about 6.4 quadrillion years on a standard desktop computer. To keep CryptoLocker malware out of our environment, we should take the following actions:
- First and foremost, make backups. This remarkable habit is a lifesaver regardless of the ransomware variant you may be confronted with.
- Make sure the antivirus software has the DAT (definitions) for the CryptoLocker Trojan. In the case of Symantec it is detected under the threat names Trojan.Ransomcrypt.F and Trojan.Gpcoder.H, for which we already have the DAT deployed in our environment.
- At the perimeter, have an email filter in place with signatures that defend against CryptoLocker; it stops most of the phishing and spam email that is the actual source of infection in most cases.
- Refrain from opening suspicious email attachments even if they are received from people you know. Steer clear of shady web pages.
- Block EXE file attachments in Office 365 as per the process below.
- Don't grant users local admin privileges unless required for a critical purpose; this limits which executables can run on end users' machines.
- Create a Software Restriction Policy via Group Policy that disallows %LocalAppData%\*.exe, with a description like "Block executables from AppData".
- Turning off the Windows option that hides file extensions for known file types will also help users recognise this type of attack (a file named invoice.pdf.exe would otherwise be displayed as invoice.pdf).
- Route our outbound and inbound internet access through a proxy, which blocks most websites that are malicious in nature.
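As an added example (not the author's or TCS's code), a small Python filter that applies the email-filter and blocked-EXE attachment recommendations above: it flags executable attachments, double-extension names such as Scan.pdf.exe, PE files renamed to look like documents, and executables packed inside a ZIP. It runs over a constructed sample message; all names and addresses in it are made up.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Extensions Windows runs on double-click; the default "hide extensions for
# known file types" setting shows "Scan.pdf.exe" as "Scan.pdf".
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def is_executable_name(filename):
    """True when the final extension is one Windows will execute."""
    return filename.lower().endswith(EXEC_EXTENSIONS)


def flag_attachments(raw_message):
    """Return (attachment name, reason) pairs a mail filter should block."""
    msg = email.message_from_bytes(raw_message, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if is_executable_name(name):
            reason = "double extension" if name.count(".") > 1 else "executable attachment"
            findings.append((name, reason))
        elif data.startswith(b"MZ"):  # PE header behind a harmless-looking name
            findings.append((name, "PE executable with non-executable name"))
        elif data.startswith(b"PK"):  # ZIP container: inspect the members too
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if is_executable_name(member):
                        findings.append((f"{name}:{member}", "executable inside ZIP"))
    return findings


def build_sample():
    """Constructed lure resembling the copier/courier phishing mails described above."""
    msg = EmailMessage()
    msg["From"] = "scanner@example.invalid"  # constructed sender
    msg["Subject"] = "Scanned document from copier"
    msg.set_content("Please see the attached scan and tracking details.")
    pe_stub = b"MZ" + b"\x00" * 14  # constructed stand-in for a PE file
    msg.add_attachment(pe_stub, maintype="application", subtype="octet-stream", filename="Scan_0917.pdf.exe")
    msg.add_attachment(pe_stub, maintype="application", subtype="pdf", filename="Invoice.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tracking_info.exe", pe_stub)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="UPS_tracking.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="real_scan.pdf")
    return msg.as_bytes()
```

Running `flag_attachments(build_sample())` returns three findings; the genuine PDF is left alone.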
Last but not least, prevention is better than cure, and employee education is the most important factor in fighting any kind of new, evolving attack such as CryptoLocker, Locky or other ransomware. Employees should be trained on social engineering attacks and how to prevent them.
Authored by Vivek Kumar
TCS Enterprise Security and Risk Management