How to use CryptoLocker

What is CryptoLocker?

CryptoLocker is by now a well known piece of malware that can be especially damaging for any data-driven organization. Once the code has been executed, it encrypts files on desktops and network shares and “holds them for ransom”, prompting any user that tries to open the file to pay a fee to decrypt them. For this reason, CryptoLocker and its variants have come to be known as “ransomware.”

Malware like CryptoLocker can enter a protected network through many vectors, including email, file sharing sites, and downloads. New variants have successfully eluded anti-virus and firewall technologies, and it’s reasonable to expect that more will continue to emerge that are able to bypass preventative measures. In addition to limiting the scope of what an infected host can corrupt through buttressing access controls, detective and corrective controls are recommended as a next line of defense.

Cryptolocker can enter through

FYI, this article is CryptoLocker specific. If you’re interested in reading about ransomware in general, we’ve written A Complete Guide To Ransomware that is very in-depth.

What Does CryptoLocker Do?

On execution, CryptoLocker begins to scan mapped network drives that the host is connected to for folders and documents (see affected file-types), and renames and encrypts those that it has permission to modify, as determined by the credentials of the user who executes the code.

CryptoLocker uses an RSA 2048-bit key to encrypt the files, and renames the files by appending an extension, such as, .encrypted or .cryptolocker or .[7 random characters], depending on the variant. Finally, the malware creates a file in each affected directory linking to a web page with decryption instructions that require the user to make a payment (e.g. via bitcoin). Instruction file names are typically DECRYPT_INSTRUCTION.txt or DECRYPT_INSTRUCTIONS.html.

As new variants are uncovered, information will be added to the Varonis Connect discussion on Ransomware.  For example, a variant known as “CTB-Locker” creates a single file in the directory where it first begins to encrypt files, named, !Decrypt-All-Files-[RANDOM 7 chars].TXT or !Decrypt-All-Files-[RANDOM 7 chars].BMP.

How to Prevent CryptoLocker

The more files a user account has access to, the more damage malware can inflict. Restricting access is therefore a prudent course of action, as it will limit the scope of what can be encrypted. In addition to offering a line of defense for malware, it will mitigate potential exposure to other attacks from both internal and external actors.

While getting to a least privilege model is not a quick fix, it’s possible to reduce exposure quickly by removing unnecessary global access groups from access control lists. Groups like “Everyone,” “Authenticated Users,” and “Domain Users,” when used on data containers (like folders and SharePoint sites) can expose entire hierarchies to all users in a company. In addition to being easy targets for theft or misuse, these exposed data sets are very likely to be damaged in a malware attack. On file servers, these folders are known as “open shares,” if both file system and sharing permissions are accessible via a global access group.

Although it’s easiest to use technologies designed to find and eliminate global access groups, it is possible to spot open shares by creating a user with no group memberships, and using that account’s credentials to “scan” the file sharing environment. For example, even basic net commands from a windows cmd shell can be used to enumerate and test shares for accessibility:

    • net view (enumerates nearby hosts)
    • net view \\host (enumerates shares)
    • net use X: \\host\share (maps a drive to the share)
    • dir /s (enumerates all the files readable by the user under the share)

These commands can be easily combined in a batch script to identify widely accessible folders and files. Remediating these without automation, unfortunately, can be a time-consuming and risky endeavor, as it’s easy to affect normal business activity if you’re not careful. If you uncover a large amount of accessible folders, consider an automated solution. Automated solutions can also help you go farther than eliminating global access, making it possible to achieve a true least-privilege model and eliminate manual, ineffective access-control management at the same time.


Update September 2018: Ransomware attacks have decreased significantly since their peak in 2017. CryptoLocker and it’s variants are no longer in wide distribution, and new ransomware has taken over. Ransomware has evolved as more of a targeted attack instead of the previous wide distribution model, and is still a threat to businesses and government entities.


 

Comments

Post a Comment

Popular posts from this blog

How to make tea

Image
  It is one of the most popular hot beverages in world and especially in India. A cup of milk tea (chai) in morning gives refreshing feel and put you on track of long hard day. It can be prepared with milk or milk powder and various types of plain or flavored tea powders. This recipe prepares Indian tea using milk, sugar, tea powder and water. Preparation Time:  2 minutes Cooking Time:  10 minutes Serves:  2 servings (2 cups) Print Recipe Cooking Measurements Ingredients: 1 cup (250 ml) Milk 2 teaspoons Tea Powder 1/4 cup (approx. 60 ml) Water 3 teaspoons Sugar Directions: Boil water in a saucepan. Add sugar and tea powder in it and boil it for 3-4 minutes on medium flame. Add milk and boil it over medium flame for 6-7 minutes or until bubble starts to rise. You will see the change in color of the tea from milky shade to brown shade when it is ready. Turn off the gas and strain tea in cups.
Read more

Latest business idea

Image
  These great business ideas offer opportunities for entrepreneurs who are looking to start something new, whether you’ve run a business before or are looking to launch your first company. Many of the best small business ideas involve an online business model. Choose a business idea that you are knowledgeable and passionate about, and develop a detailed business plan. Before starting a business, determine if there is a demand for the product or service you want to provide. This article is for anyone looking for inspiration to start a business. If you are  thinking about starting a business , you should be considering whether your idea fills a need in the way people live their lives and approach their work. If you can identify an unmet need and a target market, then you might just have a business idea with legs. But how can you come up with a good idea in the first place? This list of business ideas includes 26 great types of business to help you find success.  great small business idea
Read more