There is currently much talk about Cryptolocker and other kinds of ransomware. Cryptolocker is such kind of malicious program that, once it is active, starts encrypting files it can access on a local system or on network shares and then threatens to hold your data hostage until you pay.
Users get this executable via spam or phishing emails. It starts working as soon as the user double-clicks the file. Hence traditional antivirus products are rarely efficient against Cryptolocker. The trouble is, unlike most malware, Cryptolocker can work in user security context and don’t require local admin level access to cause the data loss.
It’s hard to detect Cryptolocker immediately: while your computer keep on working personal files and documents are encrypted. Encryption process requires time and resources, and not entire volume is encrypted at once. We’ve seen the process speed estimates at around 1000 files per minute, but in theory, in case of a large storage it is possible to notice unusual behavior and stop the process early enough to minimize the damage.
Prevention steps
Most of the recommendations include a general combination of steps of Cryptolocker protection to prevent the data loss:
- Ensure using spam filtering (web and desktop) solutions to prevent ransomware spreading.
- Use solutions that enable heuristics and behavior analysis, not just signature-based ones.
- Enable “software restriction policies”. These can disallow running ANY executables except those specifically whitelisted by admins.
- Backup data daily/continuously to avoid damage.
- Train users to make them aware of the risk and reduce the chance someone would run the malicious executable
How to detect cryptolocker
First thing that you should do is to run Group Policy change and configuration audit to make sure software restriction policies are in place. In summary report on successful file and folder reads you will see what files have been modified.
A tool that might be helpful to fight Cryptolocker, must be capable of the following:
- Watch file shares for changes and notice massive file modifications done by the same process in real time (e.g., within a minute or faster)
- Automatically kill that process – and possibly disable the user account to prevent further infection
- Notify administrators with the full list of files that need to be restored from backup