It is truly a rare occasion when you are in a customer meeting talking about an attack less than a week old and you see the customer jump out of his chair to acknowledge that his company experienced it. Even rarer is getting into the initial conversation and leaving with a purchase order. But that’s what being at the right place at the right time is all about.
The way it works is:
- You get the malware on your system.
- It calls back to a criminal server that generates a key that is kept on the server.
- The malware encrypts all the data on your hard disk (and all the network shares it connects to) using that key.
- Then the nasty message shown above pops up, demanding payment if you’d like to see your data again.
Oh, and by the way, they will not wait forever before they delete your key from their servers (probably because they need to keep moving servers). Check out the time counter they put there.
As this Ars Technica article explains, it prices your data at $300 (or €300, so it’s better to pay in USD :-). If you are infected, there are a number of ways you can pay them and get them to give you a key.
The Cryptolocker writers appear to be pretty ethical, as vicious criminals go—if you pay them they do give you the removal key—but clearly no one wants to pay $300, and of course there’s absolutely no guarantee that you won’t get re-infected some time later.
Cryptolocker is far worse in a corporate environment because if an infected computer has open connections to other LAN-connected file systems, such as shared drives on a file server, then these may also be encrypted.
Even worse, some organizations use a file-server drive as a shared backup drive for multiple users, meaning that all online backup files could be encrypted too.
The customer we talked to said that at the end of the day, humans are the weakest link. And things like this happen.
Is there any good news in this? Yes. DNS Firewall stops the Cryptolocker malware from communicating with its controllers—and therefore stops it from actually encrypting your data, since the malware never receives its key. Infoblox alerts and log-analysis tools tell you which systems tried to resolve the controllers’ names, and therefore are infected. This allows network and systems administrators to quarantine and clean up infected devices before they can cause data loss.
Implementing Infoblox DNS Firewall is the simplest and most effective way to identify any systems in your network infected with Cryptolocker, before they actually encrypt your data.
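To make the detection side of this concrete, here is an added example (not Infoblox code and not from the original post) that does, in miniature, what the log-analysis step described above does: it reads DNS query-log lines, checks each queried name against a blocklist the way an RPZ zone would (a listed domain and everything beneath it), and reports which client addresses asked for a blocked name. The log format is a constructed BIND-style query log, and the blocklist entries are placeholder names, not real controller domains.

```python
import re
from collections import defaultdict

# Constructed placeholder domains standing in for a DNS Firewall (RPZ) blocklist.
# A real feed carries actual controller names; these are not real domains.
BLOCKLIST = {
    "c2-placeholder-one.example",
    "c2-placeholder-two.example",
}

# Constructed query-log lines in a BIND-style format (timestamp, client ip#port,
# queried name, class and type). Not captured from any real resolver.
SAMPLE_LOG = """\
14-Oct-2013 09:12:33.101 client 10.1.2.3#51234: query: www.intranet.example IN A + (10.0.0.53)
14-Oct-2013 09:12:35.220 client 10.1.2.3#51240: query: update.c2-placeholder-one.example IN A + (10.0.0.53)
14-Oct-2013 09:12:36.004 client 10.1.2.7#49001: query: mail.intranet.example IN MX + (10.0.0.53)
14-Oct-2013 09:13:01.990 client 10.1.2.9#60020: query: c2-placeholder-two.example IN A + (10.0.0.53)
14-Oct-2013 09:13:02.310 client 10.1.2.3#51241: query: c2-placeholder-two.example IN A + (10.0.0.53)
this line is garbage and must be skipped
"""

# Tolerates the optional "@0x..." client pointer and "(name)" field newer BIND
# versions print between the port and the colon.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return (client_ip, qname) for a query-log line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Normalise: strip a trailing dot and lower-case, so matching is exact.
    return m.group("ip"), m.group("qname").rstrip(".").lower()


def is_blocked(qname, blocklist=BLOCKLIST):
    """True if qname is a listed domain or any subdomain of one (zone-style match)."""
    labels = qname.split(".")
    # Walk from the full name up through its parent zones: a.b.c -> b.c -> c
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_infected_hosts(log_text, blocklist=BLOCKLIST):
    """Map each client IP that queried a blocked name to the sorted list of names it asked for."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_query_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than crash the sweep
        ip, qname = parsed
        if is_blocked(qname, blocklist):
            hits[ip].add(qname)
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    for ip, names in sorted(find_infected_hosts(SAMPLE_LOG).items()):
        print(f"{ip} queried blocked names: {', '.join(names)}")
```

The match walks up the label hierarchy so that a lookup for `update.c2-placeholder-one.example` is caught by the entry for its parent zone, which is how RPZ zone entries behave; a suffix-string match would also catch unrelated names such as `notc2-placeholder-one.example`, so the label-wise walk is deliberate. The output is a list of client addresses to quarantine, which is exactly the action the post describes.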
So instead of, “Your money or your data,” it’s “Sorry, Charlie,” to the Cryptolocker crooks.