Fight Back Against CryptoLocker
October 11, 2017
What is it?
CryptoLocker is a nasty form of malware, also known as ransomware. It usually penetrates networks through convincing-enough phishing emails opened by unsuspecting users. As a sales engineer, I spend a lot of time talking with clients about their IT woes. No joke… I have seen CryptoLocker in 8 out of 10 environments I’ve visited. Some folks have paid the ransom, some have dealt with days of downtime, and others have lost large amounts of irreplaceable data. Something’s gotta give. And yes, ransomware is still alive: Hackers are Holding an LA Hospital’s Computers Hostage.
Since CryptoLocker typically enters a computer network through email, there are a number of ways to stop the malware from a technical perspective. There is also a human component to stopping this nasty malware. Here are my recommendations for fighting back against CryptoLocker.
How to stop it
Determine the “spamminess” of incoming email and ditch or quarantine the bad / questionable stuff. This can be done through on-premises or cloud-based email filtering appliances / services. However, out-of-the-box settings must be tweaked. Inbound email should be checked against SPF and DKIM DNS records. Sender Policy Framework (SPF) validates incoming email as “not-spoofed” by verifying that the IP address that sent the email is actually allowed to send email for the purported email domain. DomainKeys Identified Mail (DKIM) is a system used to ensure both the authenticity and integrity of an email using a DNS TXT record that stores a public key. For a great comparison of SPF vs. DKIM, see this post. When an email fails SPF or DKIM validation, it should either be rejected by your email filter or “docked points” that, when combined with other “bad email behavior,” could land it in a user’s email quarantine instead of their Inbox. My favorite email filtering service is MailProtector CloudFilter.
Have a plan for rapid containment. This can only be done when your endpoint anti-malware software talks to your firewall. Since CryptoLocker payloads (usually infected PDFs, ZIPs, or EXEs) try to contact Command and Control (CnC) servers right away, if this kind of outbound traffic is recognized, the infected device should be cut off from the rest of the LAN immediately. Sophos has a revolutionary solution to tackle the containment issue called the “Security Heartbeat“. Their Endpoint Protection client software can send user and process information to the firewall. If outbound CnC communication is detected on the endpoint, it will tell the firewall about the traffic, who’s logged in, and what process is doing the dirty communication. The firewall can be configured to immediately cut the infected PC off from the rest of the LAN. Without this kind of solution, it could take an IT team hours to determine that CnC traffic is occurring and to find the switch port and PC from which the traffic is emanating, then shut it down. By that time, who knows how much data has been encrypted.
Have a good backup strategy. The backup industry’s rule of thumb is 3-2-1. Three copies of data, two different media, one offsite copy. If you have anything less than this, you are at risk of CryptoLocker permanently destroying valuable data. If you haven’t tested your backups recently, you’re in trouble. Bottom line: Have regular, tested, granular, backups in place. If CryptoLocker makes it past your email and firewall, this will be your last option to save your network. For virtual environments, check out Veeam. For insanely short recovery times, check out Datto.
Implement security awareness training. Even with the best technical controls in place, malware authors keep finding trickier ways of obfuscating their code (Google: XOR encoder, metamorphic malware, and polymorphic malware). When a naughty email makes it past your firewall, it is important that the end user opening the email is trained to spot a phishing email. Online security awareness training through vendors such as Security Innovation can have a huge impact on reducing CryptoLocker. When users are able to spot shady links (gibberish URLs, .ru / .cn domains from a purported American company, etc.) in emails, they are more likely to delete rather than click phony links in email. Blocking or at least quarantining .ZIP and .EXE files on your email filter can help. But, infected and obfuscated PDFs sometimes get through, so let’s not forget the human element to cybersecurity.