I work hard to keep our home systems malware-free and safe.
That typically involves talking about good Windows end-user behavior with Alvis and Lavie, letting them know about various breaking threats, running an AV/AM product, installing the advanced protection afforded by Microsoft's EMET v4.0 on our home systems, making sure all Windows and third-party browser plugins are kept updated, running backups, etc.
So generally, I don’t worry too much about viruses and malware…but this new CryptoLocker threat does have my nerves extra-edgy.
First, we don’t have 10 bitcoins sitting around to pony up for a decryption. Most home/SOHO Windows users probably don’t either. Note this price has gone up from the previous 2 bitcoin expense.
- CryptoLocker developers charge 10 bitcoins to use new Decryption Service - Bleeping Computer News
Secondly, it seems to work primarily on social-engineering and spear-phishing techniques (for now) to trick a user into opening a payload delivered by email. While I can have pretty good confidence in software defense-in-depth security practices, I never can trust the end-user (myself included) to be 100% dependable in catching this attack. I am my own weakest link.
Lastly, although CryptoLocker primarily targets local drives, it will encrypt any targeted files on a network share if the shared folder is mapped as a drive letter rather than a UNC share. So if one person on a network gets infected, and has mapped drives via drive lettering, that could hose everyone! That’s scary bad.
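To see exactly which shares a given user has exposed in the way just described, here is a small audit script I am adding as an example (it is not from the original post, nor part of CryptoPrevent or the Prevention Kit). It lists every network share mapped to a drive letter, both the live session mappings (via the Win32_MappedLogicalDisk WMI class) and the persistent “reconnect at logon” mappings stored under HKCU:\Network, and notes whether each is currently reachable.

```powershell
# Added audit example (not from the original post, CryptoPrevent, or the Prevention Kit).
# Assumes Windows PowerShell 3.0+ and Windows Vista or later (for Win32_MappedLogicalDisk).
function Get-MappedDriveExposure {
    [CmdletBinding()]
    param()

    $found = @{}

    # Live mappings for this session: drive letter -> UNC path of the share.
    $live = Get-CimInstance -ClassName Win32_MappedLogicalDisk -ErrorAction SilentlyContinue
    foreach ($d in $live) {
        $found[$d.DeviceID.ToUpper()] = [pscustomobject]@{
            Drive      = $d.DeviceID.ToUpper()
            RemotePath = $d.ProviderName
            Source     = 'Session'
        }
    }

    # Persistent mappings are stored per user as HKCU:\Network\<letter> with a RemotePath value.
    if (Test-Path 'HKCU:\Network') {
        foreach ($key in Get-ChildItem 'HKCU:\Network') {
            $letter = ($key.PSChildName + ':').ToUpper()
            $remote = (Get-ItemProperty -Path $key.PSPath).RemotePath
            if ($found.ContainsKey($letter)) {
                $found[$letter].Source = 'Session+Persistent'
            } else {
                $found[$letter] = [pscustomobject]@{
                    Drive      = $letter
                    RemotePath = $remote
                    Source     = 'Persistent'
                }
            }
        }
    }

    # A letter-mapped share is only exposed while the server is reachable from this box.
    foreach ($entry in $found.Values) {
        $entry | Add-Member -NotePropertyName Reachable `
                            -NotePropertyValue (Test-Path -LiteralPath $entry.RemotePath) -Force
    }

    $found.Values | Sort-Object Drive
}

# Usage: run as the user whose mappings you want to review.
Get-MappedDriveExposure | Format-Table -AutoSize
```

Run it under each user account that logs on to the machine, since mappings (and the HKCU key) are per user; an empty result means that user has no drive-letter exposure to worry about.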
So the first important step you can take is to educate yourself about the threat itself:
- How To Avoid CryptoLocker Ransomware — Krebs on Security
- CryptoLocker Ransomware Information Guide and FAQ - Bleeping Computer - Probably the current de-facto resource for all technical details on this threat. Updated frequently.
- CryptoLocker Is The Nastiest Malware Ever - Here's What You Can Do - MakeUseOf blog
- Cryptolocker Ransomware: What You Need To Know - Malwarebytes Unpacked
- You’re infected—if you want to see your data again, pay us $300 in Bitcoins - Ars Technica
At home, my immediate response was to deploy a special package maintained by Foolish IT LLC on ALL our personal Windows systems (including my Windows VM’s) that protects against this threat.
CryptoPrevent - free for personal and commercial deployment - Foolish IT LLC - current version at time of posting is 3.1 but that is certain to change. In both “portable” and installable versions.
Like any AV/AM vs. malware battle, it is a constant arms race of updates, so if you go this route, check back frequently for new versions or pay the $ for the auto-updating version.
Just to illustrate the challenge, take a look at these posts from the developer to see how the tool has mutated to keep pace with the threat and customers’ needs.
- CryptoPrevent v2.0 just released with whitelisting capabilities!
- CryptoPrevent v2.1 - I just can't seem to win!
- CryptoPrevent v2.4 just released with internal update feature - please update!
- CryptoPrevent v2.5 - with a powerful new layer of protection introduced!
- CryptoPrevent v2.6 released - my life is consumed by this madness!
- CryptoPrevent v3.0 - Recycle Bin protection and a new optional AUTOMATIC UPDATE service!
For corporate locations, I learned about another solution via Brian Krebs’s post noted above. From that post:
A team of coders and administrators from enterprise consulting firm thirdtier.net have released the CryptoLocker Prevention Kit – a comprehensive set of group policies that can be used to block CryptoLocker infections across a domain. The set of instructions that accompanies this free toolkit is comprehensive and well documented, and the group policies appear to be quite effective.
Cryptolocker Prevention Kit (updated) - Spiceworks
Get protected now if you are a Windows user. Period.
It’s not worth dilly-dallying about.