Tech: Safeguarding Your Computer Against Cyberattacks

Written by Stu Sjouwerman, as originally published in The Reverse Review.

Cybercrime has gone pro, but many industry folks have not realized their companies could be seriously damaged by this. By now, you may have heard of ransomware. This is malicious software that takes your data hostage, encrypting it so you can’t use it, then forcing you to pay a fee to get it back.

Since late 2013, a new wave of cybercrime, called CryptoLocker, has taken off. The cybercriminals trick users into opening an attachment, which encrypts all their PC and network files. The only way to get the files back is to pay a ransom, typically around $300. The ransom fees require payment in Internet currency like Bitcoin, as these transactions are untraceable.

In the last quarter of 2013, more than 250,000 computers were infected with CryptoLocker, realizing $30 million in revenue. And
it’s getting worse. In February 2014, the University of Kent reported 41 percent of those infected pay the ransom.

The Fast Way to Get Your Files Back Is to Pay the Ransom
A law firm in North Carolina was infected when an employee fell for the CryptoLocker social engineering attack disguised as an email from AT&T with a malicious attachment that was mistaken for a voicemail message from their phone answering service. Their IT tried to disinfect the machine, but that made things even worse by preventing decryption. They then tried to pay the ransom, but it was too late because they had tampered with the malware.

“I’ve Lost Eight Years’ Worth of Work”
CryptoLocker attacks are very successful and the culprits do not discriminate when selecting their targets. (Even the town hall of Greenland, New Hampshire, was recently subjected to an attack. Town Administrator Karen Anderson said, “The results have left us with documents that are no longer readable; I’ve lost eight years’ worth of my work.”) A local police department in Swansea, Massachusetts, was forced to pay two bitcoins (current value totaling more than $1,000) to buy back sensitive files that were encrypted.

Your Antivirus Is Not Going to Help
Malware researchers from almost all antivirus companies are furiously working on a way to prevent this from occurring, and some are able to block it from running, but these bad guys are very sophisticated. They change their malicious code all the time, and your antivirus might catch it today but not tomorrow. Antivirus companies are not able to decrypt the files; only the CryptoLocker malware can successfully complete the decryption.

How does this malware get installed on a workstation? Users are tricked into opening an infected email attachment. The bad guys are pulling out all the stops, using a variety of social engineering tactics to convince unsuspecting victims. Most recently, they’ve used tracking information from DHL, UPS, FedEx and USPS to encourage users to click, but there are many phishing attacks that include information designed to look as if it originated from a bank or government agency.

What Happens When a User Opens the Infected Attachment?
- They are presented with a CryptoLocker splash screen.
- It will encrypt files on the network where the user has modify permissions.
- They are asked to pay ransom of $300 or more via GreenDot, MoneyPaks, Bitcoin, CashU, paysafecard or Ukash.
- CryptoLocker will set a timer to decrypt the files if the user decides to pay the ransom.
- If the timer expires, the software uninstalls itself and the data is lost.
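
Because the malware can only encrypt network files the logged-in user is allowed to modify, it helps to know how much of a share each account can actually overwrite. The script below is an example added here, not part of the original article: it walks a share and totals the modifiable files per top-level folder. The function names are hypothetical, and the default check assumes the share is mounted on a POSIX host (on Windows, os.access does not evaluate NTFS permissions).

```python
import os
import sys
from collections import defaultdict


def can_modify(path):
    """True if the current account may overwrite `path` (POSIX permission check)."""
    return os.access(path, os.W_OK)


def modify_exposure(share_root, writable=can_modify):
    """Summarise, per top-level folder, the files this account could overwrite.

    Returns {folder: (file_count, total_bytes)}; files directly in the
    share root are grouped under ".".
    """
    exposure = defaultdict(lambda: [0, 0])
    for dirpath, _dirnames, filenames in os.walk(share_root):
        top = os.path.relpath(dirpath, share_root).split(os.sep)[0]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not writable(path):
                continue  # symlinks and read-only files are not counted
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # file vanished or cannot be read; skip it
            exposure[top][0] += 1
            exposure[top][1] += size
    return {folder: tuple(totals) for folder, totals in exposure.items()}


def report(share_root):
    """Folders sorted by modifiable bytes, largest exposure first."""
    rows = sorted(modify_exposure(share_root).items(), key=lambda kv: -kv[1][1])
    return [f"{folder}: {count} files, {size} bytes modifiable"
            for folder, (count, size) in rows]


if __name__ == "__main__":
    for line in report(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(line)
```

Run it as the account you want to assess; folders that account never needs to change are candidates for read-only access.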

How to Prevent This From Happening
Two things: First, make sure you always have a recent backup. If a machine is infected, wipe and rebuild it, then restore the files from that backup. This typically requires an average of three hours of administrative work.

Second, put all employees through mandatory security awareness training. This educates them about the devastating effects of opening an infected attachment. Train employees so they know enough to stay away from suspicious attachments.
