Ransomware is a type of malware that restricts access to the infected computer system and demands that the user pay a ransom to the malware operators to remove the restriction. Some forms of ransomware systematically encrypt files on the system’s hard drive, then spread to any shared network drives and other computers, and make it difficult or impossible to decrypt without paying the ransom for the encryption key. Other forms of ransomware may simply lock the system and display messages intended to coax the user into paying to acquire the key. Ransomware typically propagates as a trojan, whose payload is disguised as a seemingly legitimate file.
Cryptolocker is a ransomware trojan which targets computers primarily running Microsoft Windows, though reports have recently surfaced of Cryptolocker and other ransomware on Mac OS. Cryptolocker propagates via infected email attachments and via an existing botnet. When activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware’s control servers. The malware then displays a message which offers to decrypt the data if a payment (through either bitcoin or a pre-paid cash voucher) is made by a stated deadline, and threatens to delete the private key if the deadline passes.
How does it get in?
Typically, the virus propagates as a trojan, entering a system through, for example, a downloaded file or a vulnerability in a network service. Recently there have also been entry points through infected advertisements on legitimate websites that outsource their advertising content. The program then runs a payload, which typically takes the form of a scareware program. Payloads may display a fake warning purportedly from an entity such as a law enforcement agency, falsely claiming that the system has been used for illegal activities, contains content such as pornography or “pirated” media, or runs a non-genuine version of Microsoft Windows. The malware may also encrypt attached storage devices such as USB drives or external hard disks. Other entry points include poorly configured or unpatched servers.
Prevention, Protection, and Best Practices
- Install malware detection software, ensure antivirus software is in place, and keep both up to date. Using software or other security policies to block known payloads from launching will help prevent infection but will not protect against all attacks.
- Use credentials with the least access necessary to systems, to help limit the spread of the virus by reducing the number of network touchpoints (e.g., file shares, printers, servers). It is always a best practice for users to work with non-administrative credentials and to elevate privileges only when necessary for installation, maintenance, etc.
- Keep data backups in locations that an infected computer cannot access. This allows data to be restored to its state at backup time.
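The backup practice above only pays off if you can tell, after an incident, which files were altered and therefore need restoring. The following is an added example (not code from BlueOrange Compliance or from the original article) of one way to do that: record a manifest of SHA-256 hashes when the backup is taken and keep it with the offline backup, then compare the live tree against it. It goes slightly beyond the text by also flagging modified files whose contents have near-maximal byte entropy, which is a common heuristic for ciphertext. The directory layout, file names and the `demo()` scenario are constructed for illustration; the random-byte overwrite simply stands in for the post-incident state and is not encryption code.

```python
"""Backup-manifest check: find which files changed since a backup was taken.

Added illustration for the backup best practice; not BlueOrange Compliance code.
Assumes the manifest (relative path -> SHA-256) is stored with the offline
backup, so an infected host cannot tamper with it.
"""
import hashlib
import math
import os
import tempfile
from pathlib import Path

CHUNK = 65536


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0. Encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Hash every file at backup time; keep the result with the backup, not on the host."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the live tree to the manifest.

    'modified' files need restoring; those whose first chunk has high entropy
    are also listed under 'likely_encrypted'. 'new' files (ransom notes, for
    example) are listed for review; 'missing' files must come from the backup.
    """
    report = {"intact": [], "modified": [], "likely_encrypted": [], "missing": [], "new": []}
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) == digest:
            report["intact"].append(rel)
        else:
            report["modified"].append(rel)
            with p.open("rb") as f:
                head = f.read(CHUNK)
            if shannon_entropy(head) >= entropy_threshold:
                report["likely_encrypted"].append(rel)
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest:
            report["new"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: back up three files, alter the tree, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_text("Quarterly report text " * 200)
        (root / "docs" / "notes.txt").write_text("meeting notes " * 100)
        (root / "budget.csv").write_text("item,cost\npaper,12\n" * 50)
        manifest = build_manifest(root)  # taken at backup time

        # Constructed post-incident state (stand-in only, not encryption code):
        # one file replaced by random bytes, one deleted, one new note dropped.
        (root / "docs" / "report.txt").write_bytes(os.urandom(8192))
        (root / "budget.csv").unlink()
        (root / "docs" / "README_RESTORE.txt").write_text("constructed ransom-note stand-in")
        return verify(root, manifest)


if __name__ == "__main__":
    for key, files in demo().items():
        print(f"{key}: {files}")
```

In practice `build_manifest` runs as part of the backup job and the manifest travels with the backup media; `verify` runs from a clean host (or a recovery boot) against the suspect volume, and its `modified` and `missing` lists become the restore list. The entropy flag is a heuristic: legitimately compressed or already-encrypted files (archives, images, password-protected documents) also score near 8.0, so treat it as a prioritisation hint rather than proof.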
Do not underestimate the complexity of IT security. Security vulnerabilities may be present in operating systems, applications, configurations, or risky end-user practices. Consider hiring a compliance partner to perform penetration testing and vulnerability scanning as part of a comprehensive security regimen. A compliance partner can quickly execute the necessary tests to determine the likelihood of real-world threats against an organization’s IT assets and physical security.
To learn how BlueOrange Compliance helps healthcare organizations protect against cyber threats, request a free consult.