You Want to Use Your Own Information, Pay Up!
Posted by David Levine, Guest Blogger
As Vice President, Technology Information Security, I take protecting information personally. Perhaps that is why I find the re-emergence of a breed of ransomware particularly nasty.
Though ransomware has been around for some time, this new strain of malware, CryptoLocker, adds some twists. CryptoLocker targets specific document file extensions, such as presentations, spreadsheets and word-processing documents (.ppt, .xls, .doc). It looks for those documents on your system, shared network drives, external hard drives, and network file shares. The malware then encrypts your files, and the files on any share you are connected to, using an asymmetric encryption key pair, and connects to the attackers’ command-and-control (C2) server to deposit the private key needed for decryption out of your reach.
At this point you are locked out of your files. A flashing red warning, complete with a countdown clock, gives you a deadline to pay for the encryption key to regain access to your documents.
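Seen from the file server, the behaviour described above is one account modifying many .ppt, .xls and .doc files on a share within seconds. The following is an added example, not code from this post, of a simple burst detector over constructed audit events; the event format, the 60-second window and the threshold of five files are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions the post names as CryptoLocker's targets.
TARGET_EXTENSIONS = {".ppt", ".xls", ".doc"}
# Tuning values are assumptions for this example, not figures from the post.
WINDOW = timedelta(seconds=60)
THRESHOLD = 5

# Constructed file-server audit events (not real logs): "timestamp account action path".
SAMPLE_EVENTS = [
    r"2013-11-04T09:00:01 jsmith MODIFY \\fs01\finance\q3_forecast.xls",
    r"2013-11-04T09:00:02 jsmith MODIFY \\fs01\finance\board_deck.ppt",
    r"2013-11-04T09:00:02 jsmith MODIFY \\fs01\finance\vendors.doc",
    r"2013-11-04T09:00:03 jsmith MODIFY \\fs01\finance\budget.xls",
    r"2013-11-04T09:00:04 jsmith MODIFY \\fs01\finance\notes.doc",
    r"2013-11-04T09:00:05 jsmith MODIFY \\fs01\finance\contract.doc",
    r"2013-11-04T09:15:00 akhan MODIFY \\fs01\hr\policy.doc",
    r"2013-11-04T10:02:30 akhan MODIFY \\fs01\hr\roster.xls",
    r"2013-11-04T10:02:31 akhan MODIFY \\fs01\hr\logo.png",
]

def parse_event(line):
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path

def extension(path):
    # UNC paths use backslashes, which os.path ignores on POSIX, so split by hand.
    name = path.rsplit("\\", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""

def find_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {account: time of first alert} for accounts that modified at least
    `threshold` targeted documents within any `window`-long span.
    Events are assumed to arrive in time order."""
    recent = defaultdict(deque)   # per-account timestamps still inside the window
    alerts = {}
    for line in lines:
        ts, user, action, path = parse_event(line)
        if action != "MODIFY" or extension(path) not in TARGET_EXTENSIONS:
            continue
        times = recent[user]
        times.append(ts)
        while ts - times[0] > window:   # drop events that fell out of the window
            times.popleft()
        if len(times) >= threshold and user not in alerts:
            alerts[user] = ts
    return alerts
```

In the constructed sample only jsmith trips the detector, at 09:00:04; akhan's two spreadsheet edits are more than a window apart and the .png edit is ignored.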
Malware continues to grow more sophisticated, and another “innovation” of CryptoLocker is that the ransom is payable in MoneyPak or Bitcoin. This makes it easier to pay, and helps ensure that ransom payments can’t be traced. The attackers even provide a drop-down menu to make it more ‘convenient’ for you! (The ransom amount can vary anywhere from $100 to $2,000 today.)
This malware targets a critical piece of what today’s workers need to do their jobs: the timely information they keep near at hand. In a very real sense it targets the working notes of today’s knowledge worker. By making it easy to pay (untraceably), the attackers clearly hope more victims will simply pay the ransom; note that in almost all cases they do in fact send you the key to decrypt your data. If you opt not to pay, your only recourse is to re-image your machine and restore data from backup.
Unfortunately there is no fool-proof protection against this type of attack. Infection typically occurs through phishing emails designed to look like legitimate business communications (such as phony FedEx and UPS tracking notices) that contain malicious attachments. When the user opens the attachment, they can become infected.
As I pointed out in an earlier blog post on zombie attacks, basic “blocking and tackling” security measures, which you should be taking anyway, will help reduce the risk:
If there is any silver lining here it might be that the threat of being held ransom for your own information can be used as a teachable moment.
This is an opportunity to make everyone aware of more secure behavior while working online. Educating users to use caution before opening email attachments, and not to follow unsolicited web links received in email, will go a long way toward strengthening your enterprise security posture well beyond this latest attempt at extortion.