In September, we explained what cryptolocker was and suggested ways to avoid being held to ransom. Since then, we have been approached by a number of organisations that have been affected by this breed of ransomware looking for help. Given the scale of the issue that the industry is facing, we thought it might help others if we shared the 10 steps that we take to help prevent cases of cryptolocker on the networks that we manage.
What is Cryptolocker?
Cryptolocker is a form of ransomware. Ransomware is malware that encrypts your files, preventing you from getting access to them, before extorting money from you in exchange for a promise to unlock them.
How does Cryptolocker Work?
- The main delivery method is email, but you can get infected from downloads, files brought into your organisation on a removable device, or from malware already present on your network.
- Once infected, the ransomware installs itself and then sets itself to start every time the machine is switched on.
- Once installed, it contacts the server operated by the criminal organisation and identifies itself using a unique ‘handshake’. The server then creates two cryptographic keys, one for the infected machine and one for the server.
- When the keys are in place, the program goes about encrypting all files with the most popular file extensions on the infected machine. Files on shared drives, backups, attached storage devices, etc. are all encrypted.
- Following encryption, a screen is displayed advising you that you have a set amount of time to pay a ransom to unlock your files (generally 3 days). If the ransom isn’t paid, the threat is made that the server will destroy its key, thereby making it impossible to decrypt your files.
10 steps to protect your business against Cryptolocker:
- As general good practice, ensure that your anti-virus software is active and that your definitions are up to date. Anti-virus software is getting better at detecting cryptolocker, but the software is only effective if it catches the ransomware before the encryption occurs.
- Make changes to your Group Policy: create a new Group Policy Object (GPO) for each restriction policy and test the policy in a local environment before applying it across your organisation. You may find that some legitimate applications are blocked, so you may have to create ad-hoc allow rules until you reach a point where all users have the ‘whitelisted’ applications that they legitimately need for their role.
- Upgrade all desktop operating systems to a business edition of Windows, such as Windows 8.1 Enterprise. You need to be running a business edition in order to deploy Windows AppLocker, described in greater detail in step 5.
- Upgrade all servers to Windows Server 2008 R2 or later. Again that is to allow you to deploy and manage Windows AppLocker.
- With the supporting desktop and server infrastructure in place, Windows AppLocker can then be deployed. Windows AppLocker is a software restriction policy tool that allows you to further specify which users or groups can run particular applications in your business, based on rules that you define. Windows AppLocker allows you to control a vast array of applications, such as executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.msi and .msp) and DLL files (.dll and .ocx).
- Review your user permissions and tighten up wherever you can. Cryptolocker cannot override deny permissions, so if one of your users gets infected using an account with limited permissions, the damage caused will be minimal. Ensure that none of your users have local administration rights unless absolutely necessary.
- Examine your firewall. You need to block all outbound traffic on ports that you do not use, introducing firewall rules to block URLs that contain raw IP addresses and blocking access to . A particularly strong solution is one that combines file reputation, behaviour analysis and sandbox technology. Using a cloud-based security intelligence network, the ability to detect and block malware using sandbox technology is improved. Any known malware is automatically blocked, with suspicious files being placed in isolation to be tested before infection can occur.
- Implement organisation-wide user training. Security awareness training is one of the most effective ways to protect yourself against cryptolocker. As email is the most common method of delivery, training your users to identify a fake email will go a long way in protecting you from infection. Your spam filter won’t be able to block everything, so it is important that your users become a reliable part of your defense.
- Introduce File Screening, creating file screen groups to help detect known cryptolocker file names such as “decrypt_instruction*.*”, “help_decrypt*.*”, “install_tor*.*” etc., and setting up passive screening and alerts should any of the above file names be detected. This step may not prevent cryptolocker from striking, but it will hopefully allow you to contain any outbreak before it becomes business-affecting.
- Having a secure, tested, off-site backup of your data is imperative. With a regular (preferably daily) backup being made and with the ability to keep a history of incremental revisions, you will at least be protected and able to roll back should you need to. Our ideal backup solution ensures that you have three copies of your data kept on at least two different media types, with one of those held at an offsite location.
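Steps 2 to 5 above describe one procedure: build a software restriction policy, test it locally, then roll it out by GPO. The following PowerShell is an added example of that procedure (it is not code from the original article): it inventories the applications on a clean reference machine, generates AppLocker allow rules for them, switches the policy to audit-only so that nothing is blocked during testing, and applies it locally. It assumes Windows 8.1 Enterprise or Windows Server 2012 or later with the AppLocker module, an elevated session, and the illustrative paths and user name shown.

```powershell
# Added example (not from the original article): build an AppLocker policy
# from the applications already installed on a clean reference machine, test
# it against a sample file, then apply it locally in audit-only mode.
# Assumptions: Windows 8.1 Enterprise / Server 2012 or later, elevated session;
# all paths and the user name are illustrative.
Import-Module AppLocker

# AppLocker rules are evaluated by the Application Identity service, which
# must be running on every machine that receives the policy.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Inventory trusted locations. Exe, Script and WindowsInstaller are the
#    file types listed in step 5; Dll rules are left out of this pilot because
#    they need separate performance testing.
$trusted  = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)')
$fileInfo = foreach ($dir in $trusted) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Turn the inventory into allow rules: publisher rules for signed files,
#    hash rules otherwise. -Optimize collapses duplicates. Anything outside
#    these locations (for example a file a user saves or downloads) will be
#    reported, which is exactly what step 2 says to watch for while testing.
$policyPath = 'C:\Temp\AppLocker-Audit.xml'
$fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyPath -Encoding UTF8

# 3. Set every rule collection to AuditOnly: executions that would be blocked
#    are only logged (AppLocker event log, ID 8003 for EXE/DLL, 8006 for
#    MSI/Script) until the policy is proven against legitimate applications.
[xml]$policy = Get-Content -Path $policyPath
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($policyPath)

# 4. Check a specific file and user against the policy before applying it.
#    Returns Allowed, Denied or DeniedByDefault (illustrative path and user).
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Users\Public\Downloads\sample.exe' -User 'CONTOSO\jsmith'

# 5. Apply locally for the pilot; -Merge keeps any existing local rules.
#    Once the audit log is clean, import the same XML into the GPO from
#    step 2 (Set-AppLockerPolicy -Ldap) and only then change AuditOnly to Enabled.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Review the audit events for at least a full business cycle before switching to Enabled, since applications used only at month end will otherwise not appear in the log.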
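Step 9 describes passive file screening with alerts. The following PowerShell is an added example of how that can be set up with File Server Resource Manager (it is not code from the original article); it assumes Windows Server 2012 or later, because the FSRM cmdlets are not available on Server 2008 R2, an elevated session, and the placeholder share paths and mail settings shown.

```powershell
# Added example (not from the original article): passive FSRM file screen that
# raises an event and an e-mail when a known CryptoLocker ransom-note file name
# appears on a share. Assumptions: Windows Server 2012 or later, elevated
# session; share paths, SMTP host and addresses are placeholders.
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

# Mail settings FSRM uses for notifications (placeholder values).
Set-FsrmSetting -SmtpServer 'smtp.example.internal' `
                -AdminEmailAddress 'soc@example.internal' `
                -FromEmailAddress 'fsrm@example.internal'

# 1. File group holding the ransom-note patterns listed in step 9.
$patterns = @('decrypt_instruction*.*', 'help_decrypt*.*', 'install_tor*.*')
New-FsrmFileGroup -Name 'Ransomware indicators' -IncludePattern $patterns

# 2. Notification actions. FSRM expands [Server], [Source Io Owner] and
#    [Source File Path] at run time; the owner is the infected user's account,
#    which is the first thing to disable when containing an outbreak.
$body = 'Possible ransomware on [Server]: user [Source Io Owner] created [Source File Path]'
$eventAction = New-FsrmAction -Type Event -EventType Warning -Body $body
$mailAction  = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
                              -Subject 'Ransomware file screen hit on [Server]' -Body $body

# 3. Passive screen (-Active:$false) on each share: the file is not blocked,
#    so legitimate work is never interrupted, but every match is logged and
#    mailed so the outbreak can be contained before it spreads further.
$shares = @('D:\Shares\Finance', 'D:\Shares\Common')
foreach ($share in $shares) {
    New-FsrmFileScreen -Path $share -IncludeGroup 'Ransomware indicators' `
                       -Active:$false -Notification $eventAction, $mailAction
}

# 4. Confirm the screens exist and are passive.
Get-FsrmFileScreen | Select-Object Path, Active, IncludeGroup
```

The warning event lands in the Application log under source SRMSVC, so it can be forwarded to whatever alerting your monitoring already uses.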
Cryptolocker has been very disruptive and has, from a criminal’s perspective, been very successful. As such, we expect many more ransomware strains to be deployed over the coming months.
Over the coming weeks we will go over some of the steps above in much greater detail.
Need to know more about Cryptolocker or need expert help with your defenses? Start the conversation by phoning us on 0333 123 0360 or by contacting us online.