    Oct 29, 11:50 pm (UTC-7)

    Over the past few weeks, we have seen an increase in the number of CryptoLocker infections. This new kind of ransomware has been hitting more and more users: compared to September, the number of identified cases in October has almost tripled.

    CryptoLocker infections were found across different regions, including North America, Europe, the Middle East and the Asia Pacific. Almost two-thirds of the affected victims (64%) were from the US. Other affected countries include the UK and Canada, with 11% and 6% of global victims, respectively.

    Previously, we discussed how these threats arrive via email. CryptoLocker can be viewed as a refinement of a previously known type of threat, ransomware. Such “improvements” are in line with our 2013 Security Predictions, where we said that cybercriminals would focus on refining existing tools rather than creating entirely new threats.

    What can I do?

    There are different ways an individual or an organization can handle the CryptoLocker threat. Since this threat starts as spam carrying TROJ_UPATRE (a downloader), its success depends on the social engineering lure used in the message and on how users respond to it.

    Let us start with simple (but frequently ignored) safe computing practices for opening emails and file attachments in general:

    • Always check who the email sender is. If the email supposedly comes from a bank, verify with your bank that the message is legitimate. If it is from a personal contact, confirm that they actually sent it. Do not rely solely on trust by virtue of relationship, as your friend or family member may be a victim of spammers as well.
    • Double-check the content of the message. There are obvious factual errors or discrepancies you can spot: a claim from a bank or a friend that they have received something from you? Check your recently sent items to verify their claim. Spammed messages can also use other social engineering lures to persuade users to open the attachment.
    • Refrain from clicking links in email. In general, clicking links in email should be avoided; it is safer to visit any site mentioned in an email directly. If you have to click a link in email, make sure your browser uses web reputation to check the link, or use a free service such as the Trend Micro Site Safety Center.
    • Always ensure your software is up-to-date. Currently there is no known CryptoLocker variant that exploits vulnerabilities to spread, but that cannot be ruled out in the future. Regularly updating installed software provides another layer of defense against many other attacks.
    • Back up important data. Unfortunately, there is no known tool to decrypt the files encrypted by CryptoLocker, so accurate backups are the only reliable way to get them back. Follow the 3-2-1 principle: three copies, on two different media, with one copy in a separate location. Windows has a feature called Volume Shadow Copy that allows you to restore files to their previous state and is enabled by default; treat it as a convenience rather than a backup, since shadow copies live on the same disk and can be deleted by malware running with sufficient privileges. Cloud storage services (such as SafeSync) can also be a useful part of your backup strategy.

    For enterprise customers, review your policies regarding email attachments. It is generally considered bad form to send an executable file by email, and most organizations already have strict attachment blocking policies; if you do not have one right now, this would be a good time to create one.

    Configuring devices for specific purposes is another way to reduce the chances of CryptoLocker infection. For example, if a user only needs Microsoft Word, a system and user account with limited privileges would be adequate. Most enterprises may already take this approach, but it can be strengthened with a whitelist of approved applications, using Windows features such as AppLocker so that an executable the user was not given (including one a downloader has just fetched) cannot run.

    This complements an organization’s overall security strategy. Organizations can also deploy an antimalware solution that not only prevents users from executing malicious files but provides protection before the malware even arrives on the system.

    Our email reputation service is able to block these spammed messages with malicious attachments. Specifically, the True File Type Filtering feature can alert users when an email attachment is potentially malicious, because it identifies the attachment’s actual file type rather than trusting the extension in its file name:

    [Image: True File Type Filtering alert shown by the Trend Micro email solution]
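    To make the idea behind true-file-type filtering concrete, here is a small attachment checker written for this page (it is an added example, not Trend Micro’s implementation of the feature). It judges an attachment by its content first: a file whose bytes carry a DOS/PE executable header is blocked no matter what its name claims, ZIP archives are opened and their members inspected, and an archive that cannot be inspected (corrupt or password-protected) is quarantined rather than passed through. The extension lists, verdict names and sample attachments are assumptions made for the example; the PE stub is a synthetic header with no code, and a production filter would recognize many more formats.

```python
"""Added example: true-file-type inspection of email attachments.

Not Trend Micro's implementation; a minimal illustration of the idea
that a mail filter should judge an attachment by its content, not by
the extension in its file name. Sample attachments are constructed
inline (the PE stub is a synthetic header, not real malware).
"""
import io
import os
import struct
import zipfile

# Extensions an attachment policy would normally block outright (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a lure typically claims ("invoice.pdf", "photo.jpg", ...).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def is_pe_file(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(filename: str, data: bytes) -> tuple:
    """Return (verdict, reason); verdict is 'allow', 'block' or 'quarantine'."""
    ext = os.path.splitext(filename)[1].lower()

    # 1. Content first: a PE header is executable whatever the name says,
    #    so "statement.pdf" with an MZ header is a disguised executable.
    if is_pe_file(data):
        if ext in DOCUMENT_EXTENSIONS:
            return "block", "executable disguised as a %s document" % ext
        return "block", "executable content (PE header)"

    # 2. Archives: executables usually arrive zipped, so look inside.
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member_ext = os.path.splitext(info.filename)[1].lower()
                    # zf.read() raises RuntimeError for password-protected members
                    if member_ext in EXECUTABLE_EXTENSIONS or is_pe_file(zf.read(info)):
                        return "block", "archive contains executable: " + info.filename
        except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
            # Corrupt or encrypted: cannot be inspected, so do not let it through silently.
            return "quarantine", "archive cannot be inspected (corrupt or encrypted)"
        return "allow", "archive with no executable members"

    # 3. Name-based fallback for executable types without a PE header (scripts).
    if ext in EXECUTABLE_EXTENSIONS:
        return "block", "executable extension " + ext
    return "allow", "no executable content found"


def make_fake_pe() -> bytes:
    """Synthetic 'MZ' + 'PE' header stub with no code; enough to trip the check."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\0\0" + b"\0" * 16


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (names and contents are made up for this example).
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%constructed sample, not a real document\n",
    "statement.pdf": make_fake_pe(),                      # executable renamed as a PDF
    "Invoice.pdf.exe": make_fake_pe(),                    # double extension
    "Payment_Details.zip": make_zip({"Payment_Details.pdf.exe": make_fake_pe()}),
    "photos.zip": make_zip({"photo1.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 32}),
    "damaged.zip": b"PK\x03\x04" + b"\0" * 10,            # truncated archive
    "run_me.vbs": b"WScript.Echo \"constructed sample\"",
}


def scan_attachments(samples: dict = None) -> dict:
    """Map each attachment name to its verdict."""
    samples = SAMPLES if samples is None else samples
    return {name: classify(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = classify(name, data)
        print("%-22s %-10s %s" % (name, verdict, reason))
```

    The order of the checks is the point: content before name, archives opened rather than trusted, and failure to inspect treated as a reason to hold the message rather than deliver it. Running the block prints one verdict per constructed sample; the renamed executable and the zipped double-extension file are both blocked even though their names say “pdf”.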

    In addition, our web reputation service can block access to the related URLs. The combination of an antimalware solution and a solid list of applications allowed to run reduces the attack surface of a desktop.

    Conclusion

    While not bringing anything new to the table, CryptoLocker has taken the scare tactics used before by ransomware and fake antivirus attacks to a new level. Most users nowadays rely on good antimalware software, but user education, regular software updates, and a strict computer usage policy are equally crucial defenses against CryptoLocker and similar threats.

    As cybercriminals refine their malware, computer systems must likewise be hardened to resist these attacks. A holistic approach to malware infections aims not only to reduce the infection rate but to break the infection chain itself, through a defense-in-depth strategy that covers each stage of an attack: the spam message, the downloader it carries, the payload it fetches, and the damage the payload does.

    Trend Micro customers who use OfficeScan (OSCE) and Worry-Free Business Security/Services (WFBS/WFBS-SVC) can follow these best practices to prevent ransomware infection.





    • Will Apted

      I am currently trying to develop a decryption system that will decrypt the files CryptoLocker has encrypted. After infecting 100 virtual computers with CryptoLocker you can get a good idea of how the encryption works. It has one main encryption key and then another that it gets from a server; the only way to decrypt the files is to know both keys. [This is a very basic description]

      Well, this is where key generators come in handy, because you can use them to try loads of keys in a decryption system; once the correct key is found it can decrypt the files.

      I am using C++ to develop the decryption system. So far it seems I can get it to get the main encryption key, but the other key [received from a server] seems to be tricky to get. The only way I can get the second key is to use a random key generator, but that could mean it would take over a month just to get the keys, let alone decrypt it…

      I have explained this in a VERY basic way that is *easy* to understand.

      There is one more problem, changing encryption systems….

      anyway, enough typing…

      • eddy

        Does Client/Server Security Agent detect and Block Cryptolocker?

    • guest

      Unfortunately the Worry-Free Business suite did not protect our computers…
      One machine was infected and we lost all our files.
      Even when we scanned the infected attachment the WF agent kept silent.

    • Jim

      The important question: Does OfficeScan detect and stop Cryptolocker before it starts encrypting files?

      • TrendLabs

        Hi Jim,

        Yes, it does.

        • antonio Leyva

          No, it does not. I have a machine with this threat and I think I will lose all my data.

        • Antonio Leyva

          The machine became infected this past weekend. Will you have some solution or a way to prevent a new infection? I have 46 hours left on the countdown.



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice