Cryptolocker - The battle for data security

Ransomware has exploded onto the radar of security teams in recent years due to highly aggressive tactics which are often impossible to recover from. Ransomware is on the increase and has evolved rapidly from the high profile Cryptolocker outbreak.

The risks of wide spread data loss are ever increasing as ransomware begins to target backups and data on network shares.

The premise is simple, capture data that is valuable to the user by encrypting it in situ and then charge the user a fee to release it back to them. Since it first appeared in 2013, Cryptolocker itself has amassed around 500,000 victims.

Those infected were initially presented with a demand for $400 (£237), 400 euros ($535; £317) or an equivalent amount in the virtual Bitcoin currency. Victims had 72 hours to pay up or face their files being destroyed.

Analysis of the back-up database indicates that only 1.3% of all the people hit by the malware paid the ransom and yet despite the low response rate, the cybercriminals are believed to have netted about $3m from Cryptolocker.

The power of this type of ransomware is in its simplicity. With access to all of the users' files and Windows cryptographic tools, data can easily be encrypted even without the user having administrator rights. This results is the perfect malware storm; a devastating attack generating large revenues that requires little technical skill to create.

An evolving threat

The effectiveness of ransomware like Cryptolocker has spawned a succession of new threats. The advent of CryptoWall and TorrentLocker are all hitting businesses and consumers hard and spreading the fear of infection beyond just an IT department.

In fact, Cryptowall V3.0 also known as Crowti has been encountered several times in the Avecto Malware Lab since mid-January 2015 and represents the latest evolution in ransomware. The sample analyzed was dropped by the Magnitude exploit kit as part of a phishing email campaign that linked to malicious websites.

Compared to previous versions, the latest version is simpler and more lightweight. In line with general malware trends towards multi-stage attacks, it no longer checks to see if it is being executed in a virtual environment.

Layers of defense

Ransomware exploits the fact that Windows allows applications, both good and bad, to access the user's data. As threats change rapidly to evade detection, often utilizing social media to spread, it is impossible to prevent them appearing on the endpoint.

The best way to mitigate these threats is to implement a defense in depth approach, layering technologies that can block and isolate threats on the endpoint. Privilege Management can contain threats within the user account and Application Control prevents untrusted content such as malware payloads from executing.

An important last line of defense is Sandboxing. Many exploit kits exploit weaknesses in the browser and plugins like Java, Flash and Silverlight to run Ransomware on the endpoint. Other attack vectors can be found in malicious documents, or simply from tricking the user into running malware thorough worms found in many popular websites, such as Facebook. Sandboxing allows you to safely contain such web threats and isolate any malicious activity, without restricting your people.

Fight back with Defendpoint

Defendpoint allows you to take a proactive stance in safeguarding the endpoint against advanced attacks like Cryptolocker. The evolution of malware means they can regularly evade detection by firewalls, network sandboxes and anti-virus technologies, leading to devastation on the endpoint.

Defendpoint layers additional defenses on the endpoint using a unique combination of Privilege Management, Application Control and Sandboxing technology to safeguard users and their data. This powerful combination allows Defendpoint to secure the endpoint against the widest range of attacks, without reducing usability or impacting on productivity.