I read your article last week and want to know what I need to do to protect my business network from the Cryptolocker ransom scam?
This question was answered on November 8, 2013. Much of the information contained herein may have changed since posting.
As I discussed in last week’s column (Is this the most vicious virus ever?), Cryptolocker is especially disconcerting for businesses because any one employee can cause the data for the entire company to be compromised.
The malware typically arrives by email (and sometimes social media) as a message claiming to be from FedEx, UPS or another shipping company, with a tracking notice or invoice attached. The attackers pose as commonly used business services because they know business users deal with these companies every day. The attachment looks like a harmless PDF, but it is actually an executable (usually inside a ZIP file) dressed up with a PDF icon and a double extension such as .pdf.exe; if you open it, you’ll get hit.
Cryptolocker looks for more than 60 common data file types on the infected computer and encrypts them so they can no longer be opened without a decryption key that the attackers keep and will only hand over, they claim, once you pay.
If it stopped there, the damage would be confined to that one machine, but Cryptolocker also walks every other drive letter it can see, such as an external backup drive, and locks you out of those files as well.
Business networks commonly incorporate ‘mapped drive letters’ to connect all their employees to a common location for shared data. Accounting files, documents, spreadsheets and all of the usual data that businesses store on servers would be attacked and held hostage.
A typical computer will have a C: drive (the primary hard drive), a D: drive (CD/DVD drive) and an external drive which generally gets assigned the next available drive letter.
A business computer may also have a Z: drive (or any other available letter) that maps to the company server, which is where the real danger starts.
Cryptolocker will go after data files on anything that has a drive letter, so if any ONE employee falls for the trick, all of the shared data that employee’s account can write to gets encrypted. That last point is worth acting on: limiting each employee’s write access to the shares they actually need limits how much one infected machine can take down.
If you happen to have a flash drive plugged into the computer when it gets attacked, even the files on it will be encrypted.
If you use a cloud service such as Dropbox whose storage appears on the computer as a local folder or a mapped drive letter, those files are at risk as well: the encrypted copies are synced up to the cloud just like any other change, so you will depend on the service’s version history to get the originals back.
The key to prevention is to keep educating your employees about the danger of opening ANY email attachment, no matter who it appears to be from, and to keep your security updates current.
The key to avoiding having to pay is a backup scheme that includes versioning and does not expose the backup through a mapped drive letter (or any path the user’s account can write to), so the malware cannot reach the copies.
Online backup services like Carbonite are a better hedge against this type of threat because the copies are offsite, are not reachable through a drive letter, and are versioned (although your most recent backup may well be of the already-encrypted files, so you will be restoring an earlier version).
If you have a decent commercial firewall or mail filter, you can block .EXE attachments from ever reaching your employees’ inboxes. Make sure the rule also looks inside ZIP attachments and catches double extensions such as .pdf.exe, because that is how this particular lure is actually delivered.
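To make the versioning point concrete, here is an added example (written for this page, not code from Carbonite, Data Doctors or any product) of a small pull-style backup store. The backup job runs as its own process that reads the share and writes into a store the employees’ accounts cannot reach, so there is no drive letter for the malware to follow. File contents are stored once by SHA-256 and never overwritten, every run records a separate snapshot manifest, and a run that finds most of the data set changed since the last snapshot refuses to commit, since that is the footprint a mass-encryption event leaves. The sample files, the XOR “encryption” and the 50% threshold are constructed for the demonstration.

```python
"""Versioned, content-addressed backup store (added example, not a product)."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


class VersionedStore:
    def __init__(self, root: Path):
        self.root = Path(root)
        (self.root / "blobs").mkdir(parents=True, exist_ok=True)
        (self.root / "snapshots").mkdir(exist_ok=True)

    def _put_blob(self, data: bytes) -> str:
        """Store content under its hash; an existing blob is never rewritten."""
        digest = hashlib.sha256(data).hexdigest()
        path = self.root / "blobs" / digest
        if not path.exists():
            path.write_bytes(data)
        return digest

    def snapshots(self) -> list:
        return sorted(p.stem for p in (self.root / "snapshots").glob("*.json"))

    def _load(self, snap_id: str) -> dict:
        return json.loads((self.root / "snapshots" / f"{snap_id}.json").read_text())

    def backup(self, source: Path, max_changed_fraction: float = 0.5) -> tuple:
        """Snapshot every file under source. Returns (snapshot_id, changed_fraction).

        Blobs are written before the change check: an unreferenced blob only
        wastes space, it can never displace a good earlier version. The manifest
        is refused when too much of the data set changed since the last run.
        """
        source = Path(source)
        manifest = {str(f.relative_to(source)): self._put_blob(f.read_bytes())
                    for f in sorted(source.rglob("*")) if f.is_file()}
        prev = self._load(self.snapshots()[-1]) if self.snapshots() else {}
        changed = sum(1 for rel, digest in manifest.items() if prev.get(rel) != digest)
        fraction = changed / len(manifest) if manifest and prev else 0.0
        if prev and fraction > max_changed_fraction:
            raise RuntimeError(f"{fraction:.0%} of files changed since the last snapshot; "
                               "refusing to commit, investigate first")
        snap_id = str(time.time_ns())
        (self.root / "snapshots" / f"{snap_id}.json").write_text(json.dumps(manifest))
        return snap_id, fraction

    def restore(self, snap_id: str, dest: Path) -> int:
        """Write every file recorded in the snapshot into dest; returns file count."""
        dest = Path(dest)
        count = 0
        for rel, digest in self._load(snap_id).items():
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes((self.root / "blobs" / digest).read_bytes())
            count += 1
        return count


def simulate() -> dict:
    """Constructed scenario: back up a share, 'encrypt' it, back up again, restore."""
    work = Path(tempfile.mkdtemp())
    src, out = work / "share", work / "restored"
    src.mkdir()
    originals = {"ledger.xlsx": b"Q3 accounts " * 50, "memo.docx": b"staff memo",
                 "notes/todo.txt": b"call vendor"}            # constructed sample data
    for rel, data in originals.items():
        p = src / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    store = VersionedStore(work / "backup")
    good_snap, first_fraction = store.backup(src)
    for rel in originals:                                     # stand-in for the malware:
        p = src / rel                                         # XOR every byte, rename file
        p.with_name(p.name + ".encrypted").write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))
        p.unlink()
    try:
        store.backup(src)
        refused = False
    except RuntimeError:
        refused = True
    restored = store.restore(good_snap, out)
    recovered = all((out / rel).read_bytes() == data for rel, data in originals.items())
    result = {"first_fraction": first_fraction, "refused": refused,
              "restored_count": restored, "recovered": recovered,
              "snapshots": len(store.snapshots())}
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(simulate())
```

The refusal is deliberately blunt: a legitimate bulk change (a migration, say) trips it too, and an operator then reruns with a higher `max_changed_fraction` after checking. What matters for the column’s point is that the earlier snapshot is still there to restore from no matter what the later runs saw.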
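The lure described earlier and the blocking rule above come together in this added example (written for this page, not a firewall vendor’s product or Data Doctors’ own code): a mail-attachment check that flags executables whether they are named outright, hidden behind a double extension, wrapped in a ZIP, or merely carrying the Windows PE “MZ” header under an innocent name. The sample message, its sender and recipient addresses, the extension list and the ZIP-member size limit are all constructed for the demonstration.

```python
"""Attachment filter for executable lures (added example, not a product)."""
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed list: extensions Windows will run when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
MZ_HEADER = b"MZ"          # first two bytes of every Windows PE executable
MAX_MEMBER_BYTES = 50_000_000   # constructed limit; refuse to inflate zip bombs


def suspicious_name(name: str) -> bool:
    """True when the LAST extension is executable; 'invoice.pdf.exe' is caught."""
    lower = name.lower()
    return any(lower.endswith(ext) for ext in EXECUTABLE_EXTS)


def looks_like_pe(data: bytes) -> bool:
    """Content check, so a renamed executable ('notice.pdf') is still caught."""
    return data[:2] == MZ_HEADER


def inspect_blob(name: str, data: bytes, findings: list, depth: int = 0) -> None:
    """Record findings for one attachment body; ZIPs are opened in memory, nested up to 3 deep."""
    if suspicious_name(name):
        findings.append(f"executable extension: {name}")
    if looks_like_pe(data):
        findings.append(f"PE header under name: {name}")
    if depth < 3 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{name}/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(f"oversized member skipped: {member}")
                    continue
                inspect_blob(member, zf.read(info), findings, depth + 1)


def scan_message(msg: EmailMessage) -> list:
    """Return a list of findings; an empty list means no executable content was seen."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        inspect_blob(name, part.get_payload(decode=True) or b"", findings)
    return findings


def build_sample_lure() -> EmailMessage:
    """Constructed sample: a fake shipping notice carrying a ZIP with a PDF-named EXE."""
    fake_pe = MZ_HEADER + b"\x90" * 62      # just the header, not a real program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tracking_Notice.pdf.exe", fake_pe)
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "notice@example.invalid"      # constructed addresses
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "Your package could not be delivered"
    msg.set_content("Please open the attached tracking notice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Tracking_Notice.zip")
    return msg


if __name__ == "__main__":
    for finding in scan_message(build_sample_lure()):
        print(finding)
```

The name check alone would have missed a plain ZIP, and the content check alone would have missed a script; both together are what a gateway rule needs. Password-protected ZIPs cannot be opened this way, which is exactly why a sensible policy quarantines archives it cannot inspect rather than passing them through.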
Removing the malware itself is pretty simple, but there is no way to decrypt the files without the private key, which the criminals keep; the matching public key that was used to lock the files is no help in unlocking them.
They recently raised their ransom demands: if you don’t pay the $300 ransom within three days, it goes up to $2200.
Some have reported that paying the ransom did decrypt their files properly, while others report partial recovery or nothing at all. Paying the thieves also funds and encourages the next round, so make sure you’re protected before it hits your business.
About the author
Posted by Ken Colburn of Data Doctors on November 8, 2013