Last week Casey Morgan wrote a post (cross-posted on Windows IT Pro) about ways to defend your PCs and storage from Cryptolocker. As we know from his post and others, antivirus software is not effective in foiling such attacks because it takes them too much time to isolate the problem and can grind your system to a halt.
After reading Casey’s post, I caught up with StorageCraft partner, Bill Hathaway of Intellicomp, who handles storage and other IT issues for over 25 different small businesses. Over the last several months, four of his clients were infected with Cryptolocker. One of them was an eye clinic that contracted Cryptolocker when an employee clicked on an email file supposedly containing a LinkedIn résumé attachment.
It was a typical phishing scenario:
They said they do get a fair amount of resumes, so to them it wasn’t unusual. But to me, if somebody sent me a resume like that, I wouldn’t hire that person because they weren’t referencing a specific job and it was worded so strangely.
Hathaway was able to get the clinic up and running over a weekend because the attack happened on a Friday afternoon, and he was able to dial back to one of its hourly incremental ShadowProtect backups, but the clinic lost about an hour’s worth of data.
They had to take their losses because there’s no way to save those files. [Cryptolocker] uses a high-grade encryption, and you can’t get [that data] back without the key, which would require them to pay the ransom through BitCoin to shady people.
Currently you can take preventive measures to avoid exposure from ransomware like Cryptolocker. A commenter on the Windows IT Pro site writes:
The most effective technique so far is to prevent executable files from running in the %APPDATA% space using either Software Restriction Policies or Applocker.
For mitigation, some people are putting canaries on the network – files that are monitored for changes likely caused by Cryptolocker.
The commenter then linked to a subreddit for an example of the latter.
DNS-based solutions also exist, and those of you running MSPs may want to consider checking them out—a quick Google search will yield a number of solid options for DNS-based security.
Cryptolocker is only the most publicized example of ransomware. I don’t think anyone with a brain expected it to be an isolated incident. Over the last month several news stories cropped up about similar Cryptolocker-style attacks on Android and iOS devices that hold your data captive.
Criminals are attacking feedly with a distributed denial of service attack (DDoS). The attacker is trying to extort money to make it stop. We refused to give in and are working with our network providers to mitigate the attack as best as we can.
Even if feedly is publicly standing its ground, chances are this ransomware strategy is paying off. I doubt any organization willing to pay out the ransom is about to publicize unless forced.
Given the increase in these types of attacks and the range of services they can impact, your best bet is to have a solid, image-based backup solution and to follow Hathaway’s dictum:
If you don’t expect it, don’t open it.
Photo Credit: Perspecsys photos via Flickr