Virus Alert: CryptoLocker + How To Protect Yourself

Welcome to the first installment of the new SisAdmin blog! Keep an eye on this space in the coming months for lots of useful information to help your technology work for you.

The first topic we’d like to bring to your attention is CryptoLocker, one of the most damaging malware families in circulation today, and one that can bring a business to a standstill if it gets onto your network. CryptoLocker and its variants are a type of malware known as ‘ransomware’: it holds your files hostage. These infections are spreading across networks faster with each passing day, and they routinely slip past commercially available antivirus and antimalware products. The reason is that the damage they do (opening files and writing them back encrypted, including files on shared network drives) looks to most security software like ordinary, legitimate application activity. We have resolved several CryptoLocker infections, and while we’ve been able to recover the client’s data each time, every infection has caused downtime, lost productivity and lost income for the client’s company.

CryptoLocker works by encrypting the files in every folder it can reach through the drive letters on the infected machine: local drives (usually C: or D:) as well as mapped network drives (U:, S: or whatever letters your server shares use). The criminals behind it then demand a ransom for the decryption key needed to get those files back. While it’s possible to pay the ransom, we don’t recommend it. These are not ethical business people: you don’t want them to have your payment details, and there’s no guarantee that they will hand over the key after you’ve paid.

Because the infection isn’t limited to personal files stored locally on a desktop, but reaches every server folder the logged-in user can write to through a mapped drive, a single infected workstation can encrypt an entire company’s file structure. Note that the server itself is not infected in this scenario; the files are being rewritten through the user’s own permissions. That is also why limiting each user’s write access to the folders they actually need limits how much one infection can destroy.
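For the engineer responding to an incident, the first questions are when the encryption started (so the right backup can be chosen), which folders were hit, and which account did the writing. The following PowerShell script is an added example for this post, not a SisAdmin tool; the share path, look-back window and ransom-note name pattern in it are assumptions to be changed for the environment in question.

```powershell
# Added example, not part of the original post: first-hour triage of a file
# share after a CryptoLocker-style incident. The share path, look-back window
# and ransom-note name pattern are assumptions; change them for your site.
# Run it on the file server or from a workstation that is NOT the suspect.
param(
    [string]$SharePath   = '\\FILESERVER\Company',           # assumed share path
    [int]   $Hours       = 48,                               # assumed look-back window
    [string]$NotePattern = 'DECRYPT|HOW_TO_RESTORE|RECOVER'  # assumed note-file names
)

$since  = (Get-Date).AddHours(-$Hours)
$recent = Get-ChildItem -LiteralPath $SharePath -Recurse -File -Force -ErrorAction SilentlyContinue |
          Where-Object { $_.LastWriteTime -ge $since }

if (-not $recent) {
    Write-Output "No files written since $since under $SharePath"
    return
}

# 1. Timeline. A ransomware run shows up as thousands of writes packed into a
#    few hours. The first write of that burst is the point your restore must
#    predate, so pick the newest backup taken before it.
Write-Output "Files written per hour:"
$recent | Group-Object { $_.LastWriteTime.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name | Select-Object Name, Count | Format-Table -AutoSize
$first = ($recent | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
Write-Output "Earliest write in window: $first (restore from a backup older than this)"

# 2. Spread. The top-level folders touched under the share show which
#    departments are affected and roughly what the infected account could
#    write to.
Write-Output "Modified files per top-level folder:"
$root = $SharePath.TrimEnd('\')
$recent | Group-Object { $_.FullName.Substring($root.Length).TrimStart('\').Split('\')[0] } |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# 3. Source. Files overwritten in place keep their original owner, but files
#    *created* in the window (ransom notes, renamed copies) are owned by the
#    account that wrote them, i.e. the infected user. Get-Acl over a large
#    share is slow, so only newly created files are checked.
$created = $recent | Where-Object { $_.CreationTime -ge $since }
Write-Output "Owners of files created in window:"
$created | ForEach-Object {
        try { (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner } catch { 'UNKNOWN' }
    } | Group-Object | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 4. Ransom notes, where the variant drops them, mark the folders it reached.
$notes = $recent | Where-Object { $_.Name -match $NotePattern }
if ($notes) {
    Write-Output "Possible ransom notes:"
    $notes | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
}
```

The owner check is deliberately limited to newly created files: an in-place overwrite does not change NTFS ownership, so grouping every modified file by owner would point at the people who originally saved the documents, not at the infected account. If the infection is still running, disconnect the suspect workstation first; the script only reads.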

CryptoLocker and its variants are most often spread through waves of millions of emails sent by internet criminals to company email addresses, pretending to be legitimate delivery or tracking notices from major companies such as FedEx, UPS, etc. These emails carry a zip attachment containing an executable, and opening it infects the computer. Infections can also result from downloading an application that appears to be legitimate, or from other means of gaining unauthorized access to a computer.

Tried-and-true email security habits go a long way toward protecting you from these infections: never open an attachment you weren’t expecting, even if the sender appears to be a company you know, and if a message claims to be about a shipment, check the status on the carrier’s own website rather than opening what was sent to you.

But what else can you do to protect yourself from CryptoLocker and its variants? Three things: back up your data, update your antivirus software, and retire all your Windows XP computers.

1. Back up your data

Antivirus products cannot currently be relied on to block CryptoLocker, because the encryption itself is nothing more than ordinary file reads and writes, the same operations every legitimate application performs. The only way to make that activity impossible is to disable the file-sharing functions of Windows altogether, which isn’t an appealing solution. The only dependable way to recover from a CryptoLocker infection is to restore the affected files from backup. Two things follow: you need consistent, up-to-date backups available at all times, and those backups must not be reachable as a writable drive letter from users’ workstations, or the infection will encrypt the backup along with everything else.

If you are a SisAdmin Safeguard or Observational client, SisAdmin monitors your backups for you, but it’s still worth checking with your engineer to confirm that the backup platform you’re currently using meets your needs. Pay particular attention to retention. If you are only backing up once a day (or only keeping one day’s worth of backups) and CryptoLocker is discovered more than 24 hours after the infection began, the only backup you have will already contain encrypted files, and you stand to lose critical business data, potentially all of it. Keeping several days or more of restore points means you can go back to the last copy taken before the encryption started.

It’s also a good idea to schedule some time with your engineer to perform a test restore of your environment. That way you know exactly what will happen in the event of an infection like CryptoLocker, how long a full restore actually takes, and you have the peace of mind of knowing your downtime will be minimal.

2. Update your antivirus/antimalware software

While there is no foolproof way to prevent CryptoLocker infection, up-to-date antivirus and antimalware software can help identify the source of an infection and catch the next one, usually before the encryption spreads too far. Keep in mind that detection depends on the vendor having already seen the particular variant, so a brand-new one may still get through. SisAdmin recommends VIPRE Business and Malwarebytes as solid antivirus/antimalware products, but there are many reputable alternatives if your specific network calls for something else. Check with your engineer or the SisAdmin Service Desk to determine your level of protection and how it can be improved; we’re always happy to help.

3. Retire Windows XP

Ah, Windows XP—it’s like an old friend, and one we’re all sorry to see go. However, since Microsoft ended support and security updates for XP in April of 2014, it is no longer being updated as new vulnerabilities are discovered. This means that having Windows XP systems still in production and connected to your network is like putting out a sign saying “Please, hack me! Hack me now and encrypt all my data!”

Replacing your Windows XP computers is critical to network security today, including removing a potential vector for CryptoLocker to infect your files. If you have XP machines on your network, speak with your SisAdmin engineer or the Service Desk about the best way to replace them with Windows 7 or Windows 8 desktops.
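Knowing whether you still have XP on the network is the first step. The PowerShell script below is an added example for this post, not a SisAdmin tool; it lists domain-joined computers that report Windows XP, plus those that report no operating system at all and therefore need a manual look. It assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read computer objects; the 90-day activity cutoff and the CSV path are assumptions too.

```powershell
# Added example, not part of the original post: inventory of domain-joined
# computers still running Windows XP, plus those with no OS recorded in AD.
# Requires the ActiveDirectory module (RSAT) and read access to computer
# objects. The 90-day cutoff and the CSV path are assumptions.
Import-Module ActiveDirectory

$props  = 'OperatingSystem', 'OperatingSystemServicePack', 'LastLogonDate', 'IPv4Address'
$cutoff = (Get-Date).AddDays(-90)   # assumed: seen in last 90 days means still in use

# Machines reporting any XP edition (Professional, Home, Embedded...).
$xp = Get-ADComputer -Filter 'OperatingSystem -like "Windows XP*"' -Properties $props

# Enabled machines with no OS attribute at all: usually pre-staged objects or
# boxes that never finished joining, but an XP machine can hide here too.
$unknown = Get-ADComputer -Filter 'OperatingSystem -notlike "*"' -Properties $props |
           Where-Object { $_.Enabled }

$report = @($xp) + @($unknown) | ForEach-Object {
    [pscustomobject]@{
        Name      = $_.Name
        OS        = if ($_.OperatingSystem) {
                        "$($_.OperatingSystem) $($_.OperatingSystemServicePack)".Trim()
                    } else { '(not reported)' }
        LastLogon = $_.LastLogonDate
        IPv4      = $_.IPv4Address
        # LIVE machines must be replaced; stale records are probably
        # decommissioned hardware whose AD objects should be cleaned up.
        Status    = if ($_.LastLogonDate -ge $cutoff) { 'LIVE' } else { 'stale' }
    }
}

$report | Sort-Object Status, Name | Format-Table -AutoSize
Write-Output ("{0} XP machine(s), {1} with unknown OS, {2} seen in the last 90 days" -f
    @($xp).Count, @($unknown).Count, @($report | Where-Object Status -eq 'LIVE').Count)

# Keep a copy for the replacement project (assumed path).
$report | Export-Csv -Path 'C:\Temp\xp-inventory.csv' -NoTypeInformation
```

LastLogonDate is replicated only every couple of weeks by default, so treat the LIVE/stale split as a starting point rather than proof; a machine marked stale that still answers on the network is still an XP machine that needs to go.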

That’s it for our first post! As always, if you have any questions about CryptoLocker or any other network issue, please give the SisAdmin Service Desk a call at (425) 482-1919.