CryptoLocker is a type of malware that encrypts all files, archives, documents, or computer equipment until they are unlocked by the "cybercriminal".
CryptoLocker is at the moment a well-known piece of malware that can be especially damaging to any data-driven organization. The moment the code has run, it encrypts files on desktops and network shares and "hijacks them for ransom." If any user tries to open the file, they will be asked to pay a fee, a ransom, to decrypt them. For this reason, CryptoLocker and its variations have come to be known as “ransomware.
Malware such as CryptoLocker can enter a protected network by means of many vectors, including e-mail, file-sharing, and download sites, websites, etc.
A CryptoLocker can severely affect a company, its image, its website, leaving it useless, and even affecting search engine visibility.
Aside from limiting the scope of what an infected host can corrupt by retaining access controls, detection and protection controls are advised as the first line of defense.
What Does CryptoLocker Do?
At a run, CryptoLocker begins to examine the mapped network drives that the host is connected to folders and documents, renames, and encrypts the ones it has permission to alter, determined by the credentials of the user running the code.
CryptoLocker, in many cases, uses a 2048-bit RSA key to encrypt the files and changes the name of the files by adding an extension such as “.encrypted”, “.CryptoLocker” or a combination of 7 random characters, depending on the variation.
Finally, the malware creates a file in each damaged directory that links to a page with decryption instructions, which requires a duck from the victim (on numerous occasions through bitcoin).
The names of the instruction file are usually DECRYPT_INSTRUCTION.txt or DECRYPT_INSTRUCTIONS.html.
How to Prevent CryptoLocker?
The more files a user account has access to, the more damage malware can do, therefore limiting access is a prudent action, as it will limit the scope of what can be encrypted. Since reaching a least-privilege model is not a quick fix, it is possible to reduce exposure quickly by removing superfluous global access sets from access control lists.
Sets such as "Everyone," "Authenticated Users," and "Domain Users," when used in data containers (such as SharePoint sites and folders) can expose entire hierarchies to each and every user in a company.
Apart from being targets of attack, this exposed data set is very prone to be damaged in the malware attack.
On file servers, these folders are known as "open shares", both the file system and the share permissions are reachable through a global access set.
How to Detect a CryptoLocker?
If file access activity is being inspected on impaired file servers, these behaviors produce a high number of open, modify, and create events at a very rapid rate and are quite simple to perceive with automation, giving a valuable inspection control. To serve as an example, if a single user account alters 100 files in a minute, something automated is sure to happen.
Setting up a monitoring solution to cause an alarm when this behavior is observed can be a valuable tip: IDS, IPS, or Next-Generation Firewall.
Depending on the severity of the CryptoLocker, the encryption can be reversible with a real-time disassembler, few cases, or irreversible.
Security Tips Like Prevention of CryptoLocker or Ransomware
- Update antivirus software and protection software. These solutions can help detect some types of ransomware and prevent it from encrypting files.
- Be very vigilant about phishing scams, phishing emails, which are the most common delivery mechanism for ransomware.
- Keep backup copies of all important documents (it is faster and easier to recover documents from a backup than to decrypt them if they have been compromised in a ransomware attack).
- Commit to a zero-trust / least privilege model. The least privilege model limits access only to what is completely accurate.
- Monitor file activity and user behavior to warn, alert and respond to potential ransomware activity.
- And most importantly, implement cybersecurity tools that allow you to be somewhat more secure.
No comments:
Post a Comment