We found the best solution
The entire support team at Technica were seeing a lot of malware-related spam e-mails at client sites, claiming to come from a fairly narrow set of senders (HMRC was the common one) and all containing a .zip attachment that the recipient was encouraged to open.
The file could be run even without admin privileges and was capable of encrypting local and networked data, causing severe disruption necessitating a restore of all encrypted data – not such a problem for those clients backing up every few minutes but a potential headache for those still running nightly backup jobs.
We sent out an amended ‘best practices’ mailshot to make sure all clients were aware of the mass of CryptoLocker mails out there. We also temporarily blocked receipt of .zip files and revised group policy at some clients so that executables couldn’t be run from the standard CryptoLocker file location. Both measures blocked CryptoLocker, but the first also stopped receipt of genuine .zip files and the second blocked other software that launches from the same location, such as Skype or the Chrome browser.
GFI’s Mail Essentials with built-in AV was easily configured to remove executable files from within .zip attachments, and could also be configured to remove the attachment or the entire email.
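The attachment handling described above, as an added example that is not Technica’s or GFI’s code: inspect a .zip attachment for executable members (catching double extensions such as invoice.pdf.exe and recursing into nested archives) and rebuild the archive with those members removed. The extension set and the sample archive are constructed for this example.

```python
import io
import zipfile

# Extensions treated as executable here; this set is an assumption for the
# example, not a list taken from the article or from GFI MailEssentials.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def is_executable_name(name: str) -> bool:
    """Checks the final extension, so 'invoice.pdf.exe' is caught too."""
    lowered = name.lower().rstrip("/")
    return any(lowered.endswith(ext) for ext in EXEC_EXTENSIONS)

def find_executables(zip_bytes: bytes, prefix: str = "") -> list:
    """Paths of executable members; nested archives are joined with '!'."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if is_executable_name(info.filename):
                found.append(prefix + info.filename)
            elif info.filename.lower().endswith(".zip"):
                found.extend(find_executables(zf.read(info), prefix + info.filename + "!"))
    return found

def strip_executables(zip_bytes: bytes) -> bytes:
    """Rebuild the archive without executable members, sanitizing nested zips too."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if is_executable_name(info.filename):
                continue  # drop the executable, keep everything else
            data = src.read(info)
            if info.filename.lower().endswith(".zip"):
                data = strip_executables(data)
            dst.writestr(info.filename, data)
    return out.getvalue()

def build_sample() -> bytes:
    """Constructed attachment: a text file, a double-extension .exe and a
    nested zip hiding a .scr (no real malware, just placeholder bytes)."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("payload.scr", b"MZ placeholder")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("notes.txt", b"hello")
        z.writestr("invoice.pdf.exe", b"MZ placeholder")
        z.writestr("more.zip", inner.getvalue())
    return outer.getvalue()
```

Running find_executables on build_sample() reports both the double-extension file and the member hidden in the nested archive, and the stripped copy reports none.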
Collaborating with GFI and providing them with feedback on how the AV add-on was handling the malicious mail was great. We ended up contributing to the article and raising knowledge and awareness of the solution worldwide.
Read the full article below by Christina Goggi of GFI.
CryptoLocker: Ransomware Back with Vengeance?
The CryptoLocker Virus is a nasty piece of malware doing the rounds that encrypts files on a victim’s computer and issues an ultimatum: Pay up or lose your data. CryptoLocker’s raison d’être is to literally extract a ransom from its victims, which is why malware of its type is also known as “ransomware”.
Among others, the malware is spread through emails purporting to be from some well-known brands, and there are reports that the malware could also come as an attachment in emails which look like voicemail messages, but which are obviously fake. When you click on the attachment, CryptoLocker installs itself on your computer, takes a look at what you have on your hard drive (as well as mapped network drives), encrypts a variety of important file types such as photos and documents, and then begins its ‘negotiations’.
A pop-up window with a 100-hour countdown appears and you’re given details of how to pay the ransom, which typically ranges between $100 and $700.
Now this is where it becomes nasty. If the money is paid before the timer is up, a key is supplied to decrypt the files. If payment is not made, the key is destroyed and those files are lost forever. Encryption technology such as that used by CryptoLocker is specifically designed such that encrypted data cannot be recovered unless the required key is available, so if the creators behind CryptoLocker are really destroying the keys when the ransom is not paid, then the distinct possibility exists that the data is really lost forever – even if the authors of CryptoLocker are eventually caught.
The good news (thus far) is that if the victim pays the ransom, the files are actually decrypted, even though glitches with the decryption have been reported too. Meanwhile, the cyber crooks take the cash and run.
CryptoLocker is billed as one of the most dangerous pieces of ransomware to appear, so what can you do to prevent it from infecting machines and, more importantly, to avoid losing your precious data?
It is highly recommended that you have antivirus software installed and make sure that the product also scans your emails for malicious files and malware. If you’re a sys admin, it’s worth investing in an email security product that trumps desktop AV in one very important area: the number of AV engines that protect your systems.
A number of reports from the field, including from our technology partners Technica Solutions, indicate that there are third-party products that are not catching all the variants of CryptoLocker. Using multiple AV engines is one way of mitigating this risk: this way you leverage the efforts of multiple independent AV labs, you get protection from whichever lab delivers it first (which can vary), and you stand a better chance of at least one of the AV engines nailing CryptoLocker before it causes any damage.
Alex Cachia, director of engineering at GFI®, has some very good and timely advice:
“Gone are the days when we were dealing with script kiddies who were out for some ‘fun’, with all the trouble they caused simply being collateral damage. We are now dealing with cybercriminals who have the technical knowledge, the resources and, above all, a financial incentive, to bypass security and infect victims’ machines. The CryptoLocker Virus is a perfect example of a piece of malware that can cause so many problems.”
He adds: “We recommend the use of multiple AV engines, and not to depend on the single AV engine on the desktop. If the latter fails to catch the problem, you’re in trouble. One of our customers using GFI MailEssentials® with its EmailSecurity module enabled nabbed CryptoLocker thanks to two AV engines blocking it. Others who did not have GFI MailEssentials were not so lucky – and if you’re running GFI MailEssentials with the Anti-Spam module only enabled, it is high time to enable the EmailSecurity module.”
Alex also recommends that companies make sure they have backups that are up-to-date (and tested) and to tell their employees to be vigilant when opening files and clicking on links.
“If a link or a file looks suspicious, flag it to your sys admin. It may be a healthy file, but it could be CryptoLocker. And you don’t want to be the poor guy who triggered CryptoLocker at your workplace,” Alex suggests.