What value would you place on your data?
Nov 27, 2013 // Uncategorized //

It was October 2013 when the first PC in the UK became infected with the malware Cryptolocker. This nasty piece of malware encrypts your data files, then generously offers you the chance to decrypt them by paying a ransom. Since October it has become more and more widespread and is a real threat to UK businesses and home users.

Ransomware is not a new concept, but Cryptolocker is the first which uses commercial-grade RSA encryption and seems to have become more widespread than any other ransomware before it. PCs are first infected by a user either clicking a link in an email which downloads the malware or by opening an infected email attachment. At this point, users are still unaware of any wrongdoing and continue about their business, but something vicious is lurking in the shadows.

Cryptolocker systematically works its way through the user's files on the PC, encrypting those it comes across that it can encrypt (20 file types in all, including all of the Microsoft Office document types), but it doesn't stop there. It will then work its way through any network drive or share, continuing on its evil mission throughout an entire enterprise network.
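Because Cryptolocker leaves file names alone and simply replaces document contents with ciphertext, one defender-side check for a share is to look for files that no longer start with the header their type should have and whose contents look like random bytes. The following is an added example, not code from the original post: it scans a directory tree for Office-type files that have lost their expected magic bytes and have near-maximal byte entropy, and it builds its own constructed sample share so it runs offline. The magic-byte table and the allowlist of formats that are legitimately high-entropy are assumptions chosen for the example.

```python
import math
import os
import random
import tempfile
from collections import Counter

# Headers that Office documents normally start with (constructed for this example):
# modern .docx/.xlsx/.pptx are ZIP containers, legacy .doc/.xls are OLE compound files.
OFFICE_MAGIC = {
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".pptx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",),
    ".xls": (b"\xd0\xcf\x11\xe0",),
}

# Formats that are compressed or already encrypted-looking by design; entropy alone
# would flag them, so they are skipped (assumed list for the example).
HIGH_ENTROPY_OK = {".zip", ".jpg", ".jpeg", ".png", ".gz", ".7z", ".pdf"}


def shannon_entropy(data):
    """Bits per byte: random or encrypted data is close to 8, text and documents much lower."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(path, threshold=7.5):
    """True when the file head has lost its expected header and looks like random bytes."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(4096)
    if len(head) < 256:  # too little data to judge entropy reliably
        return False
    ent = shannon_entropy(head)
    if ext in OFFICE_MAGIC:
        magic_ok = any(head.startswith(m) for m in OFFICE_MAGIC[ext])
        return (not magic_ok) and ent >= threshold
    if ext in HIGH_ENTROPY_OK:
        return False
    return ent >= threshold


def scan_share(root):
    """Walk a share (or any directory) and return the sorted paths that look encrypted."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if looks_encrypted(p):
                hits.append(p)
    return sorted(hits)


def build_sample_share():
    """Constructed sample data: an intact docx-like file, a plain text file, a
    legitimately high-entropy image, and one spreadsheet overwritten with random bytes."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "finance"))
    with open(os.path.join(root, "report.docx"), "wb") as f:
        f.write(b"PK\x03\x04" + b"quarterly report text " * 200)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"meeting notes, nothing unusual here\n" * 50)
    rng = random.Random(1)  # fixed seed so the sample is reproducible
    with open(os.path.join(root, "photo.jpg"), "wb") as f:
        f.write(bytes(rng.getrandbits(8) for _ in range(4096)))
    with open(os.path.join(root, "finance", "budget.xlsx"), "wb") as f:
        f.write(bytes(rng.getrandbits(8) for _ in range(4096)))
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for hit in scan_share(share):
        print("suspicious:", hit)
```

The combination matters: a real `.docx` is a ZIP archive, so its body is high-entropy too, which is why the check requires both a missing header and high entropy before flagging a known Office type. Run periodically against a share, a sudden jump in the number of hits is a usable early warning that something is overwriting documents in place.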

Once Cryptolocker has given itself enough time to cause mayhem, it will display a screen to inform the user that all of their files are now encrypted. There has been malware like this before which tells you your files are infected and you must pay up to resolve the issue, but the majority of these are basic scams: the files are still accessible and all you are paying for is to remove the malware causing the popup telling you to pay to remove the malware! Cryptolocker is different; it has well and truly encrypted every file it could find. At this point you may think that someone somewhere must be able to decrypt your precious data files, but sadly this is not the case. RSA encryption is virtually unbreakable, inasmuch as if you had a few hundred years spare you might get to the point of unlocking maybe just one of your files!

The answer, according to the criminals behind Cryptolocker, is to pay them to receive the key to unlock your files. The encryption works on a half-and-half key process. Your files are holding half the key, the criminals the other half. Put the two together and you have a complete key. This is what is called the public key and the private key. You hold the public key, but that is useless without the private key to match up to it.
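The two preceding paragraphs rest on the public/private key split, so here is an added example (not from the original post) of textbook RSA with small, constructed primes. It shows that the public half can only lock data, that unlocking needs the private exponent the attacker keeps, and what recovering that exponent without it costs: factoring the modulus. The primes, the sample message and all function names are assumptions for the example; real keys use primes hundreds of digits long, which is what makes the "few hundred years" remark above apply.

```python
# Textbook RSA on tiny numbers, for illustration only. No padding, no real key sizes.

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    """Multiplicative inverse of a modulo m; raises if none exists."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m


def make_keypair(p, q, e=65537):
    """Build (public, private) from two primes. Public = (n, e), private = (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Anyone holding the public key can do this; the victim's machine only needs this half."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the holder of d can reverse encrypt(); this is the half the victim never gets."""
    n, d = private_key
    return pow(c, d, n)


def recover_private_exponent(public_key):
    """What a victim holding only the public key would have to do: factor n by trial
    division. Feasible here only because the constructed primes are about a million."""
    n, e = public_key
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            q = n // p
            return modinv(e, (p - 1) * (q - 1))
    raise ValueError("modulus did not factor")


# Constructed, tiny primes (both are prime; a real key would use ~1024-bit primes each).
P, Q = 1000003, 1000033
PUBLIC, PRIVATE = make_keypair(P, Q)


def demo(message=123456789):
    """Encrypt with the public half, show the public half cannot reverse it, then
    decrypt with the private half and with the brute-forced exponent."""
    c = encrypt(PUBLIC, message)
    n, e = PUBLIC
    wrong = pow(c, e, n)  # applying the public exponent again does not undo it
    d_recovered = recover_private_exponent(PUBLIC)
    return {
        "ciphertext": c,
        "public_half_undoes_it": wrong == message,
        "private_half_undoes_it": decrypt(PRIVATE, c) == message,
        "recovered_d_matches": d_recovered == PRIVATE[1],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Trial division over a modulus near 10^12 takes a fraction of a second; the work grows with the square root of n, so doubling the bit length of the primes squares the effort, which is the whole reason a key of realistic size cannot be recovered from the public half.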

[Image: screenshot of the Cryptolocker ransom screen with its countdown]

A countdown has begun, during which time you have some tough decisions to make. Do you pay to get the key and support the thieves behind this, or do you resort to previously backed up files? At the time the above screenshot was taken the ransom fee was $300, but this changes each day and on each infection. The value is based on the online virtual currency Bitcoin. Again, a smart move by those behind Cryptolocker: Bitcoin transfers are untraceable, making it harder for authorities to track down where all of these ransom fees are being paid. As a side point, those tracking the malware believe it is of Russian origin, based on calls to servers during the process. Back to Bitcoin: the value of 1 Bitcoin changes all the time. Cryptolocker charges you 2 Bitcoins to receive your decryption key; a couple of weeks ago this would have cost you around $800. Today it is more like $2,000. Is your data, your company files, your spreadsheets, your wedding photos, your databases worth $2,000 to recover?

Many think they are safe as they have anti-virus and anti-malware installed, but Cryptolocker is finding a way through most major flavours of defence. Others believe that because they use Dropbox or similar, they have a perfectly good backup of their data, a poor mistake to make. Dropbox and its counterparts work on the basis that as a file is changed it is synchronised back to the server. It's not a backup, just a synchronisation: it monitors change and makes a copy. What do you think constitutes a change, perhaps new encryption against a file? Exactly. Dropbox will see that the make-up of a file has changed and so sync that file, therefore overwriting a perfectly good copy on the server with the encrypted version. OK, there are ways out of this by using previous version history, but how far back do you need to go and how much data will you lose?
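The difference between a sync folder and a backup is easiest to see side by side. The following is an added example, not code from the original post or from Dropbox: a toy "sync" that always mirrors the latest content next to a versioned backup that never overwrites, followed by a restore that walks the versions newest-first until one passes a sanity check. The check used here (the file still starts with the ZIP header a `.docx` should have) and the junk pattern that stands in for an overwritten file are assumptions for the example.

```python
import os
import shutil
import tempfile


def sync_copy(src, mirror_dir):
    """Behaves like a sync client: the mirror always holds the latest content, good or bad."""
    os.makedirs(mirror_dir, exist_ok=True)
    dst = os.path.join(mirror_dir, os.path.basename(src))
    shutil.copy2(src, dst)
    return dst


def versioned_backup(src, backup_dir):
    """Never overwrites: each run stores a new, numbered version of the file."""
    name = os.path.basename(src)
    vdir = os.path.join(backup_dir, name)
    os.makedirs(vdir, exist_ok=True)
    n = len(os.listdir(vdir)) + 1
    dst = os.path.join(vdir, f"v{n:04d}")
    shutil.copy2(src, dst)
    return dst


def versions(backup_dir, name):
    """Stored version names for one file, oldest first."""
    vdir = os.path.join(backup_dir, name)
    return sorted(os.listdir(vdir)) if os.path.isdir(vdir) else []


def restore_last_good(backup_dir, name, is_good):
    """Walk versions newest-first; return (version, content) of the first that passes is_good."""
    for v in reversed(versions(backup_dir, name)):
        with open(os.path.join(backup_dir, name, v), "rb") as f:
            data = f.read()
        if is_good(data):
            return v, data
    return None, None


def demo():
    """Constructed scenario: a docx-like file is synced and backed up, then overwritten
    in place, then synced and backed up again. Returns what each copy looks like after."""
    work = tempfile.mkdtemp(prefix="work_")
    mirror = os.path.join(work, "sync")
    backup = os.path.join(work, "backup")
    doc = os.path.join(work, "contract.docx")

    good = b"PK\x03\x04" + b"original contract text " * 50
    with open(doc, "wb") as f:
        f.write(good)
    sync_copy(doc, mirror)
    versioned_backup(doc, backup)

    # The file is overwritten in place; a fixed junk pattern stands in for the damage.
    junk = bytes(range(256)) * 8
    with open(doc, "wb") as f:
        f.write(junk)
    sync_copy(doc, mirror)   # the mirror now holds junk too
    versioned_backup(doc, backup)  # the backup gains a second version, keeps the first

    with open(os.path.join(mirror, "contract.docx"), "rb") as f:
        mirror_now = f.read()
    ver, restored = restore_last_good(
        backup, "contract.docx", lambda d: d.startswith(b"PK\x03\x04"))
    return {
        "mirror_is_good": mirror_now == good,
        "versions_kept": len(versions(backup, "contract.docx")),
        "restored_version": ver,
        "restored_is_good": restored == good,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The "how far back do you need to go" question in the post is exactly what `restore_last_good` answers: with a retention of N versions you can only step back N changes, so retention length, not just the existence of history, decides whether a good copy survives.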

OK, so you are stuck: do you pay the ransom? There are varying degrees of success being reported. Some have paid the ransom, received their key and now have full access to their files restored. Others have paid and never heard anything more, still having completely encrypted data files.

There are two key points to make. Firstly, backup, backup, backup. Having up-to-date copies of files is the best way of restoring access to any file. Secondly, user education. The malware cannot inflict itself onto a PC; it has to be put there by a user. If users are smart enough not to click that link to reset their locked banking password, or not to open that attachment to see how they claim their £600 tax rebate, then the malware cannot get in. The door has to be opened and Cryptolocker invited in.

You have to hand it to the creators of Cryptolocker, it is pretty smart. The genius does not stop at holding the files to ransom. If you manage to remove the malware, your files are still encrypted; you have just removed the cause of the encryption, and you also no longer receive the message on how to pay the ransom. Well, the creators thought of this too, so they change your desktop background to tell you exactly where you can download the malware again to re-infect your PC, so that you can once more see how to pay the ransom!

[Image: the desktop background Cryptolocker leaves behind after removal]

Originally, once the countdown had ended it was game over, with no chance of unlocking those files. This too has now changed, in that the criminals give you a second chance offer! They tell you which site to go to in order to pay even more cash to unlock your precious files.

Backup, backup, backup. Educate users not to follow unsolicited web links in emails and to not open attachments from unknown senders or from the bank account they never had. Prevention is better than the cure.
