
CryptoLocker ransomware: Why ransomware prevention is a losing battle

The CryptoLocker ransomware caught many enterprises off guard. Expert Nick Lewis explains why it's unique and the one defense strategy that works.

Cybercriminals will always find new ways to profit from malware. While targeted malware is certainly prevalent, casting as wide a net as possible is still the way attackers make the most money.

One particular form of malware, ransomware, has proven quite lucrative for cybercriminals. The latest virulent strain, CryptoLocker, is of particular concern because of how successful it has been at infecting computers. Where people once paid only to have malware cleaned off their computers, with CryptoLocker they also face the cost of paying a ransom to get their sensitive data back.

In this tip we'll discuss how the CryptoLocker ransomware works, why it is different from traditional ransomware and what defenses enterprises should put in place to protect themselves from the threat.

The CryptoLocker ransomware

Ransomware is a type of data-kidnapping malware designed to extort the data owner into paying the criminal to recover files.


The concept is simple: ransomware infects a computer, seeks out data based on attributes such as file type and location, and surreptitiously encrypts it with keys known only to the attacker. The victim is given a choice: pay the attacker to decrypt the data or lose it forever. Attackers also warn victims not to involve law enforcement or risk losing the data permanently. Not surprisingly, most ransomware has targeted businesses: the consequences of losing corporate data are higher than for consumer data, so a payout is more likely.

Ransomware has existed since the late 1980s, but it has historically been less common than other types of malware because it was difficult to monetize consistently. Attackers often struggled to keep command-and-control systems running to issue commands to the ransomware, and it was difficult to extort a payment while remaining anonymous.

However, ransomware has evolved. CryptoLocker differs from earlier ransomware in that it uses modern attack techniques, such as delivering the malware through an exploit kit hosted on compromised websites. It also gets the cryptography right: the file encryption keys are themselves protected with a public key whose private half never leaves the attackers' servers, so malware researchers who reverse-engineer the sample still cannot recover the files. Additionally, CryptoLocker encrypts data not only on the local system but also on removable media and mapped network shares. The attackers use servers on the Tor network to distribute keys, which helps prevent the malicious activity from being traced back to them.

The cybercriminals behind CryptoLocker have refined the payment process as well. Victims can pay through a variety of alternative channels, such as MoneyPak and Bitcoin, and the attackers give victims more time to pay so that they can extract greater profit from the crime. Bitcoin and Tor improve the attackers' margins by making it harder for law enforcement to shut them down, but ransomware could just as easily use a botnet to hide its connections and money mules to transfer payments; Tor and Bitcoin simply make the process easier and less risky for a cybercriminal.

Enterprise Protections

Fortunately, defending against CryptoLocker doesn't require new technology. The most important enterprise protection against CryptoLocker and other ransomware is good, reliable, tested and current data backups. These backups should be offline or protected from unauthorized deletion.

If your enterprise does not regularly back up high-value data, business continuity and disaster recovery planning must be updated immediately to address this shortcoming. Being able to recover encrypted or deleted data minimizes the impact of a ransomware attack: there is no need to pay a ransom when the affected machines can simply be wiped and restored from backups. Unfortunately, up-to-date backups that are either offline or well protected from unauthorized deletion are not universal in the modern enterprise, so as long as cybercriminals continue to turn a significant profit, their motive for ransomware will not wane.
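The two properties the advice above rests on, that backups are current and that they are tested, are both things you can check mechanically. The script below is an added example written for this edit, not code from the article or its author. It assumes a simple layout (a backup directory holding file copies plus a manifest of SHA-256 hashes recorded at backup time; the manifest name MANIFEST.json is an assumption) and a constructed scenario in which ransomware overwrites one live file with ciphertext-like bytes and deletes another. It verifies the backup copy against the manifest, flags changed live files whose byte entropy looks like ciphertext, and performs an actual restore into a scratch directory and verifies the result, which is the "tested" part that is so often skipped:

```python
import hashlib
import json
import math
import os
import shutil
import tempfile
from collections import Counter

MANIFEST = "MANIFEST.json"   # assumed manifest name, written next to the backed-up files


def sha256_file(path):
    """SHA-256 of a file, streamed so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte: documents sit well below 7, ciphertext and random data close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def take_backup(src_dir, backup_dir):
    """Copy every file under src_dir into backup_dir and record a manifest of their hashes."""
    manifest = {}
    for root, _, files in os.walk(src_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, src_dir)
            dst = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            manifest[rel] = sha256_file(src)
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_copy(dir_path, manifest):
    """Manifest entries that are missing from dir_path or whose hash no longer matches."""
    return sorted(rel for rel, digest in manifest.items()
                  if not os.path.isfile(os.path.join(dir_path, rel))
                  or sha256_file(os.path.join(dir_path, rel)) != digest)


def assess_live_files(src_dir, manifest, entropy_threshold=7.5):
    """Compare live data to the manifest: missing, changed, and changed files that look encrypted."""
    report = {"missing": [], "changed": [], "likely_encrypted": []}
    for rel, digest in sorted(manifest.items()):
        p = os.path.join(src_dir, rel)
        if not os.path.isfile(p):
            report["missing"].append(rel)
        elif sha256_file(p) != digest:
            report["changed"].append(rel)
            with open(p, "rb") as f:
                if shannon_entropy(f.read(4096)) >= entropy_threshold:
                    report["likely_encrypted"].append(rel)
    return report


def restore(backup_dir, dest_dir, manifest):
    """Copy the backup into dest_dir, then return any files that fail verification (a real restore test)."""
    for rel in manifest:
        dst = os.path.join(dest_dir, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(backup_dir, rel), dst)
    return verify_copy(dest_dir, manifest)


def demo():
    """Constructed scenario: back up three files, simulate an infection on the live copy, verify, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, restored = (os.path.join(tmp, d) for d in ("live", "backup", "restored"))
        os.makedirs(os.path.join(live, "docs"))
        sample = {   # constructed sample documents
            "docs/report.txt": b"Quarterly report: revenue up, costs flat. " * 60,
            "docs/notes.txt": b"Meeting notes for Monday.\n" * 40,
            "budget.csv": b"item,amount\nlaptops,12000\nlicenses,3400\n",
        }
        for rel, content in sample.items():
            with open(os.path.join(live, rel), "wb") as f:
                f.write(content)
        manifest = take_backup(live, backup)

        # Simulated ransomware on the live copy only: one file overwritten with
        # ciphertext-like random bytes, one deleted. The backup copy is not touched.
        with open(os.path.join(live, "docs/report.txt"), "wb") as f:
            f.write(os.urandom(2048))
        os.remove(os.path.join(live, "budget.csv"))

        return {
            "backup_intact": verify_copy(backup, manifest),           # [] if the copy is untouched
            "live": assess_live_files(live, manifest),
            "restore_failures": restore(backup, restored, manifest),  # [] if the restore works
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The entropy check is a heuristic: compressed archives and media also score near 8 bits per byte, so treat it as a prompt to inspect, not as proof of encryption. The manifest is also the piece that tells you a backup is worthless: if verify_copy on the backup directory ever returns entries, the backup itself was reachable by the malware (or by anyone else with write access) and was not the offline, deletion-protected copy the text calls for.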


Other enterprise defenses provide defense in depth, but without good backups in place they offer little protection against ransomware. Strong antimalware, application whitelisting and patching help protect individual endpoints, but they do nothing for a file share once a single compromised endpoint with write access starts encrypting files on it, which is exactly how CryptoLocker reaches network shares.

Another, less common option is to prevent infected endpoints from connecting to the network and file servers at all. Enterprises could also manage file share permissions carefully, so that a compromised account can encrypt or delete only the data it legitimately needs to write. Both strategies, however, require significant infrastructure that is not yet common.


Due to the strong profits from ransomware and the rapid development of CryptoLocker, it seems unlikely that the number of these infections will decline. A decline will only come as more enterprises implement secure, recurring data backup processes that offer the necessary insurance against worst-case scenarios involving ransomware.

The rising cost of insecure systems should convince enterprises to use, or demand from their vendors, systems that are less prone to malware. The fact that the cost of ransomware falls directly on the targeted individual or enterprise, rather than on a third party at the other end of a spam, phishing or DDoS attack, might change some people's behavior.

About the author:
Nick Lewis, CISSP, is the information security officer at Saint Louis University. Nick received his Master of Science degree in information assurance from Norwich University in 2005 and in telecommunications from Michigan State University in 2002. Prior to joining Saint Louis University in 2011, Nick worked at the University of Michigan and at Boston Children's Hospital, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University.

This was last published in March 2014
