Businesses offer best practices for escaping CryptoLocker hell

It is an IT nightmare: Businesses hit with the CryptoLocker malware find their electronic files locked up inside strong encryption and the extortionist operating the malware botnet demanding money to give them the security key that would let companies get their data back.

What do you do to escape this crypto hell of ransomware? A few corporations here detail their experiences with the nasty malware and say in many cases back-up and restoration was their only way out.

"My shop manager was trying to open a file and his computer kept coming up with an encryption error," says Chris Albrecht, office manager at W.C. Machine & Tool, about the shock of finding out CryptoLocker had struck the metal fabrication and engineering firm he works at. "We tried other files on the network," including those in a storage server, but they, too, all appeared to be inaccessible. "It all came out of the blue."

What happened a couple of weeks ago at the Chandler, Ariz.-based W.C. Machine & Tool is that someone there opened an e-mail with CryptoLocker in the attachment. The ransomware then aggressively spread to infect Windows-based computers and encrypt files wherever it could.


W.C. Machine & Tool immediately contacted its IT services provider, Mytek Network Solutions, and an account manager there, Theo Soumilas, says it was evident that tens of thousands of files were encrypted so W.C. Machine & Tool couldn't access them. At one point, there was some kind of extortion message asking for money in exchange for the encryption key, but nobody advocated going along with that.

The decision was made that it was necessary to basically "dump" the entire encrypted file contents and re-make the network file installation through back-up and restoration. W.C. Machine & Tool does daily back-up with its cloud provider, Axcient, and the restoration was completed over several hours one weekend.

Another Axcient customer, the Washington, Pa.-based law firm of Yablonski, Costello & Leckie, had a similar unsettling encounter with the CryptoLocker ransomware over the last few weeks, too.

As far as the law firm can discern, says attorney J. Scott Leckie, it all started when another attorney for the firm was on his home computer, logged into the corporate network, and apparently opened an e-mail attachment containing CryptoLocker.

"All of a sudden his laptop went black," says Leckie. Then suddenly others at the law firm were locked out of their Windows-based computers, too. The law firm called its tech-services support firm, Ceeva, and "we said, something is wrong here, we don't know what," says Leckie.

CryptoLocker had struck once more, dodging Symantec anti-malware and spam filtering, says Rick Topping, vice president at Ceeva. CryptoLocker is so "dynamic," Topping remarked, it sometimes manages to evade anti-malware software. Ceeva, too, found it was necessary to go through a back-up and restoration process to regain its files, which in this case took half a day.

Leckie, still puzzling over exactly which CryptoLocker-infected e-mail hit his partner, says fighting off CryptoLocker was a disruptive experience. Backing up data is critical to the operation of the business, he noted, adding that it makes him glad that at his law firm, "we're still saving the paper."

Anti-malware firms asked about CryptoLocker and what they've seen of it since it was first noticed in the September timeframe say it's primarily targeting the U.S. through phishing e-mail and is likely being run as a criminal operation by a Russian-speaking cyber-gang.

CryptoLocker "mostly targets English-language-speaking people" mainly in the U.S., but also the U.K., Australia and Canada, says Jerome Segura, senior security researcher at Malwarebytes.

Because CryptoLocker uses AES 256-bit encryption to lock up victims' data, it is not practical to break the encryption manually, malware researchers agree. The best way to ensure that you can get your data back is to keep good backups in a way that CryptoLocker cannot reach and encrypt directly. "And that backup service should have backups of its backups," says Adam Wosotowsky, McAfee messaging data architect.
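The restore-from-backup path the companies above took only works if the snapshot you restore predates the encryption, and a backup job that runs after CryptoLocker has started will faithfully copy the encrypted files. The following is an added example, not code from the article or from any of the vendors it names: it uses per-file Shannon entropy as a heuristic to flag snapshots that already contain encrypted files, picks the newest snapshot that still looks clean, and checks a restore against a hash manifest. The entropy and taint thresholds are assumptions, and the snapshots are constructed in memory so the script runs offline.

```python
import hashlib
import math
import random
from collections import Counter
from typing import Dict, List, Optional

# Assumed thresholds: ordinary documents sit well below 7.2 bits/byte, while
# ciphertext (and compressed data, a known false positive) sits near 8.
ENTROPY_THRESHOLD = 7.2
# Share of high-entropy files above which a snapshot is treated as tainted.
TAINT_RATIO = 0.2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Heuristic: near-uniform byte distribution suggests the file was encrypted."""
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def snapshot_taint_ratio(snapshot: Dict[str, bytes]) -> float:
    """Fraction of files (path -> content) in a snapshot that look encrypted."""
    if not snapshot:
        return 0.0
    flagged = sum(1 for content in snapshot.values() if looks_encrypted(content))
    return flagged / len(snapshot)


def last_clean_snapshot(snapshots: List[Dict[str, bytes]]) -> Optional[int]:
    """Index of the newest snapshot (oldest first) below TAINT_RATIO, or None."""
    for i in range(len(snapshots) - 1, -1, -1):
        if snapshot_taint_ratio(snapshots[i]) < TAINT_RATIO:
            return i
    return None


def make_manifest(snapshot: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 per file, recorded at backup time so a restore can be verified."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in snapshot.items()}


def verify_restore(manifest: Dict[str, str], restored: Dict[str, bytes]) -> List[str]:
    """Paths whose restored content is missing or does not match the manifest."""
    return sorted(
        path for path, digest in manifest.items()
        if hashlib.sha256(restored.get(path, b"")).hexdigest() != digest
    )


# --- constructed sample data; not taken from any real incident ---
CLEAN_DOC = b"Invoice 1042: 12 units of 3/8 inch steel rod, net 30 days.\n" * 40
# Deterministic stand-in for a file that has been encrypted in place.
_rng = random.Random(7)
CIPHERTEXT_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))


def _snapshot(encrypted_files: int, total: int = 5) -> Dict[str, bytes]:
    """Snapshot of `total` files, the first `encrypted_files` of them encrypted."""
    return {
        f"shared/job{i}.txt": CIPHERTEXT_LIKE if i < encrypted_files else CLEAN_DOC
        for i in range(total)
    }


# Daily snapshots, oldest first: two clean days, then the infection spreads.
SNAPSHOTS: List[Dict[str, bytes]] = [_snapshot(0), _snapshot(0), _snapshot(2), _snapshot(5)]


if __name__ == "__main__":
    for day, snap in enumerate(SNAPSHOTS):
        print(f"day {day}: taint ratio {snapshot_taint_ratio(snap):.2f}")
    clean = last_clean_snapshot(SNAPSHOTS)
    print("restore from day", clean)  # prints 1
    manifest = make_manifest(SNAPSHOTS[clean])
    print("mismatches after restore:", verify_restore(manifest, SNAPSHOTS[clean]))
```

The entropy check is a triage aid, not proof: archives, images and already-compressed documents score high, so on a real file share the threshold should be tuned per file type or the ratio compared against a baseline from known-good snapshots. The manifest step is the part worth automating regardless, since it turns "the restore finished" into "every file came back intact."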

CryptoLocker extortionists promise to send the private encryption key for unlocking your encrypted data through its botnet-based command-and-control system if payment, typically $300, is received through Bitcoin. But sometimes the encryption key isn't delivered anyway, if only because CryptoLocker's automated system has put time limits on response from the victims.

Trend Micro has tracked that as typically being 72 hours. But that's subject to change, of course. Trend Micro's threat communications manager Christopher Budd says CryptoLocker does try all tricks possible to be evasive, so sometimes anti-malware software will detect and stop it, other times not.

Anti-malware firm Bitdefender this week said it's been tracking how CryptoLocker works through "sinkholing" its botnet command-and-control servers, determining that in just the Oct. 27 and Nov. 1 timeframe, CryptoLocker managed to hit 10,000 victims.

Razvan Stoica, communications specialist at Bitdefender, says CryptoLocker's targets appear to be almost exclusively in the U.S. Why that is remains unknown, he says, but perhaps "that's where the money is." CryptoLocker's fast-shifting command-and-control infrastructure, however, lives mainly outside the U.S., on servers in Russia, Germany, Kazakhstan and Ukraine. A number of malware researchers think that law enforcement is going to eventually catch up with the cyber-criminals operating CryptoLocker, perhaps by tracking them through the Bitcoin system.

CryptoLocker right now appears to be relying solely on sending volumes of phishing e-mail with dangerous attachments as a way to trick the victim into opening an attachment and letting CryptoLocker loose in an organization. It doesn't seem to be used as a targeted attack against specific companies but is arriving in waves with the typical kind of spam deceptions, such as messages that appear to come from FedEx or U.P.S., according to some researchers.

CryptoLocker is hardly the first ransomware to plague computer users. Another type of ransomware, called the FBI Virus, which can hit either a Windows PC or an Apple Mac to take away control from the user, was seen with a new twist this week. According to Malwarebytes researcher Segura, the Mac OS X version of the ransomware is now demanding an additional fee above the first demand for $300. The second demand says it has your criminal records and will delete them for $450, he points out.

It's a bad idea to respond to blackmail. And it's possible to get rid of the FBI Virus, though much harder on the Windows PC than the Apple Mac, where it exists as more of a browser infection.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:
