CryptoLocker

Security Advisory: CryptoLocker

ITG Security is releasing this special advisory to warn of a significant piece of malware that has been impacting individuals and organizations around the globe.

Known as CryptoLocker, the software belongs to a class of malware known as ‘ransomware’. Ransomware infects computers with the ultimate goal of extracting a ransom from an individual or company in order to remove the software and/or its effects. However, unlike many other ransomware programs, CryptoLocker is very well constructed and files on the target system have very little chance of being recovered without the company or individual paying the requested ransom. As such, CryptoLocker is one of the most impactful pieces of malware observed by the information security industry in a long time.

What Systems Are Vulnerable To CryptoLocker?

CryptoLocker targets Microsoft Windows-based operating systems including Windows XP, Vista, Windows 7 and Windows 8. It is highly likely that Microsoft server-based operating systems are vulnerable as well, although the risk should be reduced as web browsing and checking e-mail are typically not conducted from server-based operating systems.

How Are Computer Systems Becoming Infected?

Reports indicate that systems are being infected when users are socially engineered into opening infected e-mail attachments (typically disguised as FedEx or UPS tracking e-mails) and/or visiting malicious websites with a vulnerable web browser.

What Happens When A System Is Infected With CryptoLocker?

Once a system is infected, CryptoLocker searches all attached drives (including network shares) and encrypts all files associated with specific file extensions, in particular those associated with office automation software, such as .doc, .pdf, .xls, etc. These files are encrypted utilizing a 2048-bit RSA encryption key pair with the public key being sent to the infected machine. A message window then pops up on the infected machine with a timer demanding a ransom be paid within 72 hours or the corresponding private key will be destroyed and the files lost for good.

Given that the software will encrypt files found on network shares, a single infected workstation can cause files located throughout a company to become encrypted and unusable.
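Because one workstation can rewrite documents across many shares, a file server's write-audit trail is a useful place to watch for this behaviour. The following is an added example, not part of the original advisory: a sliding-window check that flags any account and workstation pair rewriting many distinct documents in a short time. The log format, account and host names, window and threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

TARGET_EXTS = (".doc", ".pdf", ".xls")  # extensions named in the advisory
WINDOW = timedelta(seconds=60)          # assumed sliding window
THRESHOLD = 5                           # assumed: distinct files per window

def share_of(path):
    """Return the server and share of a UNC path, else the drive prefix."""
    parts = path.split("\\")
    if path.startswith("\\\\") and len(parts) > 4:
        return "\\".join(parts[:4])
    return path[:2]

def detect_mass_writes(lines):
    """Flag each (account, workstation) that rewrites many documents quickly.

    Expects time-ordered 'timestamp,account,host,operation,path' records.
    """
    recent = defaultdict(deque)  # (account, host) -> recent (time, path) writes
    alerts = {}
    for line in filter(str.strip, lines):
        ts, account, host, op, path = line.strip().split(",", 4)
        if op.upper() != "WRITE" or not path.lower().endswith(TARGET_EXTS):
            continue
        when, key = datetime.fromisoformat(ts), (account, host)
        queue = recent[key]
        queue.append((when, path))
        while when - queue[0][0] > WINDOW:  # expire writes outside the window
            queue.popleft()
        files = {p for _, p in queue}
        if len(files) >= THRESHOLD and key not in alerts:
            alerts[key] = {"first_write": queue[0][0], "files": len(files),
                           "shares": sorted({share_of(p) for p in files})}
    return alerts

def sample_log():
    """Constructed records: one workstation rewriting shares, one normal user."""
    start, rows = datetime(2013, 11, 4, 9, 0, 0), []
    for i in range(8):  # 8 documents on two shares within 16 seconds
        ts = (start + timedelta(seconds=2 * i)).isoformat()
        share = "finance" if i % 2 else "hr"
        rows.append(f"{ts},asmith,WS-014,WRITE,\\\\FS01\\{share}\\file{i}.xls")
    for i in range(3):  # the same file saved three times over ten minutes
        ts = (start + timedelta(minutes=5 * i)).isoformat()
        rows.append(f"{ts},bjones,WS-020,WRITE,\\\\FS01\\sales\\plan.doc")
    return sorted(rows)

if __name__ == "__main__":
    for (account, host), alert in detect_mass_writes(sample_log()).items():
        print(account, host, alert["files"], alert["shares"])
```

An alert names the workstation to isolate and the shares it touched, which are the ones to check against backups first.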

If I Become Infected Will My Files Be Decrypted If I Pay The Ransom?

Initially, the ransom request was $300US; however, variants of this malware are now requesting upwards of $3500US. Reports indicate that ransom payments have been honored in some cases but not in others, so paying the ransom is not a guarantee that the decryption key will be provided.

How Do I Protect My Company and Myself?

Although there are no 100% guaranteed methods of preventing your organization from being infected by CryptoLocker or its variants, you can greatly reduce your risk by following the recommendations below:

• Ensure you are security aware and do not open e-mail attachments from unknown sources and/or attachments from known sources you are not expecting.

• Do not click links in e-mail messages.

• Users should also exercise caution in the websites they visit as a system can be infected simply by visiting a malicious website.


© Copyright Awesome Computing