Ransomware (CryptoLocker)

CryptoLocker

Examples of extortionate ransomware became prominent in May 2005. By mid-2006, Trojans such as Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive had begun using more sophisticated encryption schemes with ever-increasing key sizes. Gpcode.AG, detected in June 2006, encrypted victims' files with a 660-bit RSA public key. In June 2008, a variant known as Gpcode.AK was detected; it used a 1024-bit RSA key, believed large enough to be computationally infeasible to break without a concerted distributed effort.

Encrypting ransomware returned to prominence in late 2013 with the propagation of CryptoLocker, which used the Bitcoin digital currency platform to collect ransom money. In December 2013, ZDNet estimated, based on Bitcoin transaction information, that between 15 October and 18 December the operators of CryptoLocker had procured about US$27 million from infected users. The CryptoLocker technique was widely copied in the months that followed, including by CryptoLocker 2.0 (which, despite the name, is unrelated to the original CryptoLocker), by CryptoDefense (which initially contained a major design flaw: because it used Windows' built-in encryption APIs, the private key was stored on the infected system in a location the user could retrieve it from), and by a Trojan discovered in August 2014 that specifically targeted network-attached storage devices produced by Synology. In January 2015, it was reported that ransomware-style attacks had occurred against individual websites via hacking, and through ransomware designed to target Linux-based web servers.

Is there a way to get protected?

Once a user’s files are encrypted this way, it is next to impossible to decrypt them without access to the private key that is stored on the remote servers in use by the malware authors. There are currently no tools that are capable of decrypting these files without the private key.

However, as long as Webroot SecureAnywhere is installed prior to infection, all encrypting ransomware should be detected and removed before it is allowed to make any changes on the computer. Webroot's Threat Research team has many rules in place to detect the known variants of CryptoLocker at or before execution, but it is important to remember that malware is constantly changing, and these rules may not initially detect every new variant.

To counteract this, Webroot SecureAnywhere uses behaviour recognition technologies that allow programs to execute in a safe 'sandbox' while watching for behaviours typical of malware, such as editing registry keys, accessing email distribution lists, or attempting to disable anti-malware packages. Those patterns are captured and compared against a large database of threat behaviours that is updated continuously.

An extra element of Webroot SecureAnywhere is long-term behaviour analysis combined with journaling and rollback. With this approach, programs are allowed to execute, but their modifications to files, registry keys, memory locations and other entities are journaled. This allows the software to build a 'before' and 'after' picture of each change. If behaviour analysis identifies the program as malicious, the program can be deleted and all of the changes it made can be rolled back, returning the endpoint to a known good state.

This approach:

  • Mitigates the effect of malware that cannot be detected by signature-matching or short-term behaviour recognition.
  • Eliminates huge amounts of work cleaning up and re-imaging infected systems, which surveys show can consume as much as one-third of the support staff’s time.
  • Makes it possible to recognize the same threat on other systems, and at other enterprises.
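As an added illustration of the journaling-and-rollback idea described above (example code written for this page, not Webroot's implementation; the ChangeJournal class, the file names and the simulated untrusted program are all constructed):

```python
import shutil
import tempfile
from pathlib import Path

# Constructed illustration (not Webroot's code): keep a 'before' copy of every file a
# monitored program touches, so that all of its changes can be undone on a malicious verdict.
class ChangeJournal:
    def __init__(self):
        self.store = Path(tempfile.mkdtemp(prefix="journal-"))  # holds the 'before' copies
        self.entries = {}  # path -> before-copy, or None if the file did not exist yet

    def record(self, path):
        """Snapshot a file the first time the monitored program touches it."""
        if path in self.entries:
            return
        if path.exists():
            copy = self.store / str(len(self.entries))
            shutil.copy2(path, copy)
            self.entries[path] = copy
        else:
            self.entries[path] = None  # newly created file: rollback deletes it

    def journaled_write(self, path, data):
        """The only write path a monitored program gets: record first, then modify."""
        self.record(path)
        path.write_bytes(data)

    def rollback(self):
        """Verdict 'malicious': return every journaled file to its 'before' state."""
        for path, copy in self.entries.items():
            if copy is None:
                path.unlink(missing_ok=True)
            else:
                shutil.copy2(copy, path)
        self.entries.clear()  # a 'benign' verdict would instead just discard the journal


def demo():
    """Constructed scenario; returns (documents_damaged, documents_restored, note_removed)."""
    work = Path(tempfile.mkdtemp(prefix="docs-"))
    originals = {work / n: f"contents of {n}".encode() for n in ("report.docx", "budget.xlsx")}
    for p, data in originals.items():
        p.write_bytes(data)
    journal = ChangeJournal()
    for p in originals:  # stand-in for an untrusted program overwriting the documents
        journal.journaled_write(p, b"<unreadable>")
    note = work / "HOW_TO_RESTORE.txt"
    journal.journaled_write(note, b"demand")
    damaged = all(p.read_bytes() != d for p, d in originals.items())
    journal.rollback()  # behaviour analysis flagged the program as malicious
    restored = all(p.read_bytes() == d for p, d in originals.items())
    return damaged, restored, not note.exists()
```

The demo shows the three properties the text relies on: the originals are captured before the first modification, a file the program created is removed again, and the endpoint returns to its pre-execution state.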

How do I get this protection?

Lucidity IT have partnered with Webroot to provide these new multi-faceted protection packages to our customers. Contact us today to identify the protection package that suits your business needs, or alternatively, click the links below and sign up for a free trial.


About Lance Knight