New Ransomware Is as Dangerous as CryptoLocker

Although the Heartbleed bug has saturated news coverage in recent days—and an array of other threats have hit large and small enterprises in the past few months—a new and very dangerous form of malware has appeared: CryptoDefense.

A Symantec blog provides an overview of the ransomware and the potential nightmare it presents for businesses. Symantec describes it as “a sophisticated hybrid design incorporating a number of effective techniques previously used by other ransomcrypt malware authors to extort money from victims.”

Like its better-known malware cousin CryptoLocker, CryptoDefense targets text, pictures, video, PDFs and Microsoft Office files, and then it encrypts them with a strong RSA-2048 key, while also wiping out the shadow copies used by many backup programs. That makes it difficult to salvage affected files.

Before the program will return the “kidnapped” files, it requests a payment of $500 in bitcoins via an exclusive Tor-hosted Website that the criminals hide behind. After four days, the payment jumps to $1,000. After a month, the private key is deleted, and the files become unrecoverable.

CryptoDefense demonstrates a growing level of sophistication among organized crime syndicates operating on the Internet. “There are now competing cyber-gangs using ransomware tactics to extort money from companies,” reports Stu Sjouwerman, CEO and founder of KnowBe4, which provides Web-based security awareness training.

“Among those reportedly affected is the Boston Police Department. This makes it exceptionally difficult for businesses that do not take adequate steps to protect and back up their data.”

The stakes are growing. Last year, CryptoLocker infected an estimated 250,000-plus Windows computers, including systems running Windows Vista, Windows XP, 7, 8 and Professional. There’s also a third known form of ransomware: Cryptorbit. All rely on a similar shakedown method. According to Symantec, CryptoDefense netted perpetrators somewhere in the neighborhood of $34,000 during February, the first month the malware appeared.

How can organizations affected by the malware get around paying the ransom? The creators of the malware leave the decryption key on a user’s computer, so it’s possible to circumvent the ransomware using specialized tools and techniques to get back affected files. For example, security firm MalwareExperts, which describes the risk of CryptoDefense as moderate, offers detailed tools and instructions for removal at its Website.

In addition, IT executives—particularly those at small and midsize businesses—should introduce automated backups and make sure all data can be restored.

KnowBe4’s Sjouwerman says that user training is another key component. He points out that it’s critical to educate employees, including senior-level executives, about the ongoing threat of clicking on a bad link. It’s also wise to complement the training with simulated phishing attacks on a regular basis. KnowBe4’s research—it examined 372 companies over a 12-month span—indicates that about 16 percent of all phishing attempts succeed.

Finally, security experts say that it may be wise to block all incoming .zip files at the firewall or mail server and ensure that up-to-date endpoint encryption is in place.

“We are now in Generation 5 of cyber-crime, which means there’s a strong underground economy where stolen goods and illegal services are bought and sold in a ‘professional’ manner,” concludes Sjouwerman. “Ransomware will be one of the tricks of the trade, and it will spread rapidly due to the existence of a well-developed criminal underground economy and supply chain.”