11 things you can do to protect against ransomware, including Cryptolocker

Ransomware is malicious software that cyber criminals use to hold your computer or computer files for ransom, demanding payment from you to get them back. Sadly, ransomware is becoming an increasingly popular way for malware authors to extort money from companies and consumers alike. There are a variety of ways ransomware can get onto a person’s machine, but as always, those techniques boil down either to social engineering or to exploiting software vulnerabilities in order to install silently on a victim’s machine.

Why is Cryptolocker so noteworthy?

One specific ransomware threat that has been in the news a lot lately is Cryptolocker (detected by ESET as Win32/Filecoder; check the ESET Knowledge Base for updated information on detection of Cryptolocker and other ransomware). The perpetrators of Cryptolocker have been emailing it to huge numbers of people, targeting particularly the US and UK. Like a notorious criminal, this malware has been associated with a variety of other bad actors – backdoor Trojans, downloaders, spammers, password-stealers, ad-clickers and the like. Cryptolocker may come on its own (often by email) or by way of a backdoor or downloader, brought along as an additional component.

You may wonder why the big fuss over this one particular ransomware family – in essence, it is because Cryptolocker’s authors have been both nimble and persistent. There has been a concerted effort to pump out new variants, keeping up with changes in protection technology, and targeting different groups over time.

Since the beginning of September, the malware authors have sent waves of spam emails targeting different groups. Most of the targeted groups have been in the US and the UK, but there is no geographical limit on who can be affected, and plenty of people outside of either country have been hit. Initially emails were targeting home users, then small to medium businesses, and now they are going for enterprises as well.

The malware also spreads via RDP ports that have been left open to the Internet, as well as by email. Cryptolocker can also affect a user’s files that are on drives that are “mapped”, which is to say, they have been given a drive letter (e.g. D:, E:, F: ). This could be an external hard-drive including USB thumb drives, or it could be a folder on the network or in the Cloud. If you have, say, your Dropbox folder mapped locally, it can encrypt those files as well.

At this point, tens of thousands of machines have been affected, though it is estimated that the criminals have sent millions of emails. Hopefully the remainder of recipients simply deleted the malicious emails without opening them, rather than them sitting unopened, waiting to unleash more pain.

Those people who have been affected have had a large number of their files encrypted. These files are primarily popular data formats, files you would open with a program (like Microsoft Office, Adobe programs, iTunes or other music players, or photo viewers). The malware uses two layers of encryption: the files themselves are encrypted with 256-bit AES, and the AES keys generated in that first step are then encrypted with a 2048-bit RSA public key. The malware authors keep the matching RSA private key, which is the only thing that can recover the AES keys and, through them, the files. That private key cannot be brute-forced, and since it is never present on the affected computer it cannot be gathered from memory either. The criminals are ostensibly the only ones who have it.

What can you do about it?

On the one hand, ransomware can be very scary – the encrypted files can essentially be considered damaged beyond repair. But if you have properly prepared your system, it is really nothing more than a nuisance. Here are a few tips that will help you keep ransomware from wrecking your day:

1. Back up your data
The single biggest thing that will defeat ransomware is having a regularly updated backup. If you are attacked with ransomware you may lose that document you started earlier this morning, but if you can restore your system to an earlier snapshot or clean up your machine and restore your other lost documents from backup, you can rest easy. Remember that Cryptolocker will also encrypt files on drives that are mapped. This includes any external drives such as a USB thumb drive, as well as any network or cloud file stores that you have assigned a drive letter. So, what you need is a regular backup regimen, to an external drive or backup service, one that is not assigned a drive letter or is disconnected when it is not doing backup.
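As an added example (not code from the article), here is one way to build the backup regimen tip 1 calls for, in PowerShell: a dated copy of a folder to a network share reached only by its UNC path, so it never holds a drive letter, with old copies pruned after a retention period. The share \\backup-srv\vault and the account BACKUP\svc_backup are placeholders; the design assumes the script is scheduled to run as that account and that only that account has write access to the share.

```powershell
# Added example (not from the original article): a dated, versioned backup of a
# folder to a network share reached by UNC path only, so it never appears as a
# drive letter. Placeholders (assumptions, not from the page): \\backup-srv\vault
# and the account BACKUP\svc_backup, under which this script is scheduled; only
# that account is granted write access to the share, so a process running as the
# interactive user cannot reach the copies even while a backup is in progress.
param(
    [string]$Source   = "$env:USERPROFILE\Documents",
    [string]$Vault    = '\\backup-srv\vault\documents',
    [int]   $KeepDays = 30
)

# Each run goes into its own dated folder. A plain mirror (robocopy /MIR) would
# copy freshly encrypted files over yesterday's good copies on the next run;
# separate dated folders keep the earlier versions until they are pruned.
$stamp = Get-Date -Format 'yyyy-MM-dd_HHmm'
$dest  = Join-Path $Vault $stamp

# /E copies subfolders (including empty ones), /XJ skips junction points,
# /R:1 /W:1 keep retries short, /NP /NFL /NDL trim the output to the summary.
& robocopy.exe $Source $dest /E /XJ /R:1 /W:1 /NP /NFL /NDL

# robocopy exit codes below 8 are informational (files copied, extras seen);
# 8 and above mean at least one file failed to copy.
if ($LASTEXITCODE -ge 8) {
    throw "robocopy reported failures (exit code $LASTEXITCODE); backup $stamp is incomplete"
}

# Prune dated copies older than $KeepDays, never the one just written.
$cutoff = (Get-Date).AddDays(-$KeepDays)
Get-ChildItem -Path $Vault -Directory |
    Where-Object { $_.Name -ne $stamp -and $_.CreationTime -lt $cutoff } |
    Remove-Item -Recurse -Force

Write-Output "Backup $stamp completed; copies older than $KeepDays days pruned."
```

Schedule it with Task Scheduler to run as the backup account, not as the interactive user, and grant only that account write access to the share. Without that separation a UNC path is no real barrier: any process running as a user who can write to the share can write to it by UNC path whether or not a drive letter is assigned. And restore from the copies periodically; a backup you have never restored from is an assumption, not a backup.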

The next three tips are meant to deal with how Cryptolocker has been behaving. This may not be the case forever, but these tips can increase your overall security in small ways that help protect against a number of common malware techniques.

2. Show hidden file-extensions
One way that Cryptolocker frequently arrives is in a file named with a double extension such as “.PDF.EXE”, counting on Windows’ default behavior of hiding known file extensions so that the file appears to end in “.PDF”. If you re-enable the display of the full file extension, it is easier to spot such files.

3. Filter EXEs in email
If your gateway mail scanner has the ability to filter files by extension, you may wish to deny mails sent with “.EXE” files, or to deny mails sent with files that have two file extensions, the last one being executable (“*.*.EXE” files, in filter-speak). If you do legitimately need to exchange executable files within your environment and are denying emails with “.EXE” files, you can do so with ZIP files (password-protected, of course) or via cloud services. Bear in mind that the gateway cannot inspect the contents of a password-protected archive, so that route should be reserved for known senders rather than opened to everyone.
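As an added example (not code from the article), the “.EXE” and “*.*.EXE” rules from tip 3 are expressed here as a PowerShell function you can run over attachment names, for instance from a gateway log, to see what a rule would deny before you enable it at the gateway. The list of executable extensions is an assumption; the article names only .EXE.

```powershell
# Added example (not from the original article): the ".EXE" and "*.*.EXE" rules
# from tip 3 as a function over attachment names. The executable-extension list
# is an assumption; the page names only .EXE.
function Test-SuspiciousAttachmentName {
    param([Parameter(Mandatory)][string]$Name)

    # Extensions Windows runs on double-click (assumed list; align it with what
    # your gateway treats as executable).
    $executable = @('exe', 'scr', 'com', 'pif', 'bat', 'cmd', 'vbs', 'js', 'hta')

    function New-Verdict([string]$Verdict, [string]$Reason) {
        [pscustomobject]@{ Name = $Name; Verdict = $Verdict; Reason = $Reason }
    }

    # "invoice.pdf.exe" -> invoice, pdf, exe. Trailing whitespace is trimmed
    # because Windows strips it from the saved file name anyway.
    $parts = $Name.Trim().ToLowerInvariant().Split('.')
    if ($parts.Count -lt 2) { return New-Verdict 'allow' 'no extension' }

    $last = $parts[-1]
    if ($executable -notcontains $last) {
        return New-Verdict 'allow' "final extension .$last is not executable"
    }
    if ($parts.Count -eq 2) {
        # The plain ".EXE" rule.
        return New-Verdict 'deny' "executable attachment (.$last)"
    }
    # The "*.*.EXE" rule: with known extensions hidden, Explorer shows this name
    # ending in the penultimate extension, the disguise tip 2 is meant to defeat.
    return New-Verdict 'deny' "double extension .$($parts[-2]).$last disguises an executable"
}

# Constructed sample names, not taken from real mail.
$samples = @(
    'invoice.pdf.exe', 'Report.PDF', 'photo.jpg.SCR', 'archive.tar.gz',
    'setup.exe', 'README', 'notes.docx', 'statement.xlsx.js'
)
$samples | ForEach-Object { Test-SuspiciousAttachmentName -Name $_ } | Format-Table -AutoSize
```

Of the constructed samples, invoice.pdf.exe, photo.jpg.SCR, setup.exe and statement.xlsx.js are denied and the rest allowed; archive.tar.gz has two extensions but no executable one, so the “*.*.EXE” rule leaves it alone. Apply the same test to the names inside any archive the gateway can open, since senders of this malware routinely zip the executable.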

4. Disable files running from AppData/LocalAppData folders
You can create rules within Windows (for example, with Software Restriction Policies) or with intrusion prevention software to disallow a particular, notable behavior used by Cryptolocker, which is to run its executable from the App Data or Local App Data folders. If (for some reason) you have legitimate software that you know is set to run not from the usual Program Files area but from the App Data area, you will need to exclude it from this rule.

5. Use the Cryptolocker Prevention Kit
The Cryptolocker Prevention Kit is a tool created by Third Tier that automates the process of making a Group Policy to disable files running from the App Data and Local App Data folders, as well as disabling executable files from running from the Temp directory of various unzipping utilities. This tool is updated as new techniques are discovered for Cryptolocker, so you will want to check in periodically to make sure you have the latest version. If you need to create exemptions to these rules, they provide this document that explains that process.

6. Disable RDP
The Cryptolocker/Filecoder malware often reaches target machines over Remote Desktop Protocol (RDP), the Windows feature that allows others to access your desktop remotely. If you do not require RDP, disable it to protect your machine from Filecoder and from other attacks that arrive over RDP; an RDP port left open to the Internet is a standing invitation to guess your account passwords. If you do need remote access, do not expose RDP directly to the Internet. For instructions on disabling it, see the Microsoft Knowledge Base article for your version of Windows.
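As an added example (not code from the article, nor from the Third Tier kit), the following PowerShell script applies tips 2, 4 and 6 on a stand-alone Windows machine, with the archive-tool temp folders from tip 5 included in the path rules. It assumes Windows 8 / Server 2012 or later for the firewall cmdlets, and that the machine is not receiving these settings from a domain GPO (on a domain, put the same rules into a GPO). The Software Restriction Policy rules are written to the registry location the local policy editor itself uses; the exemption path at the end is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article or the Third Tier kit): applies
# tips 2, 4 and 6 on a stand-alone Windows machine. Assumptions: Windows 8 /
# Server 2012 or later (NetSecurity cmdlets) and no domain GPO overwriting these
# settings. Software Restriction Policy (SRP) rules are written to the registry
# key that Local Security Policy itself stores them in.

# --- Tip 2: Explorer shows known file extensions (HideFileExt = 0), so
#     "invoice.pdf.exe" no longer displays as "invoice.pdf". Per-user setting.
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
    -Name 'HideFileExt' -Value 0 -Type DWord

# --- Tip 6: refuse Remote Desktop connections and close the inbound firewall
#     rules that would otherwise accept them.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name 'fDenyTSConnections' -Value 1 -Type DWord
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# --- Tip 4 (and the temp folders from tip 5): SRP path rules. Security level
#     0 = Disallowed, 0x40000 (262144) = Unrestricted. The default level stays
#     Unrestricted so that only the listed paths are blocked.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path "$safer\0\Paths"      -Force | Out-Null   # Disallowed rules
New-Item -Path "$safer\262144\Paths" -Force | Out-Null   # Unrestricted (exemption) rules
Set-ItemProperty -Path $safer -Name 'DefaultLevel'       -Value 0x40000 -Type DWord
Set-ItemProperty -Path $safer -Name 'TransparentEnabled' -Value 1       -Type DWord  # all software files except DLLs
Set-ItemProperty -Path $safer -Name 'PolicyScope'        -Value 0       -Type DWord  # all users, administrators included
Set-ItemProperty -Path $safer -Name 'ExecutableTypes'    -Type MultiString -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP','LNK',
    'MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')

function Add-SaferPathRule {
    param([string]$Level, [string]$Path, [string]$Description)
    # Each rule is a GUID-named subkey; ItemData holds the path pattern, with
    # environment variables expanded in the context of the user launching the file.
    $key = Join-Path "$safer\$Level\Paths" ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'ItemData'    -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $key -Name 'SaferFlags'  -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name 'Description' -Value $Description -Type String
}

$blocked = @(
    '%AppData%\*.exe',      '%AppData%\*\*.exe',        # tip 4: roaming AppData
    '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe',   # tip 4: local AppData
    '%Temp%\Rar*\*.exe',    '%Temp%\7z*\*.exe',         # tip 5: WinRAR / 7-Zip temp folders
    '%Temp%\wz*\*.exe',     '%Temp%\*.zip\*.exe'        # tip 5: WinZip / Explorer zip temp folders
)
foreach ($p in $blocked) { Add-SaferPathRule -Level '0' -Path $p -Description "Ransomware dropper path: $p" }

# Exemption from tip 4: SRP gives a more specific path rule precedence over a
# broader one, so this Unrestricted entry wins over the Disallowed wildcards.
# The product path is a placeholder (assumed), not a recommendation.
Add-SaferPathRule -Level '262144' -Path '%LocalAppData%\ExampleVendor\app.exe' `
    -Description 'Exemption: legitimate per-user install (assumed path)'

Write-Output 'Done. Restart Explorer for the extension change; log off and on (or reboot) so the SRP rules apply to every new process.'
```

Run it from an elevated PowerShell prompt. Afterwards, open Local Security Policy, Software Restriction Policies, Additional Rules: the eight Disallowed entries should be listed there, and anything that legitimately runs from AppData needs its own Unrestricted rule like the one at the end. Note that with TransparentEnabled set to 1 the policy does not cover DLLs, which is the usual trade-off for keeping the rules cheap to evaluate.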

7. Patch or Update your software
These next two tips are more general malware-related advice, which applies equally to Cryptolocker as to any malware threat. Malware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to silently get onto your system. It can significantly decrease the potential for ransomware-pain if you make a practice of updating your software often. Some vendors release security updates on a regular basis (Microsoft and Adobe both use the second Tuesday of the month), but there are often “out-of-band” or unscheduled updates in case of emergency. Enable automatic updates if you can, or go directly to the software vendor’s website, as malware authors like to disguise their creations as software update notifications too.

8. Use a reputable security suite
It is always a good idea to have both anti-malware software and a software firewall to help you identify threats or suspicious behavior. Malware authors frequently send out new variants to try to avoid detection, which is why it is important to have both layers of protection. And at this point, most malware relies on remote instructions to carry out its misdeeds. If you run across a ransomware variant that is so new that it gets past anti-malware software, it may still be caught by a firewall when it attempts to connect with its Command and Control (C&C) server to receive instructions for encrypting your files.

If you find yourself in a position where you have already run a ransomware file without having performed any of the previous precautions, your options are quite a bit more limited. But all may not be lost. There are a few things you can do that might help mitigate the damage, particularly if the ransomware in question is Cryptolocker:

9. Disconnect from WiFi or unplug from the network immediately
If you run a file that you suspect may be ransomware, but you have not yet seen the characteristic ransomware screen, then if you act very quickly you might be able to stop communication with the C&C server before it finishes encrypting your files. If you disconnect yourself from the network immediately (have I stressed enough that this must be done right away?), you might mitigate the damage. It takes some time to encrypt all your files, so you may be able to stop it before it succeeds in garbling them all. This technique is definitely not foolproof, and you might not be sufficiently lucky or be able to move more quickly than the malware, but disconnecting from the network may be better than doing nothing.

10. Use System Restore to get back to a known-clean state
If you have System Restore enabled on your Windows machine, you might be able to take your system back to a known-clean state. But, again, you have to out-smart the malware. Newer versions of Cryptolocker can delete the Volume Shadow Copies (“shadow” files) that System Restore relies on, which means those copies will not be there when you try to replace your malware-damaged files. Cryptolocker starts the deletion process whenever an executable file is run, so you will need to move very quickly, as executables may be started as part of an automated process. That is to say, executable files may be run without you knowing, as a normal part of your Windows system’s operation.

11. Set the BIOS clock back
Cryptolocker has a payment timer that is generally set to 72 hours, after which time the price for your decryption key goes up significantly. (The price may vary, as Bitcoin has a fairly volatile value. At the time of writing the initial price was 0.5 Bitcoin or $300, which then goes up to 4 Bitcoin.) You can “beat the clock” somewhat by setting the BIOS clock back to a time before the 72-hour window is up. I give this advice reluctantly, as all it can do is keep you from having to pay the higher price, and we strongly advise that you do not pay the ransom. Paying the criminals may get your data back, but there have been plenty of cases where the decryption key never arrived or where it failed to properly decrypt the files. Plus, it encourages criminal behavior! Ransoming anything is not a legitimate business practice, and the malware authors are under no obligation to do as promised – they can take your money and provide nothing in return, because there is no backlash if the criminals fail to deliver.

Further information

If you are an ESET customer and are concerned about ransomware protection or think you have been targeted by ransomware, call the customer care number for your country/region. They will have the latest details on how to prevent and remediate ransomware attacks.

In addition, there are several We Live Security articles that provide more information on this threat, see: Filecoder: Holding your data to ransom and Remote Desktop (RDP) Hacking 101: I can see your desktop from here! For an audio explanation of, and historical perspective on, the topic of ransomware, listen to Aryeh Goretsky’s recent podcast on the subject: Ransomware 101.

Finally, it should be noted that the recent rash of ransomware attacks has generated a lot of breathless news coverage, mainly because it is a departure from previous trends in financially motivated malware (which tended to be stealthy and thus not data-damaging). Ransomware can certainly be frightening, but there are many benign problems that can cause just as much destruction. That is why it has always been, and always will be, best practice to protect yourself against data loss with regular backups. That way, no matter what happens, you will be able to restart your digital life quickly. It is my hope that if anything good can come out of this ransomware trend, it is an understanding of the importance of performing regular, frequent backups to protect our valuable data.

Author, ESET

  • Carlo Piana

    Never heard more nonsense. GNU/Linux is totally immune to .exe viruses. Not even mentioning it seems totally rubbish, while it should be the first advice against any virus. Sorry.

    • I’m not sure I understand. Are you saying that Windows users should switch to Linux in order to avoid malware?

    • luke

      Because its too obvious to mention?

      Why not berate the author for not saying ‘switch to MacOS?’

    • lnxliz

      The author clearly doesn’t understand the UNIX/Linux OS.

      • I’m not the author, but I’m confused as to where these comments about Linux are coming from. The article isn’t about Linux.

        • David

          What about reverse lookup? Certainly is a simple method to deter unwanted spoofed email.

  • Gareth

    The thing is, if the Linux desktop became popular it would also get viruses; this has started happening with Mac OS X.

    • Edward Rex

      Mac OS X viri exist, as do Linux viri, and Catholic nuns get STDs just like hookers. But don’t delude yourself about the rate of infection.

      • Lou

        “Nuns get STDs just like Hookers” – that is hilarious! You just made my day.

        • MOST nuns never connect to the Internet…if you get my analogy right.

          • bveni mutiro

            hahaha… this made my week, if not year

  • bikeamtn

    Nice article, had more details and advice than others I’ve read (attention to mapped-drives and securing port vulnerability, with the latter always of concern).
    Additionally; most web-email portals will allow (right-click) ‘Open Email Source Header’ without opening the actual email. This allows for inspection and sender mail-route DNS-IP verification, quickly using a WHOIS lookup. In the past, such fraudulent emails were goofy looking but today the underworld has become better at doing bad.

    Question: Does ‘User Rights’ have any part in this? Could payload execution complete even with a Guest-User logon, let’s say?

    • Adam Brown

      Granting any rights to run executables or scripts opens the way for payload delivery, but users without delete access to files can’t encrypt anything. They also can’t save their work.

  • Ronald Choi

    Somewhat late but want to point out that Set the BIOS clock back does NOT work. They store the private key on a private server which will be deleted after certain amount of time

  • David Potter

    This is yet another headache that makes my phone ring.
    Yes it is a small income for me when I help people restore their machines as it often takes a re-format to recover completely, but I am always wary.
    There are, in my opinion, Two types of computer users, those who back-up their data and those who wish they had backed-up their data….

  • Oren Paz

    Here is something many (none I’ve seen, in fact) fail to add, and I would even start with, to protect against Ransomware (especially for organizations, but also for individuals): FILE-LEVEL ENCRYPTION.
    The worst impact of ransomware, assuming you regularly and frequently and appropriately backup your data, is not having the file inaccessible/readable – you have the backup to recover from that, or even if not – in many cases you could redo your work (not fun, I know, not cheap sometimes, I know, not even possible sometimes – I know, but if you do have backup – it is trivial), but what you cannot recover, and would almost always be more detrimental (when the file in question contained sensitive or even outright confidential information) is confidentiality – having the attacker know your sensitive information (like bank info, medical info, client info, proprietary Intellectual Property, Etc.), and you cannot recover the trust your clients would lose in your ability to provide them safe and reliable information related services.
    This could very well be the most expensive (direct cost in fines or contract violation costs, but also indirect costs – loss of revenue from loss of consumer trust or even loss of license to provide these services for which the data was compromised).
    Using file-level encryption is the only way to essentially fight back against the attacker using their own approach – if they can’t read what they hijacked, and if you can easily recover that information, then their attack is fruitless other than the hassle it causes to restore from backup (and encrypt any files you want protected).
    Live long and prosper!…

    • Greg Kutzbach

      If I follow your line of thinking, you believe that if you had your own file-level encryption set up (such as BitLocker) then you would be in better shape.

      I believe you’re off the mark a bit. If the ransomware program is running under an account that can read and open the files, then that means the files are currently decrypted (or able to be natively decrypted). In this case, if the attacker wanted to both steal a copy of the files AND layer on its own encryption, it very well could.

      File level encryption on your end is only going to protect the system from thievery when the files are inaccessible. Examples of inaccessible files are another user’s profile files, a turned off laptop, direct access to a hard drive, etc.

  • Roars

    I had wondered: if your HD was already encrypted with something like FileVault or something else, could it encrypt over the previous encryption, or would encrypting your HD prevent them from doing it?

    • Yussef Ibn la ahad

      Of course it can. Why couldn’t it?

    • Adam Brown

      Whole disk encryption doesn’t prevent files from being encrypted individually, so this would not be a good solution to the problem. Having individual files encrypted won’t keep them from being encrypted again, either. Setting permissions to deny delete operations will stop ransomware, but introduces new problems, for instance, updating and saving a file uses the delete action, so you would end up with two copies of the file.

  • Roars

    How does it encrypt everything without permission from, say, the admin?

    • Spark

      It will encrypt anything it can get access to. Once encrypted it doesn’t matter what rights you have to the file. The file will be pure gibberish unless you have the private key to decrypt. To understand more fully just research public key encryption.

    • stavian

      @disqus_ETGdxHfTvo:disqus Generally people give it permission, the same way they install it without knowing. You can get more here: https://www.antivirustalk.com/how-to-prevent-ransomware/

    • krim zone

      Could try limited user accounts on top of an admin account?

  • rubyangel

    I have never felt comfortable allowing anyone to Remote Access my computer. That’s always the first thing I disable.

  • John Powers

    Use Sandboxie (or any sandbox program) to protect your browser and email program from malware, including ransomware.
    Sandboxie treats all software as untrusted and contains all files within the sandbox when closed.

  • Khalid Eid

    I have a Windows Server 2012. All important files were encrypted by RANSOMWARE.
    Who can help?

  • tsandco

    Why not disable the ability to encrypt files on your PC?

    Windows and Apple need to make encryption an “off or on” switch on your PC.

    • cornz

      You don’t quite understand how ransomware works..

      • tsandco

        Perhaps, but pc/laptop vendor could solve this issue.

        Whether ransomware’s encryption uses the computer’s ability to encrypt, or the virus encrypts, wouldn’t matter if the file structure was designed to prevent encryption.

        During installation, and configurable later, the user should be asked if they want to encrypt their files

        My 76-year-old father didn’t need/want the ability to encrypt his pictures and email.

        Unfortunately the ransomware email did it for him. This included his pc pics of his grandkids and included the 2 external backup HD that were connected to his pc. He refused to pay 600 bit coins to fix.

        • cornz

          You STILL don’t understand either encryption, file systems or, more fundamentally, computer hardware. Look, the file system is irrelevant. The computer has to read the data, encrypted or not. IF it’s encrypted, it MUST be decrypted for the computer/user to understand it. The INSTANT it’s held in RAM in a decrypted state, the virus, malware, ransomware or whatever would THEN encrypt it with a different system. At that point your data is lost. File systems cannot and will not ever defeat ransomware.

    • Sheila Doyle

      can’t this be done by simply restricting deletes on all important files?

  • Mr. Billy

    An apparently simple method I’ve thought of to defend files in cloud services like OneDrive, Google Drive, DropBox, etc, would be to enable an optional feature to simply ask the user’s permission to upload to the cloud, using an interactive dialog box. This dialog box should also notify as to how many files are in the queue for upload to the cloud. As things currently operate, if Ransomware scrambles files in a local cloud service folder on a PC, the scrambled files automatically get uploaded to the cloud, and from there are downloaded to all other connected PCs. It would take a pretty clever Ransomware attack to be able to click OK on the dialog box and then proceed to corrupt the files in the cloud. A paranoid option could ask for 2 factor authentication before upload.

    From the user’s point of view, a request to upload that pops up immediately following something they did in the folder, and for a number of files that seems reasonable with respect to what was done (edits, copies, etc) – such a request can be deemed as innocent and receive an immediate OK. If, however, a dialog box pops up out of nowhere, and with a request to upload numerous files, then alarm bells should go off in the user’s head and an option should be available in the same dialog box to immediately unlink the local folder from the cloud in order to protect it.

    Such a feature would be something cloud providers can implement. Hopefully one of them will pick up the gauntlet and try this idea out. It is, of course, not foolproof and requires the user to be aware of what’s going on and use common sense, but it’s certainly better than nothing, which is the situation at the moment. There are many other similar warnings already being issued automatically, against opening files from unknown sources etc, and this would be yet another such warning, but it would provide a form of defense which at the moment is nonexistent.

    By the way… I’ve already implemented a primitive version of this idea in Evernote. I’ve simply turned off all forms of automatic sync to the Evernote cloud from all connected PCs. I then have to manually sync anything I add and I do this only if I’m pretty sure, at any given moment, that the PC has not been compromised.

  • Timothy Takemoto

    Is there some sort of weird character string that I could put in my data folder name that might prevent the thing from encrypting it?

  • Matt

    I’ve been working on a Honeypot/Tripwire system to reduce the spread on a file server, the source for this system is available at https://github.com/mattyesit/cryptohoneypot

    Still need to make a more efficient design, however this system creates a folder called 0_Honeypot with sample data that can be encrypted, once the system discovers that a file has had a change (within 0.5 seconds) it will stop the server service preventing any further changes to files. The reason for the 0_Honeypot is that it should sit as the first folder in any share, with the ransomware targeting in alphabetical order.

    Any contributions would be appreciated :)

  • Roland Giesler

    It has been a while, but the problem is still very much around, so I have a question.

    In the article it is stated: “The malware also spreads via RDP ports that have been left open to the Internet,” Please elaborate on that. As far as I can tell, RDP in itself does not have a known exploitable vulnerability. So unless someone can do a MitM attack from the LAN on which an RDP machine sits, it has to be a password hack either through brute force (easily prevented by strong passwords), social engineering, by conning a user to enter their password into a phishing site or some other means.

    Just having RDP open, does not mean that the ransomware will be uploaded or executed via this. Am I right?

    • Adam Brown

      No, but RDP ports on the internet is an open/no time limit invitation for hackers to try cracking your admin passwords. If any username/password is weak or easily guessed, you’ll be in big trouble. If you need RDP access on the net, protect it with RD gateway using an internal CA certificate.

  • Yussef Ibn la ahad

    Exactly, people who lose their files I won’t pity; it’s their fault entirely… their storage media, whatever it is, is BOUND to fail anyway

  • Cap’_’n dread

    Computers should all come with a “NUKE” button so that you can kill everything that happened since last start-up, or last update. I have an old laptop and I want to install Wana Decrypt0r 2 and see it all happen in front of me and find out more about this scumbag software code. Trouble is, I cannot find it anywhere; seems I should go get a job at the NHS or Toyota for that.

  • Cap’_’n dread

    damn disqus i cannot post on here

  • This is what tech support people are doing. and have been doing. The f**king business :(

  • Very helpful information indeed. Thanks for sharing it with us Lysa..


Copyright © 2018 ESET, All Rights Reserved.