
The rise of crypto-locker malware

By Scott La Franchie, 29 April 2016


Information is valuable, they say. How valuable? Victims of crypto-locker attacks tend to find out in the most unpleasant way possible.

The premise of crypto-locker malware is as simple as it is devious. It sneaks onto computer systems via an email- or web-delivered Trojan, then automatically encrypts and locks down the information held on those systems. The victim is then contacted with a demand for payment of a ransom, after which the decryption key can be downloaded to unlock the information.

If the ransom isn’t paid within a specified timeframe, the hackers threaten to permanently lock the information.

Attacks using off-the-shelf crypto-locker malware have been increasing in recent times. Social engineering schemes and targeted malware attacks are becoming more common and more brazen, with attackers using newer and better forms of crypto-locker malware. Cryptowall 3.0 has been responsible for some US$325 million in losses globally since its emergence in early 2015, while a new version, Cryptowall 4.0, was made available in November 2015.

Trends in late 2014, 2015 and 2016 have seen the emergence of malware targeting organisations which hold valuable customer data, for example banks, hospitals and police departments.

Just this February, a hospital in Los Angeles was targeted: patient data was encrypted and a ransom of US$3 million demanded. A police department in Massachusetts paid a crypto-locker ransom after their case files and computer systems were encrypted.

These financial losses do not take into account the downtime and the losses that accrue from being unable to conduct business.

Any organisation which has data is a potential target. Our information is valuable, regardless of the type of business we’re in.


How to spot a potential crypto-locker attack

Crypto-lockers are generally spread via email or the web, often masquerading as something else, which is what makes them Trojans. Typically, an enticing email message arrives which appears to have been sent by a legitimate organisation; subject lines may include ‘invoice attached’, ‘payment made’, or anything else that makes the user want to open the attachment.

A ZIP file will be attached to the message. It contains an executable file whose filename and icon are disguised to look like a PDF. Open that file and a crypto-locker could install itself on your machine and spread to others on the network.
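The disguise described above leaves two traces a mail gateway or endpoint tool can check before a user ever double-clicks: the name inside the archive (a double extension such as invoice.pdf.exe, where Windows hides the final .exe) and the file's real content (a Windows executable starts with the bytes MZ, a PDF with %PDF). The following Python script is an added illustration of that check, not code from the original article or from Kordia; the sample ZIP it builds in memory is constructed for the example, and the list of executable extensions is an assumed representative subset rather than an exhaustive one.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows will run on double-click (assumption: a representative
# subset, not an exhaustive list)
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Magic bytes for the two formats this check tells apart
PE_MAGIC = b"MZ"      # Windows PE executable header
PDF_MAGIC = b"%PDF"   # PDF file header


def classify_entry(name: str, head: bytes) -> List[str]:
    """Return the reasons an archive entry looks like a disguised executable.

    `name` is the path inside the ZIP; `head` is the first few bytes of the
    entry's content. An empty list means nothing suspicious was found.
    """
    reasons = []
    lowered = name.lower()
    # Look only at the basename, e.g. "docs/invoice.pdf.exe" -> "invoice.pdf.exe"
    parts = lowered.rsplit("/", 1)[-1].split(".")
    last_ext = "." + parts[-1]
    # "invoice.pdf.exe" splits into ["invoice", "pdf", "exe"]: a decoy extension
    # sits in front of the real, executable one
    if len(parts) >= 3 and last_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"double extension: .{parts[-2]}.{parts[-1]}")
    if last_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {last_ext}")
    # Content check: a PE header is a giveaway whatever the file is called
    if head.startswith(PE_MAGIC):
        reasons.append("PE (MZ) header")
    # A file that claims to be a PDF but does not start with %PDF is also suspect
    if lowered.endswith(".pdf") and not head.startswith(PDF_MAGIC):
        reasons.append("claims .pdf but lacks %PDF header")
    return reasons


def scan_zip(data: bytes) -> Dict[str, List[str]]:
    """Scan a ZIP held in memory; return {entry_name: reasons} for flagged entries.

    Entries are read in place (never extracted to disk), and only the first
    8 bytes of each are needed for the header check.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment: one genuine PDF plus one disguised executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4\n% constructed benign sample\n")
        # Decoy payload: PE header, named so a file browser hiding extensions
        # shows just "invoice.pdf". Not a real binary, just the two magic bytes.
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62 + b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_zip(build_sample_zip()).items():
        print(f"FLAGGED {entry}: {', '.join(why)}")
```

Running it flags invoice.pdf.exe on all three counts (double extension, executable extension, PE header) and leaves invoice.pdf alone. Checking the header rather than trusting the name matters because an attacker controls the name; the magic bytes have to be right for Windows to run the file at all.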


How safe are you?

If crypto-lockers can’t be installed on the target systems, they are entirely harmless. However, attackers successfully use known methods to inject and deliver their payloads:

  • Weak perimeter security that exposes known vulnerabilities.

  • Insufficient or absent internal network monitoring or security. This greatly aids malware propagation: once it is active on one computer, it can spread to all others on the network.

  • Phishing and social engineering attacks to deliver payloads. People are still one of the weakest links within organisations.

The good news

The good news is that with the methods of attack known, it is possible to address them directly. Bear in mind too that the vast majority of successful hacks target the simple things.

Having an offsite backup solution with strong login credentials and rules for root management access means that even if you are breached, your data is backed up offsite and can simply be restored. We use a solution ourselves internally which we also sell to our customers.

Probably the greatest risk remains that of social engineering. It remains necessary to keep your people educated and aware of the potential for compromises to occur. If you need a hand with this, Kordia can help.