Avoid Hackers Holding You To Ransom

In the past month yet another insidious malware has emerged to scourge the Internet. A few months back, it was Heartbleed. This time, it’s the “CryptoLocker” attack. CryptoLocker is a great example of how high-tech villains can get really creative in their efforts to gain riches.  Criminal hackers have turned to the crime of ransom. No, they are not going to kidnap your children. Their intention is to kidnap all your business data.

They do this by sneaking in a special bit of malware that will encrypt all of the data on your computer: all your important documents, your accounts, your customer records, work orders… everything! This effectively renders all the files on your computer and on your network useless. And here is the clever part that makes this ransom more than just malicious vandalism:  if you pay them within three days, they will give you a special key which will decrypt everything and restore your files to their pristine condition. After the three days, forget about it… your files are gone!

This link provides a good overview of CryptoLocker:

Luckily, I’m best mates with a security expert, and he provided me with some really interesting insights to CryptoLocker.  I’ve tried to turn his rather technical mumbo-jumbo into human understandable language, and more importantly, provide practical ideas that you can do to protect yourself, or at least prepare for the worst.

First, it is important to understand that the CryptoLocker malware is constantly being upgraded.  This means that even if you have antivirus software, there is still a chance (albeit a much, much smaller chance) of becoming a victim of CryptoLocker. Even the antivirus

companies such as Avast and McAfee point out that they are, by their very nature, reactive and therefore can’t guarantee that they will always be ahead of the hackers.  That said, your first line of defence against CryptoLocker is to have a commercial grade antivirus product installed and constantly update. Because CyptoLocker only needs to infect one computer on your network to hit files on shared network drives, it’s important to be sure that every computer is protected with antivirus software, and kept up to date.

Also, do not get hung up about which antivirus solution is the “best”, because all vendors are putting a lot of effort into nabbing CryptoLocker, and therefore all products will give you the same level of protection in this case.

RECOMMENDATION: Ensure that EVERY computer that is connected to your office network is running an up to date anti-malware solution, such as Symantec, McAfee or Trend Micro

It’s also important to understand how CryptoLocker can get onto your computer. CyptoLocker is pretty unique in that it starts off the attack by sending in a very small program that scans your computer for known weaknesses. Once it finds a chink in your computer’s armor, it downloads additional malware to take advantage of that weakness and eventually take control of your system. It’s a bit like a scout infiltrating an enemy base to get the plans, so the army can invade!

Understanding this is important for two reasons. First, it lets us know that we have to be on the lookout for the scout: that first bit of software which can only sneak into our computer if we are unobservant.  Secondly, it stresses just how important it is to lock down all of our defences: in this case, it means ensuring that the Windows operating system and applications – especially Adobe’s products – are patched as soon as possible.

The CryptoLocker scout’s main attack vector is fake emails with links to compromised websites. These emails appear to be from companies such as UPS, FedEx or Tax services. However, it has been reported (unconfirmed) that people are also getting emails from a friend. When you click on these emails’ links (which may also be inside Word or PDF document, or some other interesting file) you effectively open the door to that dastardly scout! Unfortunately, Google’s email scanning and some antivirus tools do not catch CryptoLocker when it is sent via and email link, so you need to be alert!

RECOMMENDATION:  Do not open emails, or click on links in emails, unless you are 100% sure they are genuine.

As mentioned above, CryptoLocker can sneak into your computer via an infected website. This is particularly an issue with International (especially Chinese) websites and porn sites, since many (up to 30% by some estimates) of web servers in developing countries are un-patched and open to hackers.

RECOMMENDATION: Be very careful about which web sites you visit. If you do need to search high-risk sites, consider using an iPad or Android tablet, which is immune to CyptoLocker.

Another option is to install the special ‘safe-browsing sandbox’ software, which may be included with your anti-malware software. Avast Internet Security has this feature.

One of the great things about criminal hackers is that they are lazy (but really, really smart.)  This means that they will only target the most common weaknesses.  The CyproLock scout is no different. Once it is in your computer, it will look for well-known and easy to exploit weaknesses, namely unpatched Adobe and Microsoft software and unpatched Windows.  When it finds an unpatched bit of software it uses that to open the games, then calls in the army that causes all the real damage. Therefore, it’s more important than ever to ensure your computer remains updated with the latest patches.

RECOMMENDATION: Ensure that all Windows-based computers and software (especially Adobe Reader and Adobe Flash) are patched as quickly as possible. Microsoft and Avast have tools which will help in that regards. Unfortunately, bandwidth for patches and updating is a serious problem for some rural businesses. This is one example of where poor broadband infrastructure is putting small business at a serious financial risk.

As noted previously, CrypoLocker is evolving fast. And now this type of threat is out, there will be even more devious copy-cats. Which means that even when you take precautions, you still need to prepare for the worst.

The best defense is to have all files backed up off-site, perhaps with a service that offers ‘incremental backups’ such as Crashplan.  Incremental means that even if your files get encrypted and then automatically backed up, you can still go back in time – from a few days to weeks or even months – to find the versions that were not yet encrypted.

RECOMMENDATION: Subscribe to an automated cloud backup program which includes the option to incrementally store past versions of your files. In Australia, Crashplan is a good option, as it has an option to back up ten computers (perfect for small offices) for about $10 a month.  And if you do need to recover your files, you can order a door-to-door recovery disk from CrashPlan for about $160, so you do not need to wait for your backup files download – so you can get back to work quickly.

Interestingly, the cost of restoring Crashplan is about $160, and the cost of paying off the hackers is about $300. So while back-up is cheaper, it  is tempting to simply pay the ransom: it seems easier, faster and reliable… and that is exactly what the criminals want you to think. However, I encourage you to resist that temptation. First of all, it may be technically illegal to pay them. It’s a bit of a grey area, and though I’m not a lawyer, it is illegal to pay extortion in Australia. Secondly, paying them encourages more of this behavior, and gives the criminals more money to invest in new attacks.

RECOMMENDATION: You should have a discussion with your management to determine your plans should you be attacked. Your starting point should ALWAYS be from what is legal and what is morally acceptable. Most security people stress that you should not deal the hackers, and instead plan how your would restore your computers manually, from external backups. The reason why you should have that discussion now, rather than waiting until your systems are attacked, is that you will have more than enough stress should that happen. Write down an action plan for an cyber-attack, and, better still, practice it.

If you do not think CryptoLock could happen to you, don’t be fooled. There is big money in this new attack. The BitCoin wallet, where some of the payments are going, reportedly has over US$45 million already. And that is probably just a fraction of their total takings. Of course, the hackers’ ability to get the money out of this account without being traced, remains to be seen, but given the sophistication of the attack and the money involved, it’s likely they will have some pretty powerful resources. My guess is that some of the gang will be caught, but others will not be picked up and will renew this sort of scam in the future, even once it is shut down.  Big money, big (well-organised) crime, low risk.  So this sort of crime is here to stay. We gotta live with it. Get yourself prepared.