Unless you’ve been living under the proverbial rock, you have probably heard of the CryptoLocker variants of malware showing up in email inboxes over the last couple of years. These typically arrive as a ZIP, DOC or RAR attachment to a seductively worded email purporting to come from UPS, various airlines or even your bank.
The email promises valuable information in that attachment, such as a shipping confirmation from Amazon, your tickets from Delta or your Chase Bank statement, all things most users might expect to receive.
"Amazon shipping? Sure, we get those every day. Chase statement? Yep, there’s no way Chase would send me something bad, right?" Wrong!
After you unsuspectingly execute these devilish pieces of code, your computer slows way down as the payload frantically scans your hard drive and any mapped network drives for the following file types:
*.3fr, *.accdb, *.ai, *.arw, *.bay, *.cdr, *.cer, *.cr2, *.crt, *.crw, *.dbf, *.dcr, *.der, *.dng, *.doc, *.docm, *.docx, *.dwg, *.dxf, *.dxg, *.eps, *.erf, img_*.jpg, *.indd, *.jpe, *.jpg, *.kdc, *.mdb, *.mdf, *.mef, *.mrw, *.nef, *.nrw, *.odb, *.odc, *.odm, *.odp, *.ods, *.odt, *.orf, *.p12, *.p7b, *.p7c, *.pdd, *.pdf, *.pef, *.pem, *.pfx, *.ppt, *.pptm, *.pptx, *.psd, *.pst, *.ptx, *.r3d, *.raf, *.raw, *.rtf, *.rw2, *.rwl, *.sr2, *.srf, *.srw, *.wb2, *.wpd, *.wps, *.x3f, *.xlk, *.xls, *.xlsb, *.xlsm, *.xlsx
Once found, these files are encrypted and stay that way unless you either unlock them with a $300 to $1,000 payment to the CryptoLocker operators via a Darknet Tor website, or restore them from last night’s backup.
For companies, this can be devastating. If a user has access to a file on the corporate network and it matches the above file types, it’s encrypted. This could cost the average company thousands of dollars in lost time and files unless the corporation pays up. Is it any wonder that these CryptoLocker writers continue to produce these gems?
What can you do to protect yourself?
It’s actually quite simple. Stop the CryptoLocker attachments prior to arrival in the company. This can be done through various web and email filters that sit outside of the network and monitor packets prior to arrival. There are even free open source software packages that do this extremely well: namely the Untangle firewall.
If you use Microsoft Exchange as your email server, you can block those attachment types with a transport rule on the Exchange server. It’s fairly easy to do.
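Here is what that transport rule looks like in practice. This is an added example, not the post’s own configuration: it assumes Exchange 2013 or later (or Exchange Online), is run from the Exchange Management Shell by an account holding the Transport Rules role, and the extension list is an assumption to adjust for your environment. It blocks the archive types the post names (ZIP, RAR) plus executable content, but deliberately does not block DOC outright, since that would stop most legitimate business mail; Office documents are better left to attachment scanning.

```powershell
# Added example (not from the original post): reject inbound mail carrying risky attachment types.
# Assumes Exchange 2013+ / Exchange Online and the Exchange Management Shell.
# The extensions below are an assumption; 'exe' and 'scr' are common droppers, 'zip' and 'rar' are the
# containers the post describes.

$BlockedExtensions = @('zip', 'rar', 'exe', 'scr')

# Rule 1: match on attachment extension for mail from outside the organization
New-TransportRule -Name 'Block ransomware attachment types' `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords $BlockedExtensions `
    -RejectMessageReasonText 'Attachment type not accepted; please send a link or a PDF instead.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Comments 'Added after CryptoLocker campaigns; consult the security team before changing.'

# Rule 2: executables that were renamed to dodge the extension check are caught by content inspection
New-TransportRule -Name 'Block executable attachment content' `
    -FromScope NotInOrganization `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable content is not accepted.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Verify both rules are enabled and review their priority relative to existing rules
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State
```

Rejecting (rather than silently deleting) means the legitimate sender gets an NDR explaining why their message bounced, which cuts down on helpdesk calls. Check the priority order with the last command: a broader allow-list rule placed earlier will short-circuit these.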
If you’re already infected, you can pay or you can restore. But if you haven’t been infected yet, you should do this one simple thing to ensure you can quickly recover from an infection:
Set up Shadow Copy on servers and workstations.
Windows Shadow Copy (Shadow Copies of Shared Folders) takes scheduled point-in-time snapshots of shared folders on a file server so that users can open previous versions of their files. By default it schedules two snapshots a day, at 7am and 12pm. These are usually sufficient to protect files and reduce the work lost in the event of a CryptoLocker attack.
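To set this up from the command line rather than the volume’s Properties dialog, the following is an added example and not part of the original post. It assumes a Windows Server file server whose shares live on drive D:, run from an elevated PowerShell prompt; the storage cap of 10% is an assumption to size to your data churn. It reproduces the 7am and 12pm schedule the post mentions using the built-in vssadmin and schtasks tools (`vssadmin create shadow` exists only on Server editions; on workstations use System Protection instead).

```powershell
# Added example (not from the original post): enable Shadow Copies of Shared Folders on D: of a file server.
# Assumes Windows Server, an elevated prompt, and that D: is NTFS and holds the shares.

$Volume = 'D:'

# Reserve shadow storage on the same volume; 10% is an assumed cap, raise it if snapshots age out too fast
vssadmin add shadowstorage /for=$Volume /on=$Volume /maxsize=10%

# Schedule weekday snapshots at 07:00 and 12:00, matching the default schedule described in the post
schtasks /Create /TN "ShadowCopy_D_0700" /SC WEEKLY /D MON,TUE,WED,THU,FRI /ST 07:00 /RU SYSTEM /TR "vssadmin create shadow /for=$Volume" /F
schtasks /Create /TN "ShadowCopy_D_1200" /SC WEEKLY /D MON,TUE,WED,THU,FRI /ST 12:00 /RU SYSTEM /TR "vssadmin create shadow /for=$Volume" /F

# Take one snapshot right now so a restore point exists before the first scheduled run
vssadmin create shadow /for=$Volume

# Verify: list the snapshots and the storage they consume
vssadmin list shadows /for=$Volume
vssadmin list shadowstorage /for=$Volume
```

Users then recover an encrypted file through the Previous Versions tab on the file or folder, or an administrator does it for them. One caveat: later ransomware families are known to delete local shadow copies before encrypting, so treat snapshots as a fast first line of recovery and keep an off-host backup as well.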
If you happen to be a Mac user you can breathe a bit easier, as this virus (like most) does not affect Macs.
As always, Algorithm has your back. The network services division can help either before or after a CryptoLocker event – though frankly, we’d prefer it was before.