Cryptolocker and its consequences for businesses

January 14, 2015

Survived cryptolocker barely scathed..

Messages like this occasionally make the rounds on Reddit and other social media, although most of them are far less optimistic. Ransomware is nothing new, but over the last few years it has transformed from a relatively rare problem into a persistent one. One particular strain, Cryptolocker, reached near-epidemic levels. It has been a year since two really big threads (1, 2) gathered and structured all known data on Cryptolocker. There is a lot of it, and even more surfaces with a plain search query.

While Cryptolocker only emerged around September 2013, it quickly became almost synonymous with “ransomware” in general. It proved to be extremely prolific, aggressive, and damaging. Estimates of the number of infections vary, but it is safe to assume the figures run to five or six digits. And while Cryptolocker victims are always advised not to pay, even the roughly 1.3% who apparently did pay brought the operators seven- to eight-figure sums in total. Victims are both businesses and individuals. For an individual, losing data to encrypting ransomware is distressing. For a business, it may spell total disaster: everything is lost, especially if there were no backups, or the backups sat on the very same server that got hit. Once Cryptolocker has encrypted the backups along with the data, it is as though there were no backups at all.


By all accounts, this malware is mean. The attack vector is nothing unique: Cryptolocker makes its way into the system via a phishing email with a malicious attachment, one of the most common ways for malware to slip in. It is also well publicized that it was pushed directly onto systems already taken over by the Gameover ZeuS botnet. The botnet was squashed last year in the large-scale Operation Tovar, with some delightful consequences for Crypto victims. Still, attacks continue from both the original Cryptolocker and its more evolved relatives.

Once it is in, Cryptolocker quietly encrypts files on local hard drives and mapped network drives. And, by some accounts, not just there.

Initially it managed to evade advanced security solutions and Windows UAC, so astounded IT workers sometimes discovered the attack only after the damage was done. Because of technical issues in Cryptolocker itself, its area of effect could be very limited, encrypting just some obscure drives within the network. It is worse when Cryptolocker does not announce itself at all, or the “announcement” is missed, as in this case where PDFs and Word files were encrypted weeks before anyone noticed. In that instance, Cryptolocker wiped out seven years’ worth of data.
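Encrypted documents that keep their original names and extensions give no visible sign until someone tries to open them, which is how weeks can pass unnoticed. The following is an added example, not code from the original post: a small Python scan that flags document files whose leading bytes no longer match their extension and whose content looks like ciphertext (near-maximal Shannon entropy). The magic-byte table, the 7.5 bits-per-byte threshold, and the sample share it builds (file names and contents) are all constructed for illustration; the threshold is an assumption chosen so that compressed but intact formats such as DOCX still pass on their header.

```python
import math
import os
import tempfile
import zipfile
from collections import Counter
from pathlib import Path
from typing import Dict, Optional, Tuple

# Leading bytes expected for each document type (assumed table; extend it for
# whatever formats your business actually keeps on its shares).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte (assumed); random/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for one repeated byte, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path, sample_size: int = 4096) -> Optional[Tuple[str, float]]:
    """Return (verdict, entropy) for a known document type, or None for other files."""
    magic = MAGIC.get(path.suffix.lower())
    if magic is None:
        return None
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    entropy = shannon_entropy(head)
    if head.startswith(magic):
        return "ok", entropy
    if entropy > ENTROPY_THRESHOLD:
        return "likely-encrypted", entropy  # header gone and content is ciphertext-like
    return "bad-header", entropy            # header gone but low entropy: corrupt, not encrypted


def scan(root: Path) -> Dict[str, Tuple[str, float]]:
    """Walk root; return {relative path: (verdict, entropy)} for every file that is not 'ok'."""
    flagged = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            result = classify(path)
            if result is not None and result[0] != "ok":
                flagged[path.relative_to(root).as_posix()] = result
    return flagged


def build_sample_share(root: Path) -> None:
    """Constructed sample data: two intact documents and two overwritten in place by an encryptor."""
    (root / "archive").mkdir(parents=True, exist_ok=True)
    (root / "invoice.pdf").write_bytes(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40)
    with zipfile.ZipFile(root / "contract.docx", "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document>Lorem ipsum dolor sit amet</w:document>" * 20)
    # Stand-ins for encrypted files: same names and extensions, ciphertext-like contents.
    (root / "archive" / "2008-ledger.pdf").write_bytes(os.urandom(4096))
    (root / "archive" / "minutes.docx").write_bytes(os.urandom(4096))


def demo() -> Dict[str, Tuple[str, float]]:
    """Build the sample share in a scratch directory and return what the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"
        build_sample_share(share)
        return scan(share)


if __name__ == "__main__":
    for name, (verdict, entropy) in demo().items():
        print(f"{verdict:17s} entropy={entropy:.2f}  {name}")
```

A check like this belongs in a scheduled job over the file shares, with the flagged list going to whoever owns the data; a sudden jump in the count of likely-encrypted files is exactly the signal the firm in that story lacked. It is a heuristic: a legitimately encrypted or merely corrupt file is reported too, and an encryptor that preserves the leading bytes would slip past the header test, so the entropy figure is worth keeping in the report rather than relying on the header alone.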

Encryption, of course, takes a while. Unless it is interrupted by cutting the power to the affected system(s), it will run to completion. And then comes an offer you can’t refuse: pay up or face thy doom.

“Doom” is not an exaggeration. Depending on the amount and value of the encrypted files, this can put a business out of commission. Imagine an engineering or architecture firm, with DWG files representing years of hard work and vital for doing business, getting Cryptolocked.

A company like that might well be willing to pay, even though businesses are charged much more for decryption than individual users. The reason is the same: it is the survival of the business that is at stake, even though there is no guarantee of receiving the key, just as with offline extortionists and blackmailers. There is also a well-reasoned concern that the decryptor the “company” behind Cryptolocker provides after the ransom is paid may inflict extra damage.

Victims are told to pay in Bitcoin within 72 to 100 hours, or the encryption key will be destroyed. There are also reports that after the first 72 hours expire the key is not deleted; instead the demanded amount of Bitcoin increases fivefold. Individual users and businesses alike face an extremely unpleasant choice: lose the data or submit to the attacker’s demands.

Just like with any other destructive malware (remember those early viruses and worms that could blast all the data on your hard drive to shambles?), the only real mitigation is to recover the lost data from “cold storage”, i.e. from an offline backup. An encryptor can only touch storage that is connected and writable while it runs, so data in offline storage stays safe even if a copy of the malware was captured in the backup alongside it. With a clean copy of the data in hand, it is also easier to detect and kill the encrypting malware. But this means the business must have the capability in place and perform backups on a regular basis, preferably automatically, and then not forget the passwords to those backups.
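To make the offline-backup argument concrete, here is an added example in Python (not the post’s own code, and not how any particular backup product works). It takes two backups of a small constructed share, one into a directory on the same server and one into a directory standing in for unmounted media, runs a stand-in for the encryptor that overwrites every file it can reach on the server, and then checks which backup still restores to the recorded SHA-256 manifest. Paths, file names and contents are constructed; the archive is plain tar.gz with no passphrase, so the forgotten-password failure is deliberately not modelled.

```python
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path
from typing import Dict

MANIFEST_NAME = "backup.manifest.json"


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, streamed so large drawings need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_of(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, dest_dir: Path) -> Path:
    """Archive src as tar.gz next to a JSON manifest of its file hashes; return the archive path."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    (dest_dir / MANIFEST_NAME).write_text(json.dumps(manifest_of(src), indent=1))
    return archive


def verify_backup(archive: Path) -> bool:
    """Restore into a scratch directory and compare every file with the manifest.

    Any failure to read, unpack or match counts as 'not restorable': a backup that
    has never been test-restored is a hope, not a backup."""
    try:
        manifest = json.loads((archive.parent / MANIFEST_NAME).read_text())
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch)  # archive we wrote ourselves; untrusted tars need a filter
            return manifest_of(Path(scratch)) == manifest
    except (tarfile.TarError, OSError, ValueError):
        return False


def simulate_encryptor(root: Path) -> int:
    """Stand-in for the malware: overwrite every file it can reach with ciphertext-like bytes."""
    hit = 0
    for p in root.rglob("*"):
        if p.is_file():
            p.write_bytes(os.urandom(len(p.read_bytes()) or 16))
            hit += 1
    return hit


def demo() -> Dict[str, bool]:
    """Constructed scenario: a backup on the hit server versus one kept offline."""
    with tempfile.TemporaryDirectory() as tmp:
        server = Path(tmp) / "server"  # everything under here is reachable by the malware
        share = server / "share"
        share.mkdir(parents=True)
        (share / "tower.dwg").write_bytes(b"AC1027" + b"\x00" * 2000)  # constructed stand-in for a drawing
        (share / "notes.txt").write_text("seven years of work\n")

        on_server = make_backup(share, server / "backup")
        offline = make_backup(share, Path(tmp) / "offline")  # stands in for unmounted media
        results = {
            "on_server_before": verify_backup(on_server),
            "offline_before": verify_backup(offline),
        }

        simulate_encryptor(server)  # hits the share and the on-server backup alike

        offline_manifest = json.loads((offline.parent / MANIFEST_NAME).read_text())
        results["share_matches_manifest_after"] = manifest_of(share) == offline_manifest
        results["on_server_after"] = verify_backup(on_server)
        results["offline_after"] = verify_backup(offline)
        return results


if __name__ == "__main__":
    for key, ok in demo().items():
        print(f"{key:30s} {ok}")
```

Two things the code makes explicit that the story glosses over: the backup directory that lives on the hit server fails verification exactly as the share does, and verification means an actual restore, not a listing of the archive. In a real deployment the archive would be encrypted, and the passphrase escrowed somewhere the business can reach without the one technician who set it up.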

One of the wildest situations I have stumbled upon is a three-part saga (1, 2, 3) about an accounting firm that got Cryptolocked. The tech person wiped the server, since he had Carbonite backups. But he had chosen a privately managed key instead of letting Carbonite manage it, presumably for extra security. And he failed to remember the password.

“The number of ways he … failed… is truly astounding”, said the post’s author. The tech in question went on to inflict more damage: “…he deleted all the Carbonite backups, deleted Carbonite, forgot the password and can’t install it back.” After this the tech went MIA and couldn’t be reached by phone.

The post’s author attempted to recover the password to the Carbonite backups with Hashcat, but judging by the lack of any report of success, there was none.

Cryptolocker’s “wings” were clipped heavily in mid-2014 after the Gameover ZeuS botnet, which distributed Cryptolocker, was dismantled. A database of encryption keys (still stored!) was recovered, and a free service was launched to help people restore access to their Cryptolocked files. By the way, that dramatic story about seven years of work lost to Crypto was resolved happily thanks to this service.

Still, plenty of other encrypting ransomware is being doled out, some of it even nastier, more dangerous, and harder to deal with. And businesses still seem unable to cope even with the older versions of Cryptolocker.

On the bright side, Cryptolocker drew a lot of attention, so businesses now take encrypting ransomware much more seriously than before. This looks like a twisted, but rather benign, consequence of the Cryptolocker outbreak.