CryptoLocker Ransomware – are you protected?

Trend Micro sent out official communication a couple of weeks ago warning its customers that ransomware is gaining momentum. The alarm was sounded that the vicious malware CryptoLocker, which encrypts your files until you pay a ransom, is spreading its ransomware wings and has been infecting dozens of computers lately. So how do you prevent falling victim to this malicious software?

The best form of defence against TROJ_CRILOCK is prevention. Keeping antivirus software up to date is crucial, and as Trend Micro states, it is “highly recommended to enable Behavioral Monitoring and Web Reputation in the environment to prevent the spread and protect those that are not yet infected, as well as attachment blocking to reduce the introduction of the malware within the environment”. It has been proved that computers already infected by other malware are more prone to infection by CryptoLocker. To read more about best practices for configuring OfficeScan and Worry-Free against this threat, see: http://esupport.trendmicro.com/solution/en-US/1099423.aspx

Aside from not getting infected in the first place, the next best way to mitigate the effects of CryptoLocker is to keep backups of important files. Backup drives that are physically connected to the infected computer, or reachable over the local network, may get encrypted as well, so isolated backups are recommended. Cloud solutions such as Datafortress (http://www.bluesolutions.co.uk/datafortress) ensure that you can retrieve your files if you do get infected.

Once your data has been encrypted by CryptoLocker, nothing can be done other than paying the ‘ransom’ to the attackers or reinstalling your entire machine from scratch or from a pre-infection backup. The reason is that CryptoLocker generates a 2048-bit RSA public and private key pair, far too large to break by brute force. The key pair is uploaded to the server after the malware attempts to connect to a command-and-control server: the public key is stored on the computer, the private key on the command-and-control server. A ransom is demanded to recover the private key and decrypt the files, with the threat that the private key will be destroyed, and your data lost forever, if payment is not made within a specified time frame.
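One check a defender can run after the fact, added here as an example and not code from the post or from Trend Micro: a Python heuristic that flags documents which have been replaced by ciphertext, i.e. the format header no longer matches the file extension and the byte distribution is near-uniform. The file names, the magic-byte table and the sample contents are all constructed for the demonstration; the header check is what keeps legitimately high-entropy formats such as docx or jpg from being reported.

```python
import math
import os
import random
from collections import Counter

# Expected leading bytes for a few common document types
# (a partial, illustrative list; extend it for your own environment).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",       # OOXML documents are ZIP containers
    ".xlsx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0",  # legacy OLE compound file
    ".jpg": b"\xff\xd8\xff",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain text sits around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(name: str, data: bytes, threshold: float = 7.5) -> bool:
    """Flag a file whose header no longer matches its extension AND whose
    bytes are near-uniformly distributed. Compressed formats (docx, jpg)
    are high-entropy by design, so the header check is what keeps them
    from being reported as false positives."""
    expected = MAGIC.get(os.path.splitext(name)[1].lower())
    if expected is None:
        return False  # unknown type: no baseline to compare against
    header_ok = data.startswith(expected)
    return not header_ok and shannon_entropy(data[:4096]) > threshold

def scan(files: dict) -> list:
    """Return the names in {name: bytes} that look like ciphertext."""
    return sorted(n for n, d in files.items() if looks_encrypted(n, d))

# Constructed sample files: a plain PDF, a healthy docx (ZIP header followed
# by compressed-looking data), a PDF overwritten with ciphertext, and a file
# type the table knows nothing about.
_rng = random.Random(7)
HIGH_ENTROPY = _rng.randbytes(4096)  # stands in for ciphertext / compressed data
SAMPLE_FILES = {
    "invoice.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n" * 50,
    "quarterly.docx": b"PK\x03\x04" + HIGH_ENTROPY,
    "report.pdf": HIGH_ENTROPY,  # header gone, bytes uniform: flagged
    "notes.txt": HIGH_ENTROPY,   # no baseline for .txt: not flagged
}

if __name__ == "__main__":
    print(scan(SAMPLE_FILES))  # ['report.pdf']
```

Run against a real share by reading each file's first 4 KiB into the dictionary; treat a hit as a trigger to isolate the host and verify the off-site backup, not as proof on its own.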

Prevention is better than cure! The choice between paying the cyber criminals (who knows what they will come up with next once they have the money to ‘fund’ their ‘R&D’) and re-installing your computer should not be an ethical dilemma. If you have the right software in place you can prevent infection, and should the worst happen, a cloud backup solution will give you the ability to restore the computer and retrieve your data from an off-site server.


Screenshot of spam with malicious attachment
Once this attachment is executed, it downloads another file which is saved as cjkienn.exe (detected as TSPY_ZBOT.VNA). This malware then downloads the actual CryptoLocker malware (detected as TROJ_CRILOCK.NS).