Over the last few weeks, system administrators and interested parties alike have followed the growing flood of information on the newest variant of ransomware, CryptoLocker. Reports of private and mission-critical files illegally encrypted and held for ransom have inundated the forums and helplines of corporations and technology companies. The options available to users infected by CryptoLocker are simple: you recover your files from a clean backup, you pay the criminals to decrypt your files, or you simply forget the files ever existed and go on with your life. That is it. There are no other options. CryptoLocker is the real deal.
What is Ransomware?
We all know the usual suspects when it comes to malicious software: Trojans, botnets, malware, spyware, the list goes on. Ransomware may sound like a new variant, but it has been around for some time now.
In a ransomware attack, infection happens when the user opens an executable file, which in turn either installs the malicious code directly or begins its download and installation. Once the malicious code has been installed on the target system, either specific files are encrypted, access to the computer is restricted, or fake threatening messages are displayed on the system. The user is then informed that a payment must be made to make the problem go away.
Why Is CryptoLocker Different?
The main difference between previous ransomware attacks and CryptoLocker is the focused nature and finality of the attack. First, the program targets very specific file extensions, including Microsoft Office and OpenOffice file formats, PDFs, and other high-priority file types that usually contain sensitive or private data. These files are then encrypted using a 2048-bit RSA public key. After the files are encrypted, the program displays a notification informing the infected user that they have a specific length of time, usually four days, to remit payment through a specified anonymous payment system.
The second major difference between CryptoLocker and previous ransomware attacks is the finality of the deadline and the threat to system files. If the payment is not received within the required timeframe, the encryption key is deleted and access to the files is lost forever. The use of 2048-bit RSA encryption guarantees that the files will never be brute-force decrypted. The only options are to pay, recover from backups, or walk away and forget the files ever existed.
Is CryptoLocker-proofing Possible?
Protecting a system from CryptoLocker is a relatively simple process, even for novice users.
First, refrain from opening attachments from anyone unless the file is easily identifiable and expected, and then only after you have looked at the full file name. CryptoLocker uses a default setting of the Windows operating system, which hides the extensions of known file types, to disguise the infected executable in plain sight as a PDF file. Do not be fooled by how your system displays the file name; look closely.
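As an added illustration of the check described above (this is example code, not from the original article), the following PowerShell snippet reports whether Explorer is currently hiding known file extensions for the logged-in user, and then scans a folder for files whose displayed name looks like a document but whose real extension is executable. The `HideFileExt` registry value is the setting behind Explorer's "Hide extensions for known file types" option; the Downloads folder, the extension lists, and the naming pattern are assumptions chosen for the example.

```powershell
# Added example, not part of the original article.
# 1. Report whether Explorer hides known file extensions for this user.
#    With this setting on (the Windows default), "Invoice.pdf.exe" is shown as "Invoice.pdf".
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# HideFileExt = 1 means extensions are hidden; 0 means they are shown.
$hide = (Get-ItemProperty -Path $advKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hide -ne 0) {
    Write-Warning "Explorer is hiding known file extensions (HideFileExt=$hide). Full file names are not visible."
    # To show extensions for the current user, run the line below and restart Explorer:
    # Set-ItemProperty -Path $advKey -Name HideFileExt -Value 0
} else {
    Write-Host "Explorer shows full file extensions."
}

# 2. Scan a folder for "document.ext.exe"-style names (double extensions).
#    The Downloads folder is an assumption for this example; point it wherever attachments are saved.
$folder = Join-Path $env:USERPROFILE 'Downloads'

# Inner extensions that look like documents, and outer extensions Windows will execute (assumed lists).
$docExts  = 'pdf', 'doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx', 'txt', 'jpg'
$execExts = 'exe', 'scr', 'com', 'pif', 'bat', 'cmd', 'js', 'vbs'

# Build a case-insensitive pattern such as "\.(pdf|doc|...)\.(exe|scr|...)$".
$pattern = '\.(' + ($docExts -join '|') + ')\.(' + ($execExts -join '|') + ')$'

Get-ChildItem -Path $folder -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -imatch $pattern } |
    ForEach-Object {
        [PSCustomObject]@{
            # What Explorer displays when extensions are hidden (the name minus the last extension).
            DisplayedAs = [System.IO.Path]::GetFileNameWithoutExtension($_.Name)
            # The real file name, including the executable extension.
            RealName    = $_.Name
            Path        = $_.FullName
        }
    } |
    Format-Table -AutoSize
```

Run it in a normal (non-elevated) PowerShell session, since the setting lives under the current user's hive. An empty table means no double-extension executables were found in the scanned folder; it is not a guarantee that a file is safe, only that this particular disguise is absent.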
Second, make sure that you keep up-to-date backups of all important files in a cloud or offsite location. CryptoLocker encrypts files on all attached and mapped drives as part of its attack, so backups have to be remote to fend off infection. Reports suggest that the backup service of Carbonite provides file recovery services that allow for version control of files. Some data may be lost in recovery, but the loss of a few files compared to the loss of all important files is an easy choice to make.
Lastly, invest in an adequate anti-malware or antivirus program. Many programs have trouble catching a CryptoLocker infection before the encryption step. However, it has been reported recently on several popular sites, like Reddit, that Malwarebytes Anti-Malware Pro and both Avast! Free and Pro stop the CryptoLocker program from running. Other programs should take notice in the coming days and provide equal levels of protection, but at this time, these are the only three confirmed.
Final Thoughts On CryptoLocker
The most startling aspect of the CryptoLocker epidemic is how widespread the infection has become compared with the ease with which a user can protect their system from infection. The most basic and commonly repeated axiom in personal PC security is to never open an attachment that you do not expect to receive or whose full file name you have not checked, and never open an executable file sent as an attachment. If this simple step is taken, there is very little chance of causing the infection yourself.