Behind the Brain Power – The Dangers of Cryptolocker

Behind the Brain Power Blog Series

Date: July 10, 2015 | Topic: Cryptolocker

In the first issue of Behind the Brain Power, we discuss Cryptolocker. Cryptolocker is a type of malware that targets computers running Microsoft Windows. It is believed to have first been posted to the internet in September of 2013. When activated, the malware encrypts certain types of files using RSA public-key cryptography, with the private key stored only on the malware’s control servers. The malware then displays a message offering to decrypt the data if a specific amount of money is paid. Basically, once Cryptolocker is on your machine, all of your data becomes inaccessible unless you pay a ransom. Although the malware itself is easily removed, the files remain encrypted.

Now we will hear from the experts. Each member of our blog series holds a different role at BECA, which gives them unique and valuable insights into Cryptolocker. Read what each of these technology experts has to say about the dangers of Cryptolocker and how to protect yourself and your company.



Mike: The first thing everyone needs to realize is that Cryptolocker is real, and it is affecting companies all over the United States. No one wants to talk about it because they don’t want to admit that they’ve got it. Like many other things in life, we just try to hide it and try not to let others know how bad it is. BECA works very hard to protect itself from this nasty malware because we are the ones having to resolve the problem. The average repair is typically anywhere from 12 to 40 hours depending on the data that is encrypted. We are helping clients on a very regular basis battle this problem. It is real and it is expensive!!

The cost of downtime and loss of production will be in the thousands at a minimum and, depending on the overall size of the encrypted data, may create long term cash flow issues for companies.  The most important thing to do is to educate your teams. The best protection doesn’t always work … so don’t just assume that your employees are aware of the dangers of Cryptolocker. Educate them!

Some quick rules for your success in limiting your exposure to Cryptolocker:

  • Educate & remind your team members on a regular basis – don’t click on links within emails without asking a couple of questions.  Evaluate whether someone should be sending this to you. Emails will probably come from someone you know, and they will be worded quite well. If it is an email that you weren’t expecting – be careful!
  • Time to upgrade your firewalls to protection that blocks the encryption side of the malware. You can get the “bad” stuff and still be safe if the payload is stopped.  I definitely recommend the United Threat Management Suite & APT Blocker from WatchGuard.
  • Don’t let random people connect to your wireless network! When a vendor or client comes to visit and they connect to your network anything that is on their machine now has access to your network – Sort of like when your kid goes to school and comes home with the flu!
  • Finally – if you get this terrible malware, communicate it!  Don’t try to hide it or think that you can resolve it yourself.  Call your IT partner ASAP and get them engaged. The cost and damage if it reaches large cloud shares or large files will be astronomical.

Branden: CryptoLocker and its variants are a modern day (electronic) version of extortion!  It is a scourge on IT departments worldwide and can devastate home users’ files.  If you don’t have a very good backup system, and you want your family photos back, paying the ransom could be your only option.  There have even been reports of police departments being forced to pay the ransom to get their data back!

Even with a solid, layered defense (firewall, AV software, SPAM filter and no local admin rights) we’ve seen it burrow into networks.  In a LAN/WAN environment it not only infects the target PC, but also infects network shares and any directly attached storage.  Speedy detection and robust backup systems have saved the day.  One of the most important pieces in the defense is actually the end user.  Education on what to be skeptical of, diligence in checking attachments/senders and rapid notification in the event of an infection are all critical pieces of the defense.

We have had several customers affected, and were able to recover each one with minimal data loss.  Their backup systems (and speedy reporting) have been the key to recovery in each of our cases.  CryptoLocker is very difficult to stop.  One recent addition to the fight is the next generation firewalls that WatchGuard recently released.  They are more powerful from a hardware standpoint and have a very powerful APT (Advanced Persistent Threat) Blocker now available.

Staying ahead of the criminals that produce this malware is a constant battle.  It is a drain on IT resources and dollars.  Companies can no longer ignore this threat.  The old thinking “I’m just a small company and have nothing that a criminal would want” no longer applies.  If you do business on the internet, one computer or a 500-person network, you must spend the time and money to protect yourself from these modern threats!


Robert: Let me preface my story by explaining a term that we use here at BECA – BECAtized. A BECAtized infrastructure is a customized infrastructure that uses the best IT practices to keep a business functioning even in the most critical times. When you are BECAtized, it brings extra security and stability to your infrastructure and protects your business from unexpected downtime and performance issues.

Now that you understand what a BECAtized system is, let me tell you a story about what recently happened to one of our clients. Last week, we had a customer that was infected by Cryptolocker. An end-user clicked on a dangerous link and – WHAM! – Cryptolocker. Because this client had a BECAtized infrastructure, our engineers were able to use our preferred backup appliance and recreate the infrastructure from a non-infected point in time. This was a HUGE time saver and considered a huge success because they were back up and running normally in just a couple of hours. So – a very critical and company-paralyzing situation was eased by a BECAtized infrastructure.

What would have happened if the company was not BECAtized? A non-BECAtized infrastructure could have brought the company down for days as we tried to recover the data that was encrypted. It is possible that it could have even brought the company to a breaking point.

These types of threats are becoming more common. Just last week, I met with a company and they admitted that they had been infected by Cryptolocker and had to pay the ransom money to gain access to their data. Once they paid these criminals, the key to unlock it also possessed a virus that they had to fight!

The moral? Protect your infrastructure. Become BECAtized!


Sean: Like many of you, I’ve been doing this for a long time and have seen a lot of malware, and this one really scares me. A lot of companies have already lost lots of data that could not be recovered and suffered hours of downtime due to this malware. It’s only going to continue. We have to reevaluate how we are doing things to help with prevention and be prepared for the inevitable recovery of data.

So how do we prevent Cryptolocker and its variants? Some of the usual tactics still apply: reminding end-users not to click on unknown email attachments, making sure all your endpoints have up-to-date Anti-Virus, keeping endpoints patched, etc. These things will help, but only a little. There are other things we need to rethink, such as how we do perimeter security. Are we using a firewall that has the capability to decrypt https traffic so it can be inspected? More and more of the traffic on the web is encrypted and coming via HTTPS. Only inspecting HTTP traffic for malware and other known bad sites is not good enough anymore. We need a firewall with the horsepower and ability to sit in the middle between the user and the website, decrypt the traffic, inspect it, then re-encrypt it and send it on its way. The encryption and decryption of network traffic is CPU intensive and most of the current install base of firewalls doesn’t have the CPU horsepower to do this on a large scale. More powerful firewalls, such as the new WatchGuard M-line, are needed. Now, once our firewall decrypts the traffic, does it have the technology to not only scan for known viruses but also use advanced malware detection? WatchGuard’s new APT Blocker executes the file in a sandboxed environment to observe how the file behaves (does it modify registry keys, replace files, etc). This can allow the firewall to stop new variants of Cryptolocker and other zero day threats based on behavioral analysis.

Okay, now we have the perimeter secure – Great! But this is 2015, and we have a highly mobile workforce.  What happens when users aren’t in the office behind good perimeter security? They are vulnerable. Take a look at cloud technologies like OpenDNS (recently acquired by Cisco). Their OpenDNS Umbrella product provides added security for your on-premise firewall by making a small network configuration change and your mobile users (laptop, smartphone, tablet) by deploying a lightweight agent which forces all DNS queries to go through OpenDNS servers, where they do all the filtering. So you are not installing additional software that will churn up CPU % and Disk I/O on your users’ devices.

Another way to protect from Cryptolocker? There is a simple way to mitigate the damage caused by Cryptolocker that we should already be doing – only give users access to the data they need.  Cryptolocker can’t encrypt data files that the user doesn’t have access to. So make sure you aren’t throwing all of your data on a single file share with open permissions.  Typically, your most critical data is only accessed by a subset of your users.  I have seen good IT practices such as this save a lot of downtime and recovery time during Cryptolocker infections.

So what happens if you did get infected? What about recovery from a Cryptolocker infection?

Despite all the best AV, perimeter security, cloud security, and end-user training, you are probably going to get a Cryptolocker infection at some point. It is almost inevitable. And you are going to have to recover your data. Even more, I have seen users get infected with Cryptolocker and yet not report the ransom pop-up message for weeks, until it affects their ability to do their job. In these situations, you may need to restore data that is days or even weeks old. For our on-premise data, obviously we need to be backing up data and making sure the backups are good. Do you have enough backup capacity? I have seen environments with just enough backup capacity for a week’s worth of backups, but what happens in the scenario I described above? Could you be in a situation where all of your backups are infected with Cryptolocker??? Are you taking advantage of other technologies that could help you out such as Volume Shadow Copy on File Shares? What about cloud storage, OneDrive, Dropbox, Sharepoint Online, Google Drive, etc.? If users are syncing data to the cloud, they are going to sync Cryptolocker infected files as well. You don’t want to be finding out the capabilities (or lack thereof) of your Cloud Storage during an infection. Do you have versioning of files? Is it turned on? How long is it kept for?  Do you need Cloud backup for your Cloud storage? If a user sets up their own Cloud Storage and syncs up Cryptolocker infected files to it, is IT responsible for trying to get it back?

Cryptolocker and its variants have created a profitable business for the bad guys, which means it isn’t going away any time soon.  As IT Professionals, we need to make sure we are vigilant with the right tools and policies to keep our data safe.
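Both Branden and Sean stress speedy detection, and Sean notes that users may sit on the ransom pop-up for weeks while backups cycle out. The script below is an added example of one way a file-server administrator can spot that burst early; it is not BECA's or WatchGuard's tooling. It assumes a simple constructed audit-line format (ISO timestamp, user, WRITE or RENAME, path, optional new path) and flags any single account that rewrites many distinct files and changes their extensions inside a short sliding window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os


def build_sample_events():
    """Constructed audit lines: bob works normally; alice's account rewrites a share."""
    base = datetime(2015, 7, 9, 9, 0, 0)
    lines = []
    for i in range(5):   # bob: five edits spread over an hour
        t = base + timedelta(minutes=12 * i)
        lines.append(f"{t.isoformat()} bob WRITE \\\\fs01\\finance\\report{i}.docx")
    for i in range(40):  # alice: 40 files rewritten and renamed within 40 seconds
        t = base + timedelta(seconds=90 + i)
        p = f"\\\\fs01\\finance\\invoice{i}.xlsx"
        lines.append(f"{t.isoformat()} alice WRITE {p}")
        lines.append(f"{t.isoformat()} alice RENAME {p} {p}.encrypted")
    return lines


def parse_event(line):
    """Assumed fields: ISO timestamp, user, action (WRITE|RENAME), path [, new path]."""
    parts = line.split(" ")
    new_path = parts[4] if len(parts) > 4 else None
    return datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3], new_path


def find_encryption_bursts(lines, window=timedelta(seconds=60),
                           min_files=25, min_ext_changes=10):
    """Alert once per user whose sliding window holds >= min_files distinct files
    and >= min_ext_changes renames that changed the file extension."""
    recent = defaultdict(deque)   # user -> deque of (ts, path, ext_changed)
    alerts = {}
    for line in sorted(lines):    # ISO timestamps sort chronologically as text
        ts, user, action, path, new_path = parse_event(line)
        if user in alerts:
            continue
        ext_changed = (action == "RENAME" and new_path is not None and
                       os.path.splitext(path)[1] != os.path.splitext(new_path)[1])
        q = recent[user]
        q.append((ts, path, ext_changed))
        while ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        files = len({p for _, p, _ in q})
        ext_changes = sum(1 for _, _, c in q if c)
        if files >= min_files and ext_changes >= min_ext_changes:
            alerts[user] = {"first_seen": q[0][0], "files": files, "ext_changes": ext_changes}
    return alerts


if __name__ == "__main__":
    for user, info in find_encryption_bursts(build_sample_events()).items():
        print(f"disable account {user}: {info['files']} files touched in one window")
```

Tune the thresholds to the share's normal activity, and pair an alert with disabling the account and pulling the most recent clean shadow copy or backup.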

