Malware is subdivided into spyware, trojans, viruses, rootkits, adware and other sub-categories based on how it acts. CryptoLocker is a Trojan – named after the Trojan Rabbit in Monty Python and the Holy Grail (ok, so it is actually named after the Trojan Horse from Greek mythology) – that is, a malicious program that gains access to a computer system by appearing to be a legitimate product (or website) and then drops/delivers its malicious payload. In the case of CryptoLocker, the payload is an extremely well implemented encryption of many types of user data files.
CryptoLocker was released to the public in late 2013 and has so far managed to encrypt the data files of a great many people. Security technology company Bitdefender Labs has revealed that more than 12,000 victims have been claimed in less than a week. That's not insignificant. The cost of the decryption key (well, the private key of the public/private key pair used to encrypt your files) was originally set to US$100 or 300 Euro (or equivalent) and then changed to 2 Bitcoins or the equivalent in MoneyPak payment as many banks and payment processing facilities around the world started blocking payments for CryptoLocker. As the "value" of a Bitcoin has skyrocketed recently, it seems that the authors of CryptoLocker have taken this into consideration and now only charge 0.5 BTC for the decryption key.
Also, originally, once the 72 hour window for payment of the extortion fee had expired, your private key was said to be deleted – therefore rendering your data unrecoverable. The kind folks who wrote CryptoLocker realised that by doing this, considering most people have no idea what Bitcoins or MoneyPak are, they were leaving a lot of money on the table, and have now allowed people who cannot pay the approximately US$300 sum within 72 hours to make a late payment using their CryptoLocker Decryption Service to retrieve their key for around US$1500. Yes, that's 500% of the original cost.
So, assuming you have not yet been hit by this malicious ransomware, what are your best options for avoiding it? The list below offers some pointers for general security recommendations. Feel free to contact us for more information and possibly a site survey to determine your security weaknesses:
- Your regular user account should not have "Administrator" privileges.
- You should be running an appropriately licensed current operating system. If this is Windows, I'd not consider XP to be current – and with the impending demise of extended support on Windows XP SP3 and Vista as of 8 April, 2014, anyone running it after this date is *ASKING* for trouble. I've never considered Vista to be a valid operating system choice.
- Ensure you have all operating system updates (critical and security, at least) installed.
- Ensure you have all 3rd party application updates installed – especially for any Adobe, Java and Apple software.
- You should only be running the latest web browser versions. Make sure these are kept up to date as this is crucial.
- You must be running a current, updated, effective anti-virus/anti-malware product.
- Ensure your passphrase is secure. Don't use your name, your partner's name, your kids' names, your pets' names or your address in any variation at all. Also, have a look at this link, this link and this link and ensure your passphrase is not in the lists.
- Yes, that's right – I said passphrase. So those of you paying attention would realise that "passphrase" is not "password" and that (almost) any passphrase will not be in those lists. Simple passphrases derived from simple words such as "Who let the dogs out" or "The cat sat on the mat" are not going to be all that different from simple passwords when it comes to brute force attacks. However, passphrases such as "Friday 2.00pm janitorial;" or "marryGold truthbe foretolD" are pretty easy to remember and type (important) yet are extremely unlikely to be found easily using a brute force attack.
- Don't tell anyone else (except, maybe, your manager) your password.
- Don't browse to dodgy websites.
- Don't open attachments from someone you don't know.
- Don't open attachments if you didn't expect to receive them from someone you do know.
- Don't be triskaidekaphobic.
- Don't pay attention to people sending you emails claiming there's something out there that will do something bad to you unless you do something else. Especially if this involves money. Get familiar with Snopes.
- Backups. Make sure you have valid backups in a location that is not continually online and addressable via a regular drive letter or through the regular Windows Explorer interface.
- Make sure you have more than one backup and in more than one location. This is where online backups (cloud backups) can be handy - in addition to proper backups on things such as USB keys and USB hard disks.
- Encryption - the type you have the password/key for. If your data is sensitive, it *MUST* be encrypted when it is backed up.
- Have a look at Hitman Pro Alert with CryptoGuard.
- Have a look at CryptoPrevent *especially* if you are running a Home version of Windows.
- Have a look at the CryptoLocker Prevention Kit *especially* if you are on a Domain or running a Pro version of Windows.
- Think. The best protection against malicious things on and off the Internet is that spongy thing holding your ears apart. Really. Just think.
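To make the passphrase argument above concrete, here is an added estimator (my own illustration, not code from the original post) that scores a phrase the way a cracker would attack it: a direct lookup in a leaked list, combining common dictionary words with simple mangling, or plain character brute force. The leaked list, the word list and the assumed list size of 5000 are constructed stand-ins, and the costs are rough log2 guess counts, not a precise model of any real cracking tool.

```python
import math
import re

# Constructed stand-in for the leaked-password/phrase lists the post links to.
LEAKED_LIST = {"password", "letmein", "who let the dogs out", "the cat sat on the mat"}

# Constructed sample of a cracker's word list; DICT_SIZE is the assumed size of
# the real list an attacker would combine words from (assumption, not measured).
COMMON_WORDS = {"the", "cat", "sat", "on", "mat", "who", "let", "dogs", "out",
                "quick", "brown", "fox", "friday", "pm", "janitorial"}
DICT_SIZE = 5000

LOWER, DIGIT, PUNCT = 26, 10, 33   # alphabet sizes: letters, digits, punctuation + space

def normalise(phrase):
    """Lower-case and collapse whitespace, as a list lookup would."""
    return " ".join(phrase.lower().split())

def in_leaked_list(phrase):
    return normalise(phrase) in LEAKED_LIST

def word_model_bits(phrase):
    """Guess space if the attacker combines dictionary words and mangles them:
    a known word costs log2(DICT_SIZE), an unknown token is brute-forced letter
    by letter, and every capital, digit and punctuation mark adds its own cost."""
    bits = 0.0
    for token in re.findall(r"[A-Za-z]+", phrase):
        if token.lower() in COMMON_WORDS:
            bits += math.log2(DICT_SIZE)
        else:
            bits += len(token) * math.log2(LOWER)
        bits += sum(1 for c in token if c.isupper())   # one bit per case toggle
    bits += sum(math.log2(DIGIT) for c in phrase if c.isdigit())
    bits += sum(math.log2(PUNCT) for c in phrase if not c.isalnum() and c != " ")
    return bits

def char_model_bits(phrase):
    """Guess space for plain character-by-character brute force."""
    size = 0
    if any(c.islower() for c in phrase): size += LOWER
    if any(c.isupper() for c in phrase): size += LOWER
    if any(c.isdigit() for c in phrase): size += DIGIT
    if any(not c.isalnum() for c in phrase): size += PUNCT
    return len(phrase) * math.log2(size) if size else 0.0

def strength_bits(phrase):
    """Effective strength: zero if the phrase is in a leaked list, else the cheapest attack."""
    if in_leaked_list(phrase):
        return 0.0
    return min(word_model_bits(phrase), char_model_bits(phrase))

if __name__ == "__main__":
    for p in ["Who let the dogs out", "the quick brown fox", "Passw0rd!",
              "Friday 2.00pm janitorial;", "marryGold truthbe foretolD"]:
        print(f"{p!r:30} {strength_bits(p):6.1f} bits")
```

Run as written, the simple phrase and the mangled password land within a few bits of each other, while the post's two suggested passphrases score far higher because their tokens are not in the word list and carry digits, punctuation and odd capitals.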
The Outspoken Wookie