Businesses offer best practices for escaping CryptoLocker hell

Data backup and restoration are regarded as the only way to really make sure businesses hit with the malware get files back

It is an IT nightmare: Businesses hit with the CryptoLocker malware find their electronic files locked up inside strong encryption and the extortionist operating the malware botnet demanding money to give them the security key that would let companies get their data back.

What do you do to escape this crypto hell of ransomware? A few corporations here detail their experiences with the nasty malware and say in many cases back-up and restoration was their only way out.

[ Security expert Roger A. Grimes offers a guided tour of the latest threats and explains what you can do to stop them in InfoWorld's "Fight Today's Malware" Shop Talk video and Malware Deep Dive Report. | Learn how to secure your systems with InfoWorld's Security Central newsletter. ]

"My shop manager was trying to open a file and his computer kept coming up with an encryption error," says Chris Albrecht, officer manager at W.C. Machine & Tool, about the shock of finding out CryptoLocker had struck the metal fabrication and engineering firm he works at. "We tried other files on the network," including those in a storage server, but they, too, all appeared to be inaccessible. "It all came out of the blue."

What happened a couple of weeks ago at the Chandler, Ariz.,-based W.C. Machine & Tool is that someone there opened an e-mail with CryptoLocker in the attachment. The ransomware then aggressively spread to infect Windows-based computers and encrypt files wherever it could.

[MORE:CryptoLocker creators try to extort even more money from victims with new service]
[SECURITY NEWS:12 hot security start-ups to watch]

W.C. Machine & Tool immediately contacted its IT services provider, Mytek Network Solutions, and an account manager there, Theo Soumilas, says it was evident that tens of thousands of files were encrypted so W.C. Machine & Tool couldn't access them. At one point, there was some kind of extortion message asking for money in exchange for the encryption key, but nobody advocated going along with that.

The decision was made that it was necessary to basically "dump" the entire encrypted file contents and re-make the network file installation through back-up and restoration. W.C. Machine & Tool does daily back-up with its cloud provider, Axcient, and the restoration was completed over several hours one weekend.

Another Axcient customer, the Washington, Pa.-based law firm of Yablonski, Costello & Leckie, had a similar unsettling encounter with the CryptoLocker ransomware over the last few weeks, too.

As far as the law firm can discern, says attorney J. Scott Leckie,  it all started when another attorney for the firm was on his home computer, logged into the corporate network, and apparently opened an e-mail attachment containing CryptoLocker.

"All of a sudden his laptop went black," says Leckie. Then suddenly others at the law firm were locked out of their Windows-based computers, too. The law firm called its tech-services support firm, Ceeva, and "we said, something is wrong here, we don't know what," says Leckie.

CryptoLocker had struck once more, dodging Symantec anti-malware and spam filtering, says Rick Topping, vice president at Ceeva. CryptoLocker is so "dynamic," Topping remarked, it sometimes manages to evade anti-malware software. Ceeva, too, found it was necessary to go through a back-up and restoration process to regain its files, which in this case took half a day.

Leckie, puzzling over exactly what CryptoLocker infected e-mail hit his partner, says fighting off CryptoLocker was a disruptive experience. Backing up data was critical to the operation of the business, he noted, adding, it makes him glad that at his law firm, "we're still saving the paper."

Anti-malware firms asked about CryptoLocker and what they've seen of it since it was first noticed in the September timeframe say it's primarily targeting the U.S. through phishing e-mail and is likely being run as a criminal operation by a Russian-speaking cyber-gang.

CryptoLocker "mostly targets English-language-speaking people" mainly in the U.S., but also the U.K., Australia and Canada, says Jerome Segura, senior security researcher at Malwarebytes.

Because CryptoLocker uses AES 256-bit encryption to lock up victims' data, it's not possible to really manually break it, malware researchers agree. The best way to ensure that you can get your data back is to use very good back-up in a way that would avoid direct infection by CryptoLocker. "And that backup service should have backups of its backups," says Adam Wosotowsky, McAfee messaging data architect.

CryptoLocker extortionists promise to send the private encryption key for unlocking your encrypted data through its botnet-based command-and-control system if payment, typically $300, is received through Bitcoin. But sometimes the encryption key isn't delivered anyway, if only because CryptoLocker's automated system has put time limits on response from the victims.

Trend Micro has tracked that as typically being 72 hours. But that's subject to change, of course. Trend Micro's threat communications manager Christopher Budd says CryptoLocker does try all tricks possible to be evasive, so sometimes anti-malware software will detect and stop it, other times not.

Anti-malware firm Bitdefender this week said it's been tracking how CryptoLocker works through "sinkholing" its botnet command-and-control servers, determining that in just the Oct. 27 and Nov. 1 timeframe, CryptoLocker managed to hit 10,000 victims.

Razvan Stoica, communications specialist at Bitdefender, says CryptoLocker's targets appear to almost exclusively the U.S. Why here is unknown he says but perhaps, "that's where the money is." CryptoLocker's fast-shifting command-and-control infrastructure, however, lives mainly outside the U.S. in servers in Russia, Germany, Kazakhstan and the Ukraine. A number of malware researchers think that law enforcement is going to eventually catch up with the cyber-criminals operating CryptoLocker, perhaps by tracking them through the Bitcoin system.

CryptoLocker right now appears to be relying solely on sending volumes of  phishing e-mail and dangerous attachments as a way to try and trick the victim into opening an attachment and letting CryptoLocker loose in an organization. It doesn't seem to be used as a targeted attack against specific companies but is arriving in waves with the typical kind of spam deceptions, such as seeming to come from FedEx or U.P.S., according to some researchers.

CryptoLocker is hardly the first ransomware to plague computer users. Another type of ransomware, called the FBI Virus, that can hit either a Windows PC or Apple Mac to take away control from the user, was noticed having a new twist this week. According to Malwarebytes researcher Segura, the Mac OS X version of the ransomware is now demanding an additional fee above the first demand for $300. The second demand says it has your criminal records and will delete them for $450, he points out.

It's a bad idea to respond to blackmail. And it's possible to get rid of the FBI Virus, though much harder on the Windows PC than the Apple Mac, where it exists as more of a browser infection.  

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:

Read more about wide area network in Network World's Wide Area Network section.

This story, "Businesses offer best practices for escaping CryptoLocker hell" was originally published by Network World.

Copyright © 2013 IDG Communications, Inc.