Unpacking CryptoLocker

A Q&A with Michael Tanji of Kyrus
The introduction of CryptoLocker “ransomware” poses a new security threat to organizations—in fact, one of our customers was recently hit with this hostage-taking nuisance. To get a better sense of what CryptoLocker does and how it can be stopped before any damage is done, I spoke with Michael Tanji of Kyrus.

Can you please explain in layperson terms what this virus is and what sort of damage it can wreak on an organization?
We call CryptoLocker ransomware because when it infects a system it encrypts the files and keeps the encryption key locked away, so that the only way to get access to those files is to pay a ransom. Ransomware is not a new class of malware, but CryptoLocker is far and away the best of this class. It’s only a couple of months old and it’s already infected a wide range of organizations of various sizes—it’s pretty indiscriminate. Just who is behind CryptoLocker is not known. We do know that they are pretty sophisticated in their understanding of cryptography and they have been able to deal with a large volume of victims, so that speaks to their ability to operate at scale. It may be weird to say this about a criminal endeavor, but this is really an enterprise IT operation.

What do the people perpetrating the crime, whoever they may be, stand to gain from this?
The motive is purely financial. There has to be a level of trust there, too—if they were going around and taking ransoms and not turning over the keys the whole thing would fall apart, so these are very business-oriented people. They’ve probably made millions of dollars and they’re not going to jeopardize that by being unreliable.

How does it work? How might CryptoLocker slip through traditional security defenses such as antiviral software (AV)?
There’s no actual malware or virus in the initial attachment, so it’s not something that would be detected. It’s a very simple program. Once you double click on that benign-looking attachment, usually sent to you in an email—it might appear as a zipped PDF or audio file like a voicemail coming from someone you know—it downloads the malware. At that point it’s already bypassed the AV and it’s encrypting files. By the time an AV company figures out the file used, the perpetrators will change it, so AV will detect it after the fact—it won’t prevent it.

What can be done, then, to mitigate or prevent it?
To detect and stop CryptoLocker before it can encrypt all your files, you’d have to have a security solution such as Carbon Black in place, monitoring the system constantly for CryptoLocker-type behavior—not the files used by CryptoLocker per se. Carbon Black is unique because it runs all the time, so you could catch CryptoLocker in the act. It is equally important to ensure that your backups are working. Test them! We’ve had a number of customers who thought their backups were working, only to find out once they became victims that they were wrong. Finally, train employees to be suspicious of attachments; it only takes one click to get infected, and in a large enterprise that’s sharing files and drives, that one click will enable CryptoLocker to access everything. If employees do notice errors or corruption warnings when they try to open files, they should turn their computers off to stop CryptoLocker from working on that system. At that point forensics could pull any unencrypted files from the victim’s drive.
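A concrete illustration of the behavior-based monitoring Mr. Tanji contrasts with file-signature AV, added here as an example and not Carbon Black’s logic or any code from the original article: a small detector that reads file-write events (the events below are constructed, not real telemetry) and flags a process that writes many files of near-random content within a short window, which is what mass encryption looks like on disk regardless of which binary performs it. The thresholds, event field names and process names are assumptions.

```python
"""Behavior-based detection of mass file encryption over constructed
file-write events. Added example; not Carbon Black's logic or any code
from the original article. Thresholds and event fields are assumptions."""
import hashlib
import math
from collections import defaultdict, deque

WINDOW_SECONDS = 60            # sliding window over which writes are counted
MIN_HIGH_ENTROPY_WRITES = 5    # near-random writes inside the window that trip an alert
ENTROPY_THRESHOLD = 7.0        # bits/byte; text and office files sit well below, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy, in bits per byte, of a sample of written content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events):
    """Return one alert per process that writes MIN_HIGH_ENTROPY_WRITES or more
    high-entropy files within WINDOW_SECONDS. Each event is a dict with keys
    ts (seconds), pid, proc, path and sample (first bytes written)."""
    recent = defaultdict(deque)  # pid -> timestamps of recent high-entropy writes
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if shannon_entropy(ev["sample"]) < ENTROPY_THRESHOLD:
            continue                      # ordinary document content: ignore
        window = recent[ev["pid"]]
        window.append(ev["ts"])
        while window and ev["ts"] - window[0] > WINDOW_SECONDS:
            window.popleft()              # drop writes older than the window
        if len(window) >= MIN_HIGH_ENTROPY_WRITES and ev["pid"] not in alerted:
            alerted.add(ev["pid"])
            alerts.append({"pid": ev["pid"], "proc": ev["proc"],
                           "ts": ev["ts"], "writes": len(window)})
    return alerts


# --- constructed sample data (not real telemetry) ---------------------------
# Low-entropy content, as a word processor writes it.
TEXT_SAMPLE = b"Quarterly report: revenue up 4% on stable costs. " * 80
# Near-random content standing in for ciphertext or a compressed archive.
# Built deterministically from SHA-256 digests so the example runs offline.
RANDOM_SAMPLE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))


def _event(ts, pid, proc, path, sample):
    return {"ts": ts, "pid": pid, "proc": proc, "path": path, "sample": sample}


SAMPLE_EVENTS = (
    # pid 100: an editor saving ordinary documents; never high entropy.
    [_event(t, 100, "winword.exe", f"C:/Users/amy/Documents/memo{i}.docx", TEXT_SAMPLE)
     for i, t in enumerate(range(0, 80, 10))]
    # pid 300: a backup tool writing a single compressed archive; one
    # high-entropy write is not enough to trip the rule.
    + [_event(90, 300, "backup.exe", "D:/backups/2013-11-01.zip", RANDOM_SAMPLE)]
    # pid 200: an unknown process overwriting many documents with ciphertext,
    # three seconds apart (hypothetical process name).
    + [_event(100 + 3 * i, 200, "unknown.exe",
              f"C:/Users/amy/Documents/memo{i}.docx", RANDOM_SAMPLE)
       for i in range(10)]
)

if __name__ == "__main__":
    for a in detect_mass_encryption(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} proc={a['proc']} t={a['ts']}s "
              f"high-entropy writes in window={a['writes']}")
```

Run as a script, the detector raises a single alert for pid 200 at the fifth near-random write (t=112s) and stays silent for the editor and the backup tool. The point is the one the answer makes: the rule keys on what encryption does to files, so a freshly recompiled binary with no AV signature still trips it, while the count threshold keeps a lone compressed archive from producing a false positive. Both thresholds need tuning per environment, and the alert is only useful if the response is fast (isolate the host) and the backups the answer tells you to test actually restore.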

What steps must be taken to remedy the damage?
Once it’s run, you really only have two options. If you have a backup you can restore your system from that. But if you don’t, you have to pay the ransom demanded, and you won’t get your files back unless you do. Some people have a serious ethical problem with paying for the ransom and I don’t disagree, but you have to put your morals and emotions aside in this case—if there are no backups you stand to lose the lifeblood of your business. Calling a security company to do traditional incident response will cost more than the ransom and in the end it won’t help because no amount of forensics will get the key needed to unlock your files. It’s best to think of it as a business transaction.

Assume you do pay the ransom: what’s the procedure and what’s the typical cost?
The magic of CryptoLocker is that the ransom is always more cost effective than any kind of incident response. If you pay within 72 hours, it’s usually 300 dollars, payable in Bitcoins. Beyond 72 hours the cost goes up. If you call an incident response company they should not charge you any more than a few hundred dollars to help with the transaction and decryption. The perpetrators even provide a program to decrypt the files and maintain an online forum with FAQs to help people having trouble getting their files back.

In summary…
We thank Mr. Tanji for illuminating this tricky emerging threat for the cyber liability insurance industry. We’ve already seen CryptoLocker in action firsthand with several of our clients. The unfortunate reality is that while staff education about threats (e.g., don’t click on email attachments from strangers) can help prevent some attacks, awareness campaigns are not a perfect salve, and bad guys will always be able to exploit this weak spot.

Using Data Security Policy Templates to Maximum Effect

A Q&A with Ronald Raether of Faruki Ireland and Cox P.L.L.
Having written privacy and security policies and procedures in place is critical for organizations in an era when data breaches are an inevitable reality, which is why data security-focused law firm Faruki Ireland & Cox has created policy templates for clients. These templates are now available in the eRisk Hub® and I spoke to attorney Ronald Raether about how they should be used.

Why is there a need for these templates?
For almost 10 years I have assisted clients in responding to data breaches. A significant part of that response is dealing with regulators investigating any such breach, and almost every regulator I encounter begins our discussion with questions about what policies and procedures my client had in place prior to the breach. These templates come from years of such experience and provide a foundation for any company to both assess their information practices and reduce them to writing. If you have policies in place, your conversations with regulators, the press and others start from a more positive position.

Why did the firm focus on these specific policies when creating the templates?
We’ve emphasized these particular policies because these are the ones that typically matter the most to regulators, and they address specific regulations like HIPAA, GLB and PCI.

How would you recommend eRisk Hub members use the templates?
A mistake organizations make is taking a template or form and simply hanging their names on it without acknowledging their own specific needs. As a consequence you might end up with a policy that’s at odds with the organization’s regular activities. In fact, disregarding the policy or acting out against it can actually increase a company’s exposure. I tell clients, “don’t put anything in writing that doesn’t comport with your company’s culture and practices.”

Do you think every company needs every policy template in the Hub?
Most organizations will need all of these policies, but there are, of course, exceptions. For instance, if the company doesn’t allow its employees to use mobile devices to access the company network—rare, but still possible—then they won’t need the bring your own device policy.

How are these policies important when an event occurs?
As with any disaster response or emergency management plan where time is at a premium and disorder could reign, having a written plan is critical. Indeed, many companies make the mistake of believing that internal sources can respond. This often has disastrous consequences. Data breaches will be chaotic enough. Save yourself time, money and stress by defining your information management program, reducing that program to sound information policies and identifying expert outside resources during a period of calm. Establishing the policies and the discipline to enforce conduct so that it’s consistent with those policies can help investigators track down answers more easily when there’s a record of who was doing what and where. Secondly, it signals to the public—regulators, pundits and privacy advocates—that you’ve met the baseline requirements for security and privacy, which can help negate any early doubts if something should happen.

What are the limitations of policies, and what else do organizations need to have in place for legal protection?
Checking off the box of “having a policy” is of limited value if employees don’t understand how to implement it. Employees in any area of the business that will have contact with sensitive information need to be trained because compliance is a cost center. You also need to conduct regular audits to verify that these rules are used in practice. Having the policy is just the beginning.

In summary…
Mr. Raether has underscored the importance of employing policies that govern data security and privacy. We might also add that having a policy in place—one that is enforced—can mitigate one’s legal liability following a data breach event. Of course, security in and of itself is never one hundred percent effective. On the other hand, having nothing in place can show a lack of care and increase exposure following a breach incident.
