This week we had a brush with one of the nastiest malware infections to date, CryptoLocker. There has been very little buzz in the media about it, but a fair amount of discussion in forums among people who have been subjected to its horrors.
It’s long been a common tactic for malware to hijack your data in some fashion and then demand payment to get it back. Oftentimes the malware could be removed and a simple tool could pop the locks and you’d be back in business, because whatever was needed to undo the damage was still sitting on the infected machine. CryptoLocker is different: the key pair for each victim is generated on the attackers’ server and only the public half is ever sent to the infected PC, so the private key needed to decrypt the files never exists on any machine you control. This is where CryptoLocker gets scary.
After the initial infection (the attack vector is still being speculated about, but the generally accepted answer is links to compromised sites through social media, email and general web surfing), the malware starts to crawl any attached storage and encrypt the files it finds. This includes local hard drives, USB-attached devices and network shares, and there have even been reports of files on USB-attached cameras being affected. The malware does not need to spread to those devices to do this; anything the logged-in user can write to, the malware running as that user can encrypt.

When the initial encryption finishes, a pop-up appears on the affected computer stating that the user can pay between $100 and $300 in Bitcoin, Ukash or another anonymous online payment service, after which the software will begin the decryption process at 5GB/hour. The most unnerving part is the 72-hour countdown. When the counter runs out, you are unable to decrypt the files by paying them. Bam. Data lost.

Now, the malware itself is easy to remove; Malwarebytes detects and can remove it, but if it is removed prematurely you get the same result as the time expiring: lost data. Removing the malware does not undo the encryption; the files stay locked either way.

What we have had to do to recover a client from this mess is restore back to a full backup from our extensive backup routines. Even so, our client has now lost two days of work, as the encryption ran silently and the corrupted files were backed up in the subsequent jobs. Without our backups in place, the result of all this would have been dire.
I’ll spare you the long technical explanation of how the infection works (think %APPDATA% directories and open permissions), but I will strongly reinforce the importance of being very careful about where the links you click on come from.
If you see anything that looks like it starts with a legitimate link but has a different address at the end of the URL, exercise extreme caution in clicking on it. Example: http://google.fakesite.com. What matters is the name immediately before the .com (or .co.uk, .net and so on), because that is the part someone actually had to register; here the site is fakesite.com, and “google” is just a subdomain that fakesite.com’s owner created.
If you receive an email that has a link in it, put your mouse pointer over the link and look carefully at the tool-tip that pops up. Does the address in the tool-tip match the link text? The same goes for links on websites: mouse over the link, look in the bottom left corner of your browser and compare the address shown there with the one you think you’re clicking on.
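As an added example (not from the original post), here is a small Python script that automates the two checks above: whether a familiar brand name shows up in a hostname that really belongs to someone else, and whether a link’s visible text matches the site it actually points to. It also catches the related trick of putting a legitimate-looking name before an “@”, which browsers treat as a username rather than the site. The brand list, the short suffix list and the sample links are constructed for the example; a real tool would load the full Public Suffix List instead of the hard-coded stand-in.

```python
from urllib.parse import urlparse

# Constructed for this example: brands a user would recognise, mapped to the
# registrable domains they really own.
LEGIT_DOMAINS = {
    "google": {"google.com", "google.co.uk"},
    "paypal": {"paypal.com"},
}

# Stand-in for the Public Suffix List (assumption: a real tool would load the
# full list; these few suffixes are enough for the sample links below).
PUBLIC_SUFFIXES = ("co.uk", "com", "net", "org", "info")


def parse(url):
    """urlparse() that also accepts a bare hostname as typed in an email."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url)


def registrable_domain(host):
    """The part of a hostname its owner actually registered: 'fakesite.com'
    for 'google.fakesite.com'.  The longest matching public suffix wins, so
    'google.co.uk' is returned whole rather than cut down to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    for suffix in sorted(PUBLIC_SUFFIXES, key=lambda s: -s.count(".")):
        parts = suffix.split(".")
        if len(labels) > len(parts) and labels[-len(parts):] == parts:
            return ".".join(labels[-len(parts) - 1:])
    return ".".join(labels)


def check_url(url):
    """Warnings for a single address: a known brand used as a subdomain of a
    site that brand does not own, or a user@host trick that pushes the real
    host to the end of the URL."""
    warnings = []
    parsed = parse(url)
    host = parsed.hostname or ""          # .hostname drops any user@ prefix
    owner = registrable_domain(host)
    for brand, owned in LEGIT_DOMAINS.items():
        if brand in host and owner not in owned:
            warnings.append(f"'{brand}' appears in the address, but the site is really '{owner}'")
    if "@" in parsed.netloc:
        warnings.append(f"text before '@' is a username, not a site; the real host is '{host}'")
    return warnings


def check_link(visible_text, href):
    """The mouse-over check: compare the address a link shows with the one it
    goes to.  Only done when the visible text itself looks like an address;
    'Click here' has nothing to compare against."""
    warnings = check_url(href)
    shown = visible_text.strip()
    if "." in shown and " " not in shown:
        shown_owner = registrable_domain(parse(shown).hostname or "")
        real_owner = registrable_domain(parse(href).hostname or "")
        if shown_owner != real_owner:
            warnings.append(f"link text says '{shown}' but it points at '{real_owner}'")
    return warnings


if __name__ == "__main__":
    # Constructed sample links, including the post's own http://google.fakesite.com
    samples = [
        ("Google", "https://mail.google.com/"),
        ("Google", "http://google.fakesite.com"),
        ("Google", "http://www.google.com@fakesite.com/"),
        ("www.paypal.com", "http://paypal.com.evil.net/login"),
    ]
    for text, href in samples:
        print(f"{text!r} -> {href}")
        for warning in check_link(text, href):
            print("  WARNING:", warning)
```

Run it as a script to see which of the sample links trip the checks; the first one is the only clean address. The script deliberately compares registrable domains rather than whole hostnames, so mail.google.com is accepted as Google while google.fakesite.com is not, which is exactly the distinction the advice above asks readers to make by eye.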
All in all, the infection itself can usually be avoided by being vigilant about what you click. For corporate environments, I can’t stress enough how important backups and a solid disaster recovery plan are to your business continuity, and those backups need to keep enough history to reach back past the point the encryption began, because a backup job will copy encrypted files just as faithfully as good ones. There will be a cost associated with this one way or another: $300 to maybe get your data decrypted, several hours spent recovering from backups or, in the worst case, all of your business data.
Surf safely and share the message!
*** UPDATE October 30, 2013 – I’ve come across a second instance in the wild; a potential client that had the infection last week but fortunately had a solid backup routine in place so they were able to recover quickly with minimal damage.