In the last few weeks, and with increasing frequency, our clients have been encountering instances of a new type of malware known as ransomware. The most widespread of these, known as Cryptolocker, infects your computer and encrypts the data files on that computer as well as on any network shares you have connected with a drive letter (e.g., the F: drive). Victims are told they have XX hours to submit payment (usually $100 or $300) in order to have their files decrypted. If that time passes, the “private key” required to decrypt the files is deleted, and the files cannot be easily recovered. The warning message looks something like this:
I’m sure you’re wondering why law enforcement authorities cannot simply follow the payment trail back to the criminals ransoming people’s data. It is likely that international non-state actors are involved, and that they are using “botnets” (http://en.wikipedia.org/wiki/Botnet) to spread the malware. In addition, the payment methods the ransomers are using minimize the risk of their being identified.
How Do I Protect My Organization?
Due to significant variation in the payload, antivirus and anti-malware vendors have not been able to reliably identify and quarantine this software, which has arrived on people’s computers primarily as an email attachment, often claiming to be from FedEx or UPS. Apart from restoring your files from backup, there is no practical way to recover your encrypted data without paying the ransom. The most practical approach at this time is to a) ensure you have backups of your data files on all drives and shares you are attached to; b) modify your email filters to disallow executable attachments and zip files; and c) educate your users!
Instructions for your users: Do not open attachments from senders whom you don’t recognize. FedEx and UPS don’t send emails with attachments! If you do see attachments, do not attempt to open zip files or any executable files, even if they have a name that implies they are a PDF file (another common trick).
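As an added illustration of the filtering rules in b) and the PDF-lookalike warning above (example code written for this post, not a product or vendor implementation), the following Python checks an attachment name and its bytes, rejecting executables, zip files, zips that contain an executable, and double-extension names such as "invoice.pdf.exe". The extension lists and the sample attachments are constructed for the demonstration.

```python
import io
import zipfile

# Extensions the advisory says to block outright (constructed list for the example).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "pif", "vbs", "js"}
ARCHIVE_EXTENSIONS = {"zip"}
# "Friendly" extensions used in front of a real executable suffix: invoice.pdf.exe
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "txt", "jpg"}


def classify_attachment(filename, data=b""):
    """Return the list of reasons to reject an attachment; [] means it passes."""
    reasons = []
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension .%s" % ext)
        # Double extension: the part before the last one looks like a document type.
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append("double extension disguised as .%s" % parts[-2])

    if ext in ARCHIVE_EXTENSIONS:
        reasons.append("zip archive")
        # Look inside: a zip carrying an executable is the classic lure described above.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTENSIONS:
                        reasons.append("zip contains executable %s" % member)
        except zipfile.BadZipFile:
            reasons.append("zip archive could not be parsed")
    return reasons


def build_sample_zip(member_name):
    """Build a small in-memory zip holding a harmless placeholder (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder bytes, not a program")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("shipping_label.pdf", b""),
        ("FedEx_Invoice.pdf.exe", b""),
        ("UPS_Notice.zip", build_sample_zip("UPS_Notice.exe")),
    ]
    for name, payload in samples:
        print(name, "->", classify_attachment(name, payload) or "allowed")
```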
We have seen multiple variants of this malware already and expect to see more. CONTACT US if you need assistance or advice on mitigating the risk of infection, or if you have already been infected.