To start, CryptoLocker is a ransomware Trojan that encrypts a computer's drive. Once the drive is encrypted, the data files resident on the system are no longer accessible to the rightful owner of the data. The criminals behind this Trojan then demand an extortion payment to decrypt the data. The owner of an infected system has one of two choices at this point – pay the extortionist or recover the data from the most recent backup.
What is making CryptoLocker a real problem lately?
The CryptoLocker ransomware Trojan has been creating serious problems for some time, but recently the criminals behind the enterprise have changed their approach. The recently documented attacks blend social engineering with traditional malware/virus code. The original infestations largely occurred by way of email attachments or web page exploits.
The most current cases include two elements. The criminal calls an unsuspecting employee or person and tells them that a reputable organization (a bank, accounting firm, etc.) will be sending them an email. This builds trust with the target of the crime. The criminal then sends an email with a Word document that is unreadable. It instructs the recipient to click on a macro if the document is unreadable. This macro initiates a web call and downloads the malware. At this point, the infection has begun. Unfortunately, since the executable comes from what appears to be a trusted source, standard antivirus software, antimalware software and firewall installations treat the traffic as legitimate.
What can be done?
- Be aware. Notify employees of the potential risks. The best mitigation for socially engineered attacks is employee behavioral training.
- At your unified threat gateway (e.g. FortiGate), enable deep SSL inspection and enable data leakage prevention (DLP) to block outbound executable calls. Please note, this process should stop all incoming executables, but it may require more IT intervention because, in protecting against unwanted intrusions, it will also block some needed functions.
- There is hope that Microsoft will offer an update to Office that will block macros from initiating executable content.
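One more control that fits between the training and the gateway rules above is holding macro-bearing Office attachments before they reach a mailbox. The following is an added example, not Digicorp's code or a FortiGate feature: it inspects an attachment by opening the OOXML zip container and looking for a VBA project part, and it builds its own constructed sample documents so it runs offline; the quarantine policy and file names are assumptions.

```python
"""Added example (not Digicorp's code): hold macro-bearing Office attachments at
the mail gateway. An OOXML file (.docx/.docm) is a zip archive, and a VBA project
lives in a vbaProject.bin part, so its presence alone justifies quarantine."""
import io
import zipfile

# Where Word, Excel and PowerPoint store a VBA project inside the zip.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Extensions meant to carry macros; a macro behind any other extension is a
# mismatch (e.g. a renamed file meant to slip past a naive extension filter).
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")


def inspect_office_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict dict: has_macros, extension_mismatch, quarantine."""
    has_macros = False
    if data[:2] == b"PK":  # zip signature; every OOXML container starts this way
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
            has_macros = any(part in names for part in MACRO_PARTS)
        except zipfile.BadZipFile:
            has_macros = False  # not a valid zip, hence not an OOXML document
    mismatch = has_macros and not filename.lower().endswith(MACRO_EXTENSIONS)
    # Assumed policy: any external document with a VBA project is held for
    # review, so the recipient never sees the "Enable Content" prompt.
    return {"has_macros": has_macros, "extension_mismatch": mismatch,
            "quarantine": has_macros}


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML zip, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:  # placeholder bytes; a real vbaProject.bin is an OLE file
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for fname, payload in [("invoice.docm", build_sample_docx(True)),
                           ("invoice.docx", build_sample_docx(True)),
                           ("report.docx", build_sample_docx(False))]:
        print(fname, inspect_office_attachment(fname, payload))
```

Legacy binary .doc files are OLE compound files rather than zips, so this check does not cover them; they need a separate OLE-aware scanner.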
If you have questions about CryptoLocker or any IT-related issue, please speak with your Digicorp engineer or account manager.