What is CryptoLocker?
CryptoLocker is malware now well known for the massive damage it can inflict on any data-centric organization.
Once the code is executed, it encrypts files on computers and network shares and "holds them hostage", demanding a ransom from any user who attempts to open a file, in exchange for decrypting it. This is why CryptoLocker and its variants are now known as “ransomware”.
Malware such as CryptoLocker can infiltrate a network through many vectors, such as email, file-sharing sites, and downloads.
New variants have escaped antivirus and firewall technologies, and we can reasonably expect new ones to emerge that will be able to bypass preventative measures. In addition to limiting the scope of damage from an infected host by tightening access controls, the next line of defense is to put in place detection and remediation systems.
Update September 2018: Ransomware attacks have declined significantly from their peak in 2017. CryptoLocker and its variants are no longer widely distributed and new ransomware has taken over. Ransomware has evolved from its previous large-scale distribution model into a targeted attack today. Nonetheless, it remains a threat to businesses and government agencies.
How to Fight a CryptoLocker
The more files a user account has access to, the greater the potential damage. It is therefore prudent to restrict access as this will limit the scope of items that can be encrypted. Aside from providing a line of defense against malware, it will reduce the potential exposure to further attacks from internal and external actors.
Even if adopting a least privilege model is time consuming, you can quickly reduce exposure by removing unnecessary global access groups from ACLs. Applied to data containers (such as folders and SharePoint sites), groups such as “All”, “Authenticated Users”, and “Domain Users” can expose entire hierarchies to every user in an organization. Not only are these exposed datasets easy targets for thieves and malicious users, they are also highly susceptible to damage in an attack. On file servers, such folders are known as "open shares" when both the file system permissions and the share permissions grant access through a global access group.
Although it is easier to use technologies designed specifically to find and eliminate global access groups, it is possible to locate open shares by creating a user who does not belong to any group and using that account's access rights to "scan" the file-sharing environment. For example, even basic net commands run from a Windows cmd shell can be used to list and test the accessibility of shares:
- net view (lists nearby hosts)
- net view \\host (lists the shares)
- net use X: \\host\share (maps a disk to the share)
- dir /s (lists all files that the user can read in the share)
These commands can easily be combined into a script to identify folders and files that are accessible to a large number of people.
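The commands above combined into one script, as an added example that is not from the original post: it is run while signed in as the group-less test account, enumerates each host's shares, and reports which ones that account can read and how many files are exposed. It assumes English-language net view output and uses FILESRV01/FILESRV02 as placeholder host names.

```powershell
# Added example, not from the original post. Run it while signed in as the
# test account that belongs to no groups: any share it can list is an "open share".
# Assumes English-language 'net view' output (the "Disk" column label) and that
# FILESRV01/FILESRV02 are placeholder host names to replace with your own.
function Find-OpenShare {
    param([string[]]$ComputerName)

    foreach ($h in $ComputerName) {
        # 'net view \\host' lists non-hidden shares, one per line, as: Name  Disk  [Comment]
        $lines = net view "\\$h" 2>$null
        if ($LASTEXITCODE -ne 0) { continue }   # host unreachable or listing denied

        foreach ($line in $lines) {
            # Skip header lines and printer shares; share names containing spaces are not matched
            if ($line -notmatch '^\s*(\S+)\s+Disk\b') { continue }
            $unc = "\\$h\$($Matches[1])"

            # Test-Path is $false when the test account lacks share or NTFS read rights
            if (-not (Test-Path -LiteralPath $unc)) {
                [pscustomobject]@{ Path = $unc; Readable = $false; FileCount = 0 }
                continue
            }
            # Count every file the account can read; folders it cannot enter are skipped silently
            $count = (Get-ChildItem -LiteralPath $unc -Recurse -File -ErrorAction SilentlyContinue |
                      Measure-Object).Count
            [pscustomobject]@{ Path = $unc; Readable = $true; FileCount = $count }
        }
    }
}

# Shares readable by the group-less account, largest exposure first, for ACL cleanup
Find-OpenShare -ComputerName 'FILESRV01', 'FILESRV02' |
    Sort-Object FileCount -Descending |
    Format-Table -AutoSize
```

Shares that report Readable = $true for an account in no group are reachable through a global access group and are the first candidates for ACL cleanup.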
Unfortunately, solving this problem without resorting to automation can be time-consuming and risky, and if you are not careful, it can affect day-to-day business operations.
If you discover a large number of accessible records, consider using an automated solution. Automated solutions can also help you go beyond simply eliminating global access, and enable you to implement a true least privilege model while at the same time eliminating inefficient manual management of access control.
Ransomware Security Tips
- Update your antivirus and endpoint protection software - these solutions can help detect certain types of ransomware and prevent them from encrypting your files.
- Avoid being fooled by phishing attacks - phishing emails are the main vector of ransomware spread.
- Keep backups of your documents - it's much easier and faster to recover your documents from a backup than to decrypt them if you've been the victim of a ransomware attack.
- Adopt a zero-trust / least privilege model - ransomware can only infect folders a user can write to. The least privilege model limits this access to what is absolutely necessary.
- Monitor file activity and user behavior to detect, report, and deal with any potential ransomware activity.
New ransomware variants keep appearing - our team of security experts does the work for you and quickly updates the ransomware signatures that Varonis detects. See for yourself how it works in a free one-on-one demo and learn how our ransomware defense architecture protects corporate data from zero-day attacks beyond the endpoint - intercepting ransomware that traditional perimeter security does not even see.