Recently, I’ve had to fight multiple incidents of the CryptoLocker ransomware infection in my corporate infrastructure. As a result, I have been researching the threat on my own. I am including a high-level overview of the threat and also possible approaches to mitigation of the threat going forward.
CryptoLocker first appeared in early September 2013. When a computer becomes infected with this malware, user files are encrypted using strong encryption. Files targeted by the encryption process are located on both the local system drive and any other drives connected to the computer that have a drive letter assigned. This includes locally attached USB drives and network drives mapped through a login script. At this time there is no evidence of the malware encrypting files through UNC paths (e.g. \\servername.domain.com\datafolder). Once files are encrypted, the key required to decrypt them is stored on a secret command and control server on the Internet. The malware displays a screen indicating that payment is required to decrypt the files, along with a countdown timer. There is currently no known way to decrypt the files without paying the ransom and using the decryption function built into the malware itself.
The infection is generally spread through emails pretending to be from someone like FedEx, UPS, or DHS (others as well, I’m sure). The emails contain a zip attachment that infects the computer when it is opened. The PDF files contained in the zip file are actually executable files disguised as PDFs. It should be noted that we have Office 365 configured to strip attachments like this from incoming email messages, so it is likely that personal email access would be a bigger threat in our environment.
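As an added example (not part of the original post, and not any vendor's filter), the following Python script implements the attachment check described above: it opens a zip attachment in memory and flags entries that are executables disguised as documents, either by a double extension such as "Label.pdf.exe" or by a PE header inside a file named as a PDF. The extension lists and the sample zip are constructed for the example.

```python
import io
import zipfile

# Assumed lists for this example; extend to the file types your organisation exchanges.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Extensions Windows runs on double-click; "Label.pdf.exe" still ends in .exe.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def _suffixes(name):
    # Lower-cased extensions of an archive entry name, e.g. ['.pdf', '.exe']
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return ["." + p for p in base.lower().split(".")[1:]]


def classify_entry(name, head):
    """Reason string if the entry looks like a disguised executable, else None.
    `head` is the first few bytes of the decompressed entry."""
    exts = _suffixes(name)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):
            return "document-looking name with executable extension"
        return "executable extension"
    # A renamed .exe keeps its "MZ" PE header no matter what extension it is given
    if last in DOCUMENT_EXTS and head.startswith(b"MZ"):
        return "PE header inside a file claiming to be a document"
    return None


def suspicious_entries(zip_bytes):
    """Scan a zip attachment and return {entry_name: reason} for risky entries."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)  # only the header is needed, not the whole file
            reason = classify_entry(info.filename, head)
            if reason:
                findings[info.filename] = reason
    return findings


def build_sample_zip():
    """Constructed sample: a real PDF, a double-extension lure, and a renamed .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Shipping_Label.pdf", b"%PDF-1.4\n%%EOF\n")
        zf.writestr("Shipping_Label.pdf.exe", b"MZ" + b"\x90" * 62)
        zf.writestr("Invoice.pdf", b"MZ" + b"\x00" * 62)
    return buf.getvalue()
```

Running suspicious_entries(build_sample_zip()) flags the two executables and leaves the genuine PDF alone; a mail gateway or mailbox rule can quarantine attachments with any finding.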
Many in the industry are paying the ransom to regain access to their files, with mixed results. Law enforcement is constantly shutting down command and control servers as they are located. When this happens, the keys stored on that C&C server are lost and decryption is not possible, even though payment has been submitted to the malware author.
If payment is not an option, or if payment was submitted and the associated C&C server has been shut down, the only recovery method is to restore data from backup. This is the approach that has been taken by my organization; however, the restore from our centralized tape library has been painful, to say the least. Restoring gigabytes of data from this library takes a long time because so many tapes are involved in the restore. Also, to prevent WAN impact, the data has typically been restored to a server in the local datacenter, then shipped to the remote location and synced to the server once onsite. This process can take days from beginning to end. Restoration to our DFS infrastructure is much less painful and also much faster because backups are cached on disk and tape mounts are not required.
According to my research, all of the antivirus companies are struggling to properly detect and mitigate this malware. Because it has been so profitable, it is changing slightly on a daily basis. This means that antivirus DAT files cannot keep up.
Security experts are proposing safe computing practices as the primary form of infection prevention. Alternatively, there are group policy settings that can be deployed in an enterprise environment to help deter the infection as it stands today. Because this malware is changing so rapidly, these group policy settings may be invalid within days.
My recommendation is to send out a company-wide notification with a basic overview of the current threat. This communication should also include recommendations for safe computing. Organizations should also investigate the deployment of the group policies, but I am not certain that the payback for that effort would be worth it because of the potential that the threat will mutate to bypass those restrictions.
A final note: OS X and Linux are not currently targeted by this malware. If you have access to systems running those operating systems, I would recommend using them to review your email. Another option would be to have a virtual computer configured with only Internet access and no access to any other data. Keep a good snapshot of this system so that if it becomes infected, you can revert to the snapshot and no data will be lost.
Following are links to the main resources I have been using in my research. I have also listened to a couple of podcasts from Steve Gibson, a big name in the computer security field.
Bleeping Computer (acknowledged as the best resource for this on the Internet): http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information