CryptoLocker, a particularly nasty piece of malware, is being unleashed on the online community at an alarming rate.

Not only does this new breed of malware infect computers by email, the traditional route for ransomware; it has also been engineered to exploit existing security holes and even to piggyback on machines already compromised by other known malware such as Zeus.

A blog post on November 26th by Brendan Blevins, assistant site editor at TechTarget (http://searchsecurity.techtarget.com/news/2240210012/CryptoLocker-ransomwares-professional-execution-ups-the-ante), highlights the issue in more detail:
Ransomware attacks have been around for seemingly as long as the field of information security itself, but for the most part, they’ve been labelled as a nuisance more so than as a true threat. A recent ransomware iteration called CryptoLocker may be changing that perception one infection at a time.

Ransomware encrypts data on a victim’s machine and then demands a ransom be paid for access to the decryption key. In many cases, authors of ransomware will pose as federal authorities or law enforcement officials and will accuse victims of violating laws in the hopes that such actions will make them more likely to pay.

CryptoLocker falls firmly into this category, though without the façade of legal authority. According to an alert issued this month by US-CERT, it infiltrates victims’ machines via malicious emails. Once a machine is infected, CryptoLocker searches for files to encrypt in a number of locations — including external hard drives, USB sticks and even shared network drives — and sends the private encryption key back to the attackers’ command-and-control server.

When originally uncovered in September, the CryptoLocker authors required payments be made within three days and only via the Bitcoin digital currency. They have since made adjustments to their demands, seemingly in an attempt to maximize their profit, including opening up payment options to include MoneyPak and making the pay-by date more flexible, though with escalating costs. Reportedly, the rising value of Bitcoins also forced a readjustment in prices. Without payment, though, the figures behind CryptoLocker threaten to delete the decryption key, leaving victims’ data locked forever.

Dan Hubbard, chief technology officer of San Francisco-based OpenDNS, recently noted that there are several noteworthy aspects to CryptoLocker.

Hubbard noted that it was fairly trivial to decrypt ransomware in the past — if encryption was even actually used. Security researchers would often reverse-engineer the code and provide decryption algorithms to customers. In contrast, Hubbard said, CryptoLocker’s encryption capabilities are “pretty sophisticated.”

In addition to the choice of encryption algorithms, CryptoLocker’s use of a domain generation algorithm also poses unique challenges to defenders trying to take down its networks, according to Hubbard. He claimed that CryptoLocker has around a thousand domains coming online every day that serve the encryption keys. Enterprises in particular should be concerned over the constantly changing domains, he noted, because this nullifies the effectiveness of reputation-based security systems.

Hubbard also said CryptoLocker’s binaries are changing frequently, leaving signature-based antivirus “continually behind.” Whitelisting may be a little more effective, but such technologies aren’t as widespread, he said.

To spread its reach, CryptoLocker is also taking the unique approach of utilizing other bot networks such as Zeus, Hubbard said. This means machines already infected via another attack campaign can then download and run the CryptoLocker encryption code.
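Hubbard's point about a thousand new domains a day is worth pausing on: a reputation feed can never list names that did not exist yesterday, so the practical detection angle is behavioural rather than list-based. The script below is an added example (not from the TechTarget article, and not based on CryptoLocker's actual domain generation algorithm) showing one such approach over a constructed resolver log: it scores the registrable label of each queried name with a simple lexical heuristic and flags clients that query several such names in a row, counting NXDOMAIN answers separately. The log format, the invented domain names and the thresholds are all assumptions chosen for the example.

```python
import re
from collections import defaultdict

VOWELS = set("aeiou")

# Constructed sample resolver log, one query per line (not real traffic):
# "<timestamp> <client_ip> <queried_name> <response_code>"
# The odd-looking names are invented for this example, not CryptoLocker domains.
SAMPLE_DNS_LOG = """\
2013-11-26T09:01:02Z 10.0.0.15 www.example.com NOERROR
2013-11-26T09:01:05Z 10.0.0.15 accounts.google.com NOERROR
2013-11-26T09:01:09Z 10.0.0.23 ewpkqbsjqadtdq.com NXDOMAIN
2013-11-26T09:01:10Z 10.0.0.23 hjdkqprwxzvbtl.org NXDOMAIN
2013-11-26T09:01:11Z 10.0.0.23 zmtkqvrbxwpndl.biz NXDOMAIN
2013-11-26T09:01:12Z 10.0.0.23 ntqxwmbkhrvgzf.net NOERROR
2013-11-26T09:01:15Z 10.0.0.42 cdn.cloudfront.net NOERROR
2013-11-26T09:01:16Z 10.0.0.42 secure.bankofamerica.com NOERROR
2013-11-26T09:01:20Z 10.0.0.42 stackoverflow.com NOERROR
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def registrable_label(qname):
    """Return the label just left of the TLD, e.g. 'example' for 'www.example.com'.
    Assumes a single-label TLD (.com, .net, ...); a real deployment would
    consult the Public Suffix List so that names under co.uk and similar work."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def longest_consonant_run(label):
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_generated(label, min_len=10, max_vowel_ratio=0.25, max_run=4):
    """Lexical heuristic: long alphanumeric labels with very few vowels or a
    long consonant run are typical of algorithmically generated names.
    The thresholds are assumptions picked for this example, not published values."""
    if len(label) < min_len or not label.isalnum():
        return False
    vowel_ratio = sum(1 for ch in label if ch in VOWELS) / len(label)
    return vowel_ratio < max_vowel_ratio or longest_consonant_run(label) >= max_run


def find_dga_clients(log_text, min_suspicious=3):
    """Return {client_ip: {"domains": [...], "nxdomain": n}} for every client
    that queried at least min_suspicious distinct DGA-looking names.
    NXDOMAIN answers are counted separately because an infected host usually
    burns through many unregistered names before it reaches a live one."""
    suspects = defaultdict(set)
    nxdomain = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        _ts, client, qname, rcode = m.groups()
        if looks_generated(registrable_label(qname)):
            suspects[client].add(qname.lower())
            if rcode == "NXDOMAIN":
                nxdomain[client] += 1
    return {
        client: {"domains": sorted(domains), "nxdomain": nxdomain[client]}
        for client, domains in suspects.items()
        if len(domains) >= min_suspicious
    }


if __name__ == "__main__":
    for client, info in find_dga_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(info['domains'])} DGA-like queries, "
              f"{info['nxdomain']} NXDOMAIN -> {', '.join(info['domains'])}")
```

On the sample log only 10.0.0.23 is flagged; the legitimate long labels (cloudfront, bankofamerica, stackoverflow) pass because they have a normal vowel mix. A heuristic this simple will still mis-score some brand names and short labels, so in practice it belongs in a pipeline that also weighs NXDOMAIN rate per client and query timing, with the flagged host isolated and its mapped drives checked for encrypted files rather than the domains simply being blocked one at a time.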

So far the most effective defence against CryptoLocker is the good old-fashioned backup: taken regularly, tested for integrity and stored safely, disconnected from the machines it protects, since a backup that sits on a mapped network share or an attached USB drive is just one more target for the encryption pass.
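"Tested for integrity" deserves a concrete check. The script below is an added example (not from this post or the TechTarget article) of the simplest form of that test: record a SHA-256 manifest when the backup is taken, keep the manifest beside the backup and away from the protected tree, and later compare both the backup and the live copy against it. The demo builds a small throwaway document tree in a temporary directory, copies it, overwrites one original file with random bytes to stand in for an encryption pass, and reports what changed; the file names and contents are constructed for the example.

```python
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX-style path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare the tree under root with a manifest captured earlier.
    Returns the files that still match, that changed, that are missing and
    that appeared; a sudden burst of 'changed' is what an encryption pass
    (or a silently corrupt backup medium) looks like."""
    current = build_manifest(root)
    return {
        "ok": sorted(p for p in manifest if current.get(p) == manifest[p]),
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "extra": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: snapshot a small 'live' tree, copy it to a backup
    location with its manifest, then overwrite one live file (standing in for
    ransomware encrypting it) and verify both trees against the manifest."""
    work = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        live = os.path.join(work, "live")
        backup = os.path.join(work, "backup")
        os.makedirs(os.path.join(live, "reports"))
        with open(os.path.join(live, "reports", "q3.txt"), "w") as f:
            f.write("quarterly figures\n")
        with open(os.path.join(live, "notes.txt"), "w") as f:
            f.write("meeting notes\n")

        manifest = build_manifest(live)
        shutil.copytree(live, backup)
        # The manifest lives next to the backup, outside the tree it describes,
        # so an encryption pass over the live tree cannot rewrite it.
        manifest_path = os.path.join(work, "backup.manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(manifest, f, indent=2, sort_keys=True)

        # Simulate the live copy being encrypted in place.
        with open(os.path.join(live, "notes.txt"), "wb") as f:
            f.write(os.urandom(64))

        with open(manifest_path) as f:
            stored = json.load(f)
        return {
            "backup": verify_manifest(backup, stored),
            "live": verify_manifest(live, stored),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the demo shows the backup tree fully intact and the live tree with notes.txt under "changed". The same verify step should be run against every backup before it is relied on, and run periodically against live data: a manifest comparison is also how you notice that an infection has already begun encrypting files, when the count of changed documents jumps far above what a normal working day produces.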

Strong security policies covering email, BYOD devices and the ubiquitous USB stick are now vital, as are staff awareness sessions.

Just when you thought it was getting safer ‘out there’!