What is CryptoLocker?
CryptoLocker is a Trojan horse in terms of mechanism and ransomware in terms of objective. Being a Trojan horse, it arrives in disguised form and, once executed, starts searching for and encrypting the files present on your local hard disks, network shares and cloud storage. This means that your computer and software keep working, but your personal files, such as documents, spreadsheets and images, are encrypted.
Often, CryptoLocker arrives as a file with a double extension, such as .pdf.exe. Since Windows doesn’t display file extensions by default, this file may look like a PDF file rather than an executable.
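To illustrate the double-extension trick described above, here is an added example (not from the Cyberoam article) of a small attachment check a mail gateway or endpoint script could apply; the extension lists and the sample attachment names are constructed for the demonstration.

```python
import os
from typing import List, NamedTuple

# Extensions Windows treats as directly executable (constructed, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf", ".hta"}
# Document/media types the attacker wants the attachment to *look* like (constructed list).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".jpg", ".jpeg", ".png", ".gif", ".txt", ".zip"}

class Verdict(NamedTuple):
    filename: str
    displayed_as: str   # name as shown with "Hide extensions for known file types" enabled
    suspicious: bool
    reason: str

def split_extensions(filename: str) -> List[str]:
    """Every dotted suffix of the base name, lowercased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = os.path.basename(filename).split(".")
    return ["." + p.lower() for p in parts[1:] if p]

def displayed_name(filename: str) -> str:
    """Simulate Windows hiding the final extension, so 'invoice.pdf.exe' is shown as 'invoice.pdf'."""
    base = os.path.basename(filename)
    root, ext = os.path.splitext(base)
    return root if ext else base

def check_attachment(filename: str) -> Verdict:
    """Flag executables, and especially executables hiding behind a document/media extension."""
    exts = split_extensions(filename)
    shown = displayed_name(filename)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return Verdict(filename, shown, False, "final extension is not executable")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return Verdict(filename, shown, True,
                       f"executable {exts[-1]} disguised as {exts[-2]} (displays as '{shown}')")
    return Verdict(filename, shown, True, f"executable attachment {exts[-1]}")

def scan(names: List[str]) -> List[Verdict]:
    return [check_attachment(n) for n in names]

# Constructed sample attachment names for the demonstration, not real malware samples.
SAMPLE_ATTACHMENTS = ["Invoice_2015-06.pdf.exe", "scan0001.JPG.scr", "report.docx",
                      "setup.exe", "photo.png", "notes.txt.Pif"]

if __name__ == "__main__":
    for v in scan(SAMPLE_ATTACHMENTS):
        print(f"{'BLOCK' if v.suspicious else 'allow':5} {v.filename:26} shown as {v.displayed_as!r}: {v.reason}")
```

The `displayed_as` field shows what the user would see with extensions hidden, which is why a plain executable check on the visible name is not enough.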
Targets of CryptoLocker
CryptoLocker targets files with the following extensions:
History of CryptoLocker
CryptoLocker was first discovered in the fall of 2013 and targeted computers running Microsoft Windows. It displayed all the characteristics of ransomware, i.e., the ability to target victims through phishing and malicious email links, encryption of user files, and a notification box demanding a ransom for their return.
CryptoLocker infects like normal malware, placing its files in Windows directories and creating registry entries that allow it to restart when you reboot. It then tries to contact its command and control (C&C) server. The malware uses a domain generation algorithm that produces random-looking domain names to try to find the current C&C server. Some sample CryptoLocker domains might look like this:
Once CryptoLocker contacts its C&C, it generates a public/private key pair for your specific computer, using strong, standard RSA and AES 2048-bit encryption. The private key is stored only on the attacker’s C&C servers, while the public key is saved in a registry entry on your computer. CryptoLocker then uses that key pair to encrypt many different types of files on your computer.
Modes of infection
Just like any other malware or Trojan attack, CryptoLocker has common modes of infection, some of which include:
Cyberoam implements network-based controls that can impact malware such as CryptoLocker. While Antivirus, Anti Spam and Web Filtering are important, the IPS engine also has the ability to block malware command & control (C&C) communications.
The following are some control mechanisms that you should apply in Cyberoam to protect your network from malware such as CryptoLocker:
Cyberoam issues maintenance releases regularly; these should be tested and installed as required.
– Secure SMTP Email Communication: You can define rules for SMTP/S scanning in Cyberoam from Antivirus > Email > SMTP/s Scanning Rules. For more details, refer to Secure SMTP Email Configuration.
• Web/URL Filtering
To protect your network from malware, you should filter Web/URL content as well. For Web or URL filtering related settings, keep the following points in mind:
• Application Filtering
For more information about blocking a particular application, refer to Block P2P Applications. You can block other applications in the same way.
• GEO Blocking
To summarize, CryptoLocker is spreading aggressively and has infected many victims. However, Cyberoam can detect and block it using the security services and control mechanisms mentioned above. CryptoLocker can also spread internally through network shares, which network security solutions can’t prevent. Ultimately, your best defence is awareness and vigilance.
Document Version: 1.0 – 30 June, 2015