November 2015 IT Business Consulting Newsletter

CryptoLocker: Worse than EVER

By Tom K

In July I warned you all about a particularly vicious piece of Malware running rampant in the wild. Since that alert, its only gotten worse. The trigger is being delivered in more random vehicles - as multiple types of disguised email attachments, and as numerous links in emails and on nefarious web sites.

As noted in my July newsletter, Critical Malware Alert, it is very difficult for Anti-Virus software to protect against this attack because it is not really a virus. A user opening the attachment or clicking the link INVITES an action that looks normal to the AV software, but ends up triggering a process that encrypts most of the files on the PC, and those on any server the PC is connected to. Since that July newsletter I have been brought in to restore environments at three companies that were attacked.

In this month's newsletter I reiterate educating your staff to be cautious, and I discuss actions you can take to harden your PCs and Servers to prevent the trigger from activating should the malware be invited into your environment.

Ransom Malware

If your staff invites this malware into their PC, the malware will encrypt most of the data files on that PC, including Word, Excel, PDFs, and pictures. The malware then locates any drive maps on the PC and attacks those. These are most often shared drives on servers (company, accounting, reservations, management, etc), as well as cloud-based drives (Google docs, Dropbox, etc). If the shared drive is accessible via a mapped drive, it is accessible to the attack.

Once your files are encrypted, there is no way to recover them, except by paying the ransom (sometimes works out, sometimes not) or restore from Backup. You DO have a proven Backup system in place, right?!?

In every instance that I've been brought in to, the owners decided not to pay and pray to get a valid key. We were able to remediate and restore the environments because there were good backups, but these efforts took between 12 and 20 hours.

Educate your Users

The PCs being used in your offices are for Business ONLY. If an employee's job is not social media, they should not be on social media sites. If they don't need to be on a web site for work, they shouldn't be browsing. Their work email is dangerous enough. Don't allow them to access their personal email while on your PCs. I covered this in my Employee IT Use & Abuse Policy article. If you've not read it, you should.

Email attachments are the most prevalent threat vector. Train your staff to be wary of ANY attachment. If they get an attachment from someone they don't know, don't open it. If it is from someone they know but is not expected, don't open it. Even if it looks like a simple PDF, it could easily be a disguised trigger that could cripple your company.

The next most prevalent threat vector is a link in an email, and links on those "questionable" web sites. If staff are not expecting a link, don't click on it. If they are on a questionable web site while using one of your business PC's they should be disciplined (assuming you have a Use and Abuse Policy in place).

In every instance where I recovered a company from CryptoLocker, I was able to identify the "Ground Zero" PC, and in most I was able to identify the trigger vehicle. At the least, it was rather embarrassing to be the employee that crippled the company. At worst...

Teaching your users to be aware of the dangers presented in email attachments and links is most critical. My July newsletter touches on a number of other items you may want to review with your staff, most of which were discussed in detail in my Protect Your Company From Your Staff newsletter. If you haven't read it, I strongly suggest you do.

Protecting Your Environment

Since the malware jumps from the affected PC to your servers via mapped drives, the first thing to do is limit access to the shared directories on your server to only those who need to access them. If Bob is a reservationist, and only has access to the general Company drive and the Reservations drive, if his PC becomes compromised the Reservations and Company drives will be the only drives affected. If Bob was given access to ALL the shared drives (just because it is easiest), then all those drives (Sales, Accounting, Maintenance, Marketing, etc.) could be encrypted. Your liability just increased ten-fold. I discuss the concept of file access based on need in my Simplify Data Organization and User Management newsletter.

I mentioned that Anti-Virus software has difficulty preventing the CryptoLocker triggers because the triggers are invited actions that appear to be a normally functioning application. BUT... all the current variants of CryptoLocker drop the triggers into the same groups of areas within the PC's directory structure. These areas are not typically used to store files that can execute an action, so if we prevent the PC from launching applications (the triggers) from these known locations, the triggers can't run.

If we know where the triggers are being dropped, we can use a built-in Windows tool called Software Restriction Policies (SRP) to prevent executables from launching from within those locations. To date, this appears to be the best way to protect your environment from CryptoLocker.

You'll need to configure the SRP on every PC/Laptop/Server in your environment. If you have a server and run a Windows Active Directory network environment, you can use Group Policy to configure the policy on your server and push it down to all of your PCs. This is not only a huge time-saver, but it also ensures you've protected all of your devices. I discuss using Group Policy in Use Group Policy to Centrally Tune YOUR Business Computing Environment.

If you don't use a server with Active Directory, you'll need to configure the SRP in each PC's Local Security Policy. You can do this manually at each PC (about 5 minutes each). There are also tools available that can automate the process of configuring the SRP on each PC.

A Solid Backup Solution

When all else fails (and having been doing this for 30 years, it always does fail sometime, somewhere), you've GOT to have a solid backup solution in place. No matter where your data lives, or how many diverse locations it lives in, be sure it is being backed up. I discuss the concepts in Backup the Company Jewels!

Protecting Your Home PCs

Your home PC could be more vulnerable than your business PCs, as your business PCs should be under the care and protection of a professional. Make sure your home PC has commercial grade Anti-Virus, your email has Spam protection, and your system and application patches are updated automatically. Heed the warnings presented above concerning email attachments and links. And enlist the help of your IT staff to set up an SRP on your home PC.

You should also consider backing up your home PC regularly, using a method that does not utilize a mapped storage device. If you have a cloud system that you access via a map, or an always connected USB drive, these will get encrypted if your PC is hit by CryptoLocker. Consider a cloud BU service that is controlled via an application rather than a map, and a thumb drive that you use to manually backup and then disconnect from the PC.


If you are not 100% sure your company has all the processes in place to protect your Company from CryptoLocker, as well as those necessary to recover from an attack, PLEASE call me to discuss having them properly deployed. Missing any one of these could wreak havoc on your company. I've seen it happen, and it costs much, much more to remediate the damage than it does to build out proper protections.

If you have any questions or comments concerning this article, or would like assistance developing solutions and processes to protect your Company, I’d be happy to discuss this with you at your convenience. Feel free to contact me at, or via my cell 443.310.5110.

My December newsletter will be the ever-popular End of Year Security Summary... my annual need-to-read security refresher, updated for 2015.

In January's "Business Relations Risk Assessments", I'll discuss evaluating the operational and financial health of your important Business Partners, and the impact a breakdown in their services or their overall demise could have on your operations.