Cryptolocker Prevention – How to secure your server environment

The main topic of this blog post is about Cryptolocker prevention. We go over the best practices on how to secure your domain and computers against this crypto-ransomware, what should you do if it hits your system, and how to beat it.

Introduction

Cryptolocker is type of crypto-ransomware Trojan that hit the Internet in September, 2013.

It’s a type of ransomware that attacks Windows OS and encrypts all non-executable files on your computer. It prompts that you have 72 hours to pay the ransom of around $300 to get your data decrypted.

When it was first released, it was a game-changer.

It’s special because it also attacks local and mapped network drives, making it one of the most sinister and malicious Trojans ever developed.

The other thing that makes it infamous is the fact that you are asked to pay the ransom in cryptocurrencies, such as BitCoin (there were cases where people were asked to make the payment in MonkeyPak or Ukash prepaid cards), making the transaction untraceable.

Brief history crypto-ransomware

The idea of crypto-ransomware isn’t new. The first man to come up with the idea in the 1990s was Moti Young, a cryptography researcher from Columbia University.

Now, since it’s a well-known fact that criminals read science journals and IT research papers . . . (of course not—I’m kidding) that whole Cryptolocker story went unnoticed for almost twenty years.

Then, around 2000, predecessors of Cryptolocker appeared, but they weren’t nearly as successful and sophisticated as the Cryptolocker from 2013. One such crypto-virus was the CryZip.

Today, other more modern variants of this crypto-ransomware can be in the form of various browser pop-ups and add-ons or even hidden in background images on certain malicious websites. (Note: not just on malicious or shady websites. There were cases where the attackers used HTML and JavaScript injections to infiltrate an ordinary website and exploit its security weaknesses.)

There are also many so-called Cryptolocker copycats. Also, with their increase in numbers, the cryptolocker prevention awareness has risen in past few years.

How does Cryptolocker work?

The original Cryptolocker, which appeared four years ago, circulated as social engineering via email attachments that contained an .exe file.

Once you click on it, it automatically installs itself on your computer or serves you with a link that instructs you to use Tor browser to download something.

Once it is installed on your computer, every time you start your computer, the Cryptolocker runs two parallel processes—the first one is in charge of encrypting the data, and the other one runs in the background and prevents you from shutting down the malware.

However, once it starts encrypting files, removing it is the least of your problems. In fact, deleting the Cryptolocker is easy—decrypting your data is the hard part.

Why you can’t brute-force decryption

The Cryptolocker encrypts data via AES-128 ciphers, after which the ransomware encrypts a random key using RSA keys (1024 or, most commonly, the 2048-bit keys). There’s no way to break the RSA or AES encryption without a decryption key.

To retrieve the private/public keys, the ransomware contacts the hacker’s command and control servers (C&C servers—computers that issue commands to members of botnet). If you don’t find a way to stop it, all files, except the .exe files, get overwritten.

Then you get hit with a DECRYPT_INSTRUCTION.txt file, with instructions on how to retrieve your data and what amount to pay, and then the clock starts ticking. You have 72 hours.

And, no, it’s not just a random clock. When the time runs out, the Cryptolocker deletes itself from your system, but you’re still left with encrypted documents forever, and now there’s nothing you can do to retrieve them.

There have been some suggestions that if you change the time in BIOS that it will give you additional time; however, the hackers have leveled up and now it only adds time to the ticking clock.

Pay up or restore your files from backup?

You didn’t implement cryptolocker prevention measures, and now you say:

We don’t negotiate with terrorists.

Well . . . you might have no choice if you haven’t backed up your data recently. Then, to tell you the truth, you are toast. And that’s putting it mildly.

If you decide to pay up, it may be even up to two weeks or more before the hackers contact you and start the decryption. Note that the decryption takes a while. According to experiences that victims post and share on various forums, it takes 5 GB per hour to decrypt the data.

Beware that when Cryptolocker starts decrypting the data, it will retrieve your files only if you haven’t deleted, moved, or renamed any of the encrypted files. Cryptolocker uses the registry to maintain a list of all your files and paths, but if you have moved them, tough luck—the whole decryption process will be put on hold if the virus can’t find the missing file.

Cryptolocker prevention best practices

Cryptolocker prevention methods should be a number-one priority because crypto-ransomware causes unrepairable havoc for businesses using file share collaboration systems.

BACKUP, BACKUP AND BACKUP EVERYTHING!

It’s recommended you use cloud storage backup, where you can restore previous versions of your files. This way is the safest. Another best practice is to keep your backups separated.

I know it sounds silly for even having to mention this, but picture this:

You come to work one day and start the migration as planned, and, in the process, you are hit with a Cryptolocker, and you realize you have no proper backup THEN, this realization will hit you like a ton of bricks.

If you don’t have a backup or it was compromised, the only solution you’re left with is to wipe your hard disks clean and start over (oh and you’ll probably get fired for being a system admin that let a ransomware wreak havoc on corporate servers).

