Top Ways To Protect Yourself From CryptoLockers
What are CryptoLockers?
CryptoLocker was the name of one particular ransomware family, but the term is used here the way most businesses now use it: for ransomware in general. Its sole purpose is to extort money from businesses and individuals by encrypting every file it can reach and demanding a ransom for the decryption key.
Ransomware relies on the fact that traditional, signature-based antivirus is reactive: a new sample has to be discovered and analysed before a signature reaches your PCs, and that can take anything from hours to days, sometimes longer. Ransomware authors exploit this window by recompiling or repacking their code for each new campaign so that it no longer matches any existing signature. This is often loosely called a ‘zero-day attack’, although strictly that term refers to exploiting a vulnerability nobody has patched yet; here the malware usually arrives by persuading a user to run it. Once running, it encrypts the user's files on the infected PC and then moves on to any mapped drives and other network shares the user account can write to, on network storage or servers.
How can CryptoLocker ransomware reach my network?
The vast majority of ransomware infections come via email. To the untrained eye, the email will appear to be from a legitimate source – a parcel notification from Australia Post or a courier, a notice from the ATO, a job application, or a flight confirmation – but it is actually a forged email from a malicious sender. The payload is carried as an attachment (typically a zipped executable or script, or an Office document with macros) or behind a link that downloads it; nothing happens until a user opens it.
How can I prevent a CryptoLocker infection?
No single control is 100% guaranteed to stop ransomware, but you can greatly reduce the threat by layering several. Inbound mail filtering that checks for forged senders (SPF, DKIM and DMARC results) and strips or quarantines executable and script attachments, including those hidden inside zip files, stops most of these emails in their tracks; macro-enabled Office documents from outside the organisation deserve the same treatment. Advanced threat protection (the sandboxing or ‘APT protection’ feature of a Unified Threat Management firewall) adds another layer by detonating unknown attachments and blocking the downloads and command-and-control traffic the malware needs. Antivirus vendors are constantly making inroads on detecting ransomware, so a reputable antivirus product that is kept up to date will stop known variants, though not necessarily the one repacked this morning. In addition, train your users not to click on email links or open email attachments unless they are certain that the source is legitimate, and give them an easy way to report anything suspicious.
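The sender and attachment checks described above, as an added example that is not part of the original article: a small gateway-style triage routine that parses an inbound message, compares the visible From domain with the envelope sender, reads the SPF/DKIM/DMARC results the receiving gateway recorded, and flags executable or script attachments, looking one level inside zip files. The message, the reserved .example domains and the Authentication-Results header are constructed for the example, and the list of blocked extensions is an assumption to extend for your own environment.

```python
"""Gateway-style triage of an inbound message: does it look forged, and does it
carry the kind of attachment that delivers ransomware?

Added example, not from the original article. The message, domains and
Authentication-Results header are constructed for the example (reserved
.example domains; no real sender). The extension list is an assumption: a
starting point, not a complete policy.
"""
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumption: file types that should never arrive from outside by email.
DANGEROUS_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                 ".vbs", ".wsf", ".hta", ".jar", ".docm", ".xlsm"}
# SPF/DKIM/DMARC result tokens we treat as a failure ("none" is not one).
AUTH_FAILURES = {"fail", "softfail", "permerror", "temperror"}


def build_sample_message() -> bytes:
    """Constructed 'failed delivery' lure: the zip wraps a fake executable."""
    msg = EmailMessage()
    msg["From"] = "Parcel Delivery <noreply@postal-notice.example>"
    msg["To"] = "accounts@victim.example"
    # Return-Path is normally added by the receiving MTA; set here to simulate it.
    msg["Return-Path"] = "<bounce@mailer.example>"
    msg["Subject"] = "Your parcel could not be delivered"
    # Simulated result of the receiving gateway's SPF/DKIM/DMARC checks.
    msg["Authentication-Results"] = (
        "mx.victim.example; spf=fail smtp.mailfrom=mailer.example; "
        "dkim=none; dmarc=fail header.from=postal-notice.example")
    msg.set_content("Please print the attached notice and present it at the depot.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Delivery_Notice.pdf.exe", b"MZ placeholder, not a real program")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Delivery_Notice.zip")
    return msg.as_bytes()


def attachment_findings(part) -> list:
    """Flag executable/script attachments, looking one level inside zip files."""
    findings = []
    name = part.get_filename() or "<unnamed>"
    ext = os.path.splitext(name)[1].lower()
    if ext in DANGEROUS_EXT:
        findings.append(f"dangerous attachment {name}")
    elif ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for member in zf.namelist():
                    if os.path.splitext(member)[1].lower() in DANGEROUS_EXT:
                        findings.append(f"dangerous file {member} inside {name}")
        except zipfile.BadZipFile:
            # Cannot inspect it, so cannot clear it.
            findings.append(f"unreadable zip attachment {name}")
    return findings


def triage(raw: bytes) -> dict:
    """Return a verdict and the reasons for it, as a mail filter would log them."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []

    # 1. Forgery indicators: visible From domain vs envelope sender domain,
    #    plus the SPF/DKIM/DMARC results recorded by the receiving gateway.
    from_hdr = msg["From"]
    from_domain = from_hdr.addresses[0].domain.lower() if from_hdr and from_hdr.addresses else ""
    m = re.search(r"@([\w.-]+)", str(msg.get("Return-Path", "")))
    if m and m.group(1).lower() != from_domain:
        reasons.append(f"envelope sender domain {m.group(1).lower()} != From domain {from_domain}")
    auth = " ".join(str(msg.get("Authentication-Results", "")).split()).lower()
    for check in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{check}=(\w+)", auth)
        if m and m.group(1) in AUTH_FAILURES:
            reasons.append(f"{check}={m.group(1)}")

    # 2. Payload indicators: the attachment types ransomware droppers use.
    for part in msg.iter_attachments():
        reasons.extend(attachment_findings(part))

    return {"verdict": "quarantine" if reasons else "deliver", "reasons": reasons}


if __name__ == "__main__":
    result = triage(build_sample_message())
    print(result["verdict"])
    for reason in result["reasons"]:
        print(" -", reason)
```

Two design points worth noting: an Authentication-Results header is only trustworthy if your own edge gateway wrote it, so strip or rewrite any that arrive from outside before a check like this reads them; and a zip the filter cannot open (corrupt, or encrypted with a password given in the email body) is treated as a reason to quarantine, not as a pass, because the inability to inspect it is exactly what the attacker is counting on.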
What can I do now to minimise the risk posed by a future CryptoLocker infection?
You need to make sure you can recover in the event of an infection. It is critical that your data is backed up at least daily and that restores are tested regularly; a backup you have never restored from is not a backup. Storage snapshots taken hourly or half-hourly on top of that keep the data loss down to a fraction of a day. The backup copy must not be writable from user PCs: ransomware running as a user will happily encrypt a backup that sits on a mapped drive or on a USB disk that is left plugged in, so keep at least one copy offline or on storage the user account cannot modify (read-only snapshots on the NAS or file server are ideal for this).
Ransomware runs with the permissions of the user who opened the attachment, so it can only encrypt files that user account is allowed to alter; it does not need administrator rights to do its damage. Wherever possible, give users write access only to the folders and shares they actually need, and review share permissions periodically. This limits the damage any single infection can cause.
What should I do in the event of a CryptoLocker infection?
Do not pay the attackers. You are essentially dealing with a modern day pirate. There is no guarantee that you will receive the decryption key or be able to decrypt the data if you pay a ransom, and paying funds the next campaign and marks you as a target that pays.
The first course of action is to identify the infected PC and disconnect it from the network immediately (pull the cable or turn off Wi-Fi). The owner recorded on the newly encrypted files and ransom notes on a share, and the file server's access logs, will tell you which user account and which machine the encryption is coming from. Only once that PC is off the network should you clean or rebuild it and restore your files from backup; restoring while the infected machine can still reach the share just gets the restored files encrypted again. The sooner you halt the attack, the smaller the damage to your files and the lower the cost to your organisation as a whole. If you have an IT department or IT provider, contact them immediately upon discovering an infection. They will be best equipped to help you identify the source, minimise the damage and restore your files from backup.
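Finding the account and PC behind an encryption run from the file server's access log, as an added example that is not part of the original article: ransomware looks different from a person at work because one account, from one client address, rewrites an unusually large number of distinct files in a very short time. The routine below groups mutating operations by (account, client IP), slides a one-minute window over them and raises an alert naming the machine to isolate and the time the burst started, which is also the point to restore from. The audit lines are constructed for the example in a simplified tab-separated form and are not the output of any real product; a real deployment would feed it Windows object-access audit events or Samba full_audit output exported to the same five columns. The window length and threshold are assumptions to tune for your environment.

```python
"""Spot a ransomware encryption burst in file-server audit data and name the
source account and client PC, so that machine can be pulled off the network.

Added example, not from the original article. The audit lines are constructed
in a simplified tab-separated form (timestamp, account, client IP, operation,
path); they are not the output of any real product. The window and threshold
are assumptions to tune per environment.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumption: look for bursts inside one minute
THRESHOLD = 10                   # assumption: >= 10 distinct files changed per window
MUTATING_OPS = {"write", "rename", "delete"}   # reads never encrypt anything

# Constructed sample: b.ortiz works normally; a.nguyen's PC at 10.0.0.45 starts
# rewriting every file it can reach at 09:31:10.
SAMPLE_AUDIT = """\
2016-05-03T09:05:30\ta.nguyen\t10.0.0.45\twrite\t\\\\FS1\\Finance\\Archive\\notes.txt
2016-05-03T09:14:02\tb.ortiz\t10.0.0.12\twrite\t\\\\FS1\\Finance\\Q1\\budget.xlsx
2016-05-03T09:14:40\tb.ortiz\t10.0.0.12\tread\t\\\\FS1\\Finance\\Q1\\forecast.xlsx
2016-05-03T09:20:15\tb.ortiz\t10.0.0.12\twrite\t\\\\FS1\\Finance\\Q1\\forecast.xlsx
2016-05-03T09:31:10\ta.nguyen\t10.0.0.45\twrite\t\\\\FS1\\Finance\\Q1\\budget.xlsx
2016-05-03T09:31:11\ta.nguyen\t10.0.0.45\twrite\t\\\\FS1\\Finance\\Q1\\forecast.xlsx
2016-05-03T09:31:12\ta.nguyen\t10.0.0.45\twrite\t\\\\FS1\\Finance\\Q1\\invoices.docx
2016-05-03T09:31:13\ta.nguyen\t10.0.0.45\twrite\t\\\\FS1\\Finance\\Q1\\payroll.xlsx
2016-05-03T09:31:15\ta.nguyen\t10.0.0.45\twrite\t\\\\FS1\\Finance\\Q2\\budget.xlsx
2016-05-03T09:31:16\ta.nguyen\t10.0.0.45\twrite\t\\\\FS1\\Finance\\Q2\\forecast.xlsx
2016-05-03T09:31:17\ta.nguyen\t10.0.0.45\twrite\t\\\\FS1\\Finance\\Q2\\vendors.docx
2016-05-03T09:31:19\ta.nguyen\t10.0.0.45\twrite\t\\\\FS1\\Finance\\Shared\\policy.pdf
2016-05-03T09:31:20\ta.nguyen\t10.0.0.45\twrite\t\\\\FS1\\Finance\\Shared\\handbook.docx
2016-05-03T09:31:21\ta.nguyen\t10.0.0.45\twrite\t\\\\FS1\\Finance\\Shared\\org-chart.pptx
2016-05-03T09:31:23\ta.nguyen\t10.0.0.45\twrite\t\\\\FS1\\Finance\\Shared\\template.dotx
2016-05-03T09:31:24\ta.nguyen\t10.0.0.45\twrite\t\\\\FS1\\Finance\\Archive\\2015-summary.pdf
"""


def parse_audit(text):
    """Turn the tab-separated export into (timestamp, account, ip, op, path) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, client_ip, op, path = line.split("\t")
        events.append((datetime.fromisoformat(ts), account, client_ip, op, path))
    events.sort(key=lambda e: e[0])
    return events


def find_encryption_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """One alert per (account, client IP) whose writes/renames/deletes touch at
    least `threshold` distinct files inside any span of length `window`."""
    by_source = defaultdict(list)
    for ts, account, ip, op, path in events:
        if op in MUTATING_OPS:
            by_source[(account, ip)].append((ts, path))

    alerts = []
    for (account, ip), evs in by_source.items():
        start = 0
        in_window = Counter()          # distinct paths currently inside the window
        for end, (ts, path) in enumerate(evs):
            in_window[path] += 1
            # Slide the left edge forward until the window is at most `window` long.
            while ts - evs[start][0] > window:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                alerts.append({
                    "account": account,
                    "client_ip": ip,
                    "onset": evs[start][0],      # first change in the burst: restore from before this
                    "detected_at": ts,
                    "files": sorted(p for _, p in evs[start:end + 1]),
                })
                break                            # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_encryption_bursts(parse_audit(SAMPLE_AUDIT)):
        print(f"ISOLATE {alert['client_ip']} (account {alert['account']}): "
              f"{len(alert['files'])} files changed between {alert['onset']} and {alert['detected_at']}")
```

The alert is deliberately keyed on the client IP as well as the account: the account tells you whose credentials to reset and whose mapped drives to check, but the IP is the machine you actually have to unplug. The onset time is the other thing a responder needs, because it says which snapshot or backup is the last clean one.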