
How to prevent Cryptolocker


Cryptolocker is the name of computer malware that was first identified in 2013. It infects computer systems and encrypts files, making them inaccessible to the user without paying for the digital "key" to get them back.  

On an individual's computer, this malware is bad enough. When it attacks and spreads through a large organisation, the cost and damage are immense. Some basic steps, and some more technical ones, can be taken to protect computers from this type of threat.

Cryptolocker and other types of ransomware spread in similar ways. Thus, there are some basic steps that users can take to make it less likely that this malware could impact their computers.  

  1. Be vigilant and do not open suspicious emails and attachments. This is the leading way that ransomware spreads, often through Office macros that trick you into compromising yourself. Never open emails or attachments that come from someone you don't know. Even then, don't open files sent to you by people you DO know if you weren't expecting to receive them. Take the time to call the sender and confirm. Even if it turns out to be legitimate, the time is worth it.
  2. Don't click on unknown links, especially those sent via email. Often these links take a user to suspicious websites that prompt them to download a file or ask them to enter sensitive credentials such as an email username and password.
  3. Run Windows updates. Malware and other viruses often use exploits to harm users' computers. Installing patches closes these security holes.
  4. Only install software from reputable sources. It's easy to go to a search engine and type in "free fonts" and get tons of results. However, many of those sites are very questionable and may download additional software alongside the product you wanted. If that additional software is malicious, it can be very harmful.
  5. Install antimalware software and scan your computer for threats. Using a free antimalware product to scan your computer can help detect and remove malicious software. Still, it's better to have active protection like QuickWatch installed so that threats are blocked before they can harm your PC.
  6. Make frequent backups of your computer, ideally to an external drive that's not always connected. That way, malware cannot hurt it.  If you're infected later on, at least you still have a way to recover your files.

In larger networks, there are more technical steps that can be taken to prevent the impact and spread of Cryptolocker and similar malware.

  1. Reduce administrative account use.  This advice is often ignored, but the fewer users that use admin accounts, especially domain admin accounts, the better.  If malware infects a machine and manages to act as an administrative account, especially an admin account that can access other computers and servers, the entire network can be compromised.  
  2. Use two-factor authentication where possible. This helps prevent sensitive accounts from being used by malware. Some ransomware, like Ryuk, uses RDP (remote desktop) to jump from system to system. Using third-party software to add two-factor authentication to RDP will help block this attack vector and significantly increase the security of your operations.
  3. Reduce the use of network shares to those that need them.  Ransomware that encrypts a single computer is terrible - but if it can get to critical network shares, the business impact can be immense.  Consider reducing access to shares to those users that must have them, and remove all other users.  For example, pick a random employee at work, then look at their network shares - then pretend that ransomware encrypted them.  Consider what the business impact would be if these shares were locked away for 48 hours, or a month, or were unrecoverable. 
  4. Secure company backups off-network so that even if the entire business were to be infected, critical systems could be brought back online as soon as possible. Merely backing up key file shares and servers to a local network location is not enough, as ransomware like Ryuk can find these backups on the network and encrypt them as well. If backups have to be stored on the local network, segment them so that they can be reached by as few devices as possible. Ideally, save a copy of the backups off-site and wholly detached from the company network. Alternatively, a cloud backup solution would also work, similar to using cloud file storage.
  5. Consider the use of cloud file storage like Google Drive or OneDrive.  Typically, these services have versioning that prevents files from being irretrievably lost (even if the ransomware encrypts and syncs files to the cloud). 
  6. Update all computers in the business, and use processes and software to ensure compliance. Having QuickWatch installed on endpoints can ensure Windows is always patched and up to date. As important as keeping installed software patched is, know that as software ages it needs to be reviewed: identify and remove software that has reached "end of life," because such products no longer receive critical security updates. For example, QuickTime for Windows is no longer getting software updates and should be considered dangerous to have installed.
  7. Purchase business insurance that includes protection for ransomware AND the ransom payment. The ransom payment can be extensive, but even if the insurance covers the amount, most companies will still need comprehensive additional help to get their critical services and staff up and running. This type of immediate assistance can be very costly. It's much better to pay for the insurance ahead of time and know that you're covered. The alternative would be having to make the hard decision about how to get your critical business data back... or having to close the company if business services can't be restarted. Most commercial property policies do not cover this type of claim. Also, when looking into a cyber liability policy, confirm whether they pay these ransom and repair costs upfront, or only reimburse the cost. If they only reimburse, make sure your company has a plan to spend this upfront and that all key company staff are on board with the plan before it happens.
  8. Make changes to your company setup, then run actual tests based on a real user. Pretend that the user is compromised and evaluate the impact on the business and which files could be lost. This type of real-world scenario can bring to light the next steps, such as where access to additional resources could be further reduced so they are not impacted.
  9. If your company is currently using an antimalware product, reach out to their technical staff. Request that they provide proof that their product will stop ransomware like Cryptolocker and Ryuk.  See if they will discuss how often their product actively blocks these threats, and how they are protecting against new variants.  If the provider can't quickly answer these questions, consider another product or vendor.  
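Items 3 and 8 above both come down to the same question: if one particular user's account were running ransomware, which network shares could it overwrite? The PowerShell script below is an added example, not code from the original article or from QuickFix; it runs on a Windows file server and reports the non-administrative SMB shares that a given account could modify, combining the share-level permissions with the NTFS permissions on the share path. The account name, group names and report path are hypothetical inputs you supply; the well-known identities "Everyone", "Authenticated Users" and "BUILTIN\Users" are included because they apply to any domain user.

```powershell
<#
  Added example (not from the original article): estimate the "blast radius" of a
  single compromised user on this file server by listing the shares that user could
  write to. Run locally on the file server from an elevated PowerShell session.
  Assumptions: the SmbShare module is present (Windows Server 2012+ / Windows 8+),
  and the caller passes the user's account name and its group memberships.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$UserName,                       # hypothetical, e.g. 'CORP\jdoe'
    [string[]]$GroupNames = @(),             # hypothetical, e.g. 'CORP\Finance'
    [string]$ReportPath = "$env:TEMP\share-exposure.csv"
)

# Identities that effectively carry this user's permissions: the user itself,
# the supplied groups, and the well-known groups every domain user belongs to.
$identities = @($UserName) + $GroupNames + @('Everyone', 'Authenticated Users', 'BUILTIN\Users')

# Share-level rights that let a process overwrite files.
$shareWriteRights = @('Full', 'Change')

# Skip the administrative shares (C$, ADMIN$, IPC$): they are covered by item 1,
# reducing admin account use, not by share permissions.
$report = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    $aces = Get-SmbShareAccess -Name $share.Name

    # An explicit Deny for any matching identity overrides the Allows.
    $shareDenied = $aces | Where-Object {
        $_.AccessControlType -eq 'Deny' -and ($identities -contains $_.AccountName)
    }
    if ($shareDenied) { continue }

    $shareAllowed = $aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($identities -contains $_.AccountName) -and
        ($shareWriteRights -contains $_.AccessRight)
    }
    if (-not $shareAllowed) { continue }

    # Effective access is the intersection of share and NTFS permissions, so also
    # require an NTFS Allow that grants write/modify/full control on the folder.
    # (NTFS Deny entries and inherited sub-folder ACLs are not evaluated here;
    # treat the result as an approximation, then verify by hand.)
    $acl = Get-Acl -Path $share.Path -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    $ntfsAllowed = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($identities -contains $_.IdentityReference.Value) -and
        ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl')
    }
    if (-not $ntfsAllowed) { continue }

    [pscustomobject]@{
        Share      = $share.Name
        Path       = $share.Path
        ShareRight = ($shareAllowed.AccessRight | Sort-Object -Unique) -join ';'
        GrantedVia = ((@($shareAllowed.AccountName) + @($ntfsAllowed.IdentityReference.Value)) |
                       Sort-Object -Unique) -join ';'
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} writable share(s) for {1}; report saved to {2}" -f @($report).Count, $UserName, $ReportPath)
$report
```

Run it as `.\Get-ShareExposure.ps1 -UserName 'CORP\jdoe' -GroupNames 'CORP\Domain Users','CORP\Finance'` (file name and values are hypothetical). Every share in the output is one the article's thought experiment applies to: ask what the business impact would be if that share were encrypted for 48 hours, and whether the identity in the GrantedVia column really needs Change or Full access rather than Read. Shares reachable only through "Everyone" or "Authenticated Users" are the first candidates for tightening.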

To summarize, Cryptolocker and other ransomware are serious, very impactful threats. Home users, and especially businesses, must train their users not to open suspicious files, run protection software, and keep secure backups. Beyond training users to be careful with what they do online, it's also important to have a plan in place "just in case".

Make sure that the business is covered financially if this very impactful attack were to happen. In many ways, ransomware should be treated just like a fire or flood: it's unlikely that it will ever occur, but if it did, there need to be sound plans and procedures in place to ensure that whatever loss occurs is covered.