DON’T OPEN EMAILS WITH SHADY CONTENT AND .EXE ATTACHMENTS

Educate users about various types of malware. Turn their attention toward the consequences of randomly running a nonspecific .exe file they’ve received via email. This includes strange invoices and Word documents in the email attachments—this is how the newer type of Cryptolocker, Locky, gets into your system.

Also, it might be a good idea to monitor all ZIP files that go through the email or even to block ZIP files on firewall.

MONITOR SERVERS

At all times, monitor your servers and be aware of what’s going on in the server environment.

By noticing that your CPU is hitting 100 % all day or that your file share servers are experiencing a heavy load for no apparent reason or any other out-of-the-norm behavior—react right away so you don’t end up in the full file server restore nightmare.

Check out the honeypot scenario:

If you’re more experienced, you can set up honeypot files across your file share and monitor them for checksum changes.

DISABLE HIDDEN FILE EXTENSIONS IN WINDOWS

For Cryptolocker prevention, it’s best to disable hidden file extensions in Windows.

Navigate to My Computer > Tools > File Options > View > uncheck the Hide file extensions for known file types option > click Apply to all folders > click Apply > Apply > OK.

SET UP RESTRICTION POLICIES

Set up restriction policies to disable the execution of any .exe files from AppData/Roaming. These extensions are as follows:

%AppData%\*\*.exe

%userprofile%\*.exe

MANAGE PERMISSIONS

Since it crawls everything on your system—even the network drive and anything to which an infected user has access to—check who has which permissions, and find out whether certain users have the right level of permissions. It’s also good to restrict the read and write permissions; that way, if there should ever be an attack, it won’t spread everywhere.

Not everyone in the company should have admin privileges—be very wary of to whom you are assigning them.

Note:

When your system is hit with a Cryptolocker, you will want to know ASAP which of your users ran the malicious .exe. Find the previously mentioned DECRYPT_INSTRUCTIONS.txt or INSTRUCTIONS.txt that the hackers put in each encrypted folder. Go to Properties, and check who the author is of that document. This is how you track where the infection began.

PATCH YOUR SERVERS WITH THE LATEST UPDATES

For Cryptolocker prevention or prevention from any malware, be sure to patch your servers with the latest and official updates.

TURN ON VERSIONING

This might interest SharePoint admins and it’s especially efficient for Cryptolocker prevention.

Turn on versioning so you can overwrite the encryption by restoring the files to a previous version. Note that you will have to do this manually, file by file—but, hey . . . at least it’s something. Turn on the versioning on cloud storages as well.

Refer to this article on how to enforce versioning on SharePoint.

SET UP A CRYPTOLOCKER CANARY

On Windows Server 2008 and onwards, you have the File Server Resource Manager, which will help you stay alert if any suspicious files are created.

  1. Open File Server Resource Manager.
  2. Navigate to File Screening Management.
  3. Right-click File Group and click Create New File Group.
  4. In the File group name, type in “Cryptolocker Canary” and under Files to Include type the following:

*.encrypted

*.locked

*.crypto

HELPDECRYPT.TXT

HELP_YOUR_FILES.TXT

HELP_TO_DECRYPT_YOUR_FILES.txt

RECOVERY_KEY.txt

HELP_RESTORE_FILES.txt

HELP_RECOVER_FILES.txt

HELP_TO_SAVE_FILES.txt

DecryptAllFiles.txt

DECRYPT_INSTRUCTIONS.TXT

INSTRUCCIONES_DESCIFRADO.TXT

Help_Decrypt.txt

DECRYPT_INSTRUCTION.TXT

HOW_TO_DECRYPT_FILES.TXT

HELP_TO_SAVE_FILES.txt

RECOVERY_FILES.txt

RECOVERY_FILE.TXT

RECOVERY_FILE*.txt

howrecover+*.txt

_how_recover.txt

  1. Click OK.

DECRYPTING THE DATA WITH THIRD-PARTY DECRYPTION TOOLS

If you do get hit, you can transfer your encrypted data to an external hard drive and look up whether that version of Cryptolocker has already been decrypted.

Since the original version of the Cryptolocker was taken down in 2014, there are now ways to retrieve data for some types of Cryptolocker encryptions because of the joint forces of the U.S. government and governments of certain European countries that managed to take down the bot servers and hacker network.

A tool to help you with the cryptolocker prevention

To help you monitor your servers, as well as assist you with most of these best practices and settings, we have SysKit!

Cryptolocker Prevention With SysKit

SysKit can help warn you that your system has contracted the Cryptolocker by auditing file access, detecting unusual files, alerting you about high CPU usage and disk activity on a particular server allowing you to react right away before the malware encrypts your entire file share. It also helps you check if there are any security updates missing from servers and install them to ensure that all servers are on the same patch level.

SysKit is a server monitoring and administration tool. It supports Windows Servers, Citrix XenApp, Remote Desktop Services, RD Gateways, and workstations. The tool tracks user activities, diagnoses server performance problems, and monitors application usage on your servers and workstations.

syskit-trial