Light Dark
July 13, 2016 By Antonios Papadimitriou 2 min read
Advanced Threats
Fraud Protection
Malware

CryptoLocker attacks are on the rise, along with many other types of ransomware. While these threats can be a serious detriment to an enterprise, there are some security measures that can reduce the risk of such an attack and improve overall security posture.

Here is what to do in case of an incident, as well as how to prevent similar attacks in the future.

Important Notes About Threats

Organizations should start by adopting an aggressive patch management policy, especially with browser vulnerabilities existing in plugins such as Adobe Flash and Java, which are used by a large portion of employees. Patches should be applied in a timely basis. For example, IBM noted that the recent Adobe patches for ransomware are to be applied as soon as possible. Adobe defined this time period as within 72 hours.

Unfortunately, patching isn’t a huge help when it comes to ransomware such as CryptoLocker. When a computer becomes infected with ransomware, the malware typically generates a very small amount of external network traffic. Upon infection, most versions of ransomware utilize a domain generation algorithm (DGA) to randomize the DNS request that it makes to the command-and-control (C&C) server. This makes blacklisting the known domains much harder: The malware will use the DGA to generate thousands of randomized domain names, but only one may be a legitimate domain used to connect to the C&C server.

This initial contact with the C&C server enrolls the computer and obtains the public encryption key(s) it then uses to encrypt all the user’s files. Therefore, a memory dump or network traffic capture will do very little to help gain the necessary information to restore the files since the private key needed to decrypt the files never exists on the victim computer.

How to Prevent and Respond to CryptoLocker

The best way to fully bounce back from a ransomware attack is to never become a victim. Prevention methods include:

  • Back up your data.
  • Train customers or employees to not open phishing emails.
  • Install a security program that can detect websites where ransomware goes for encryption keys.
  • Use a good antivirus program, which will detect older versions of the virus — but bear in mind that some versions of CryptoLocker use virus detection for their own benefit by having the infected system scan until no red flags are found.

There are also some critical steps organizations should consider with respect to their readiness for a potential attack:

  1. Preparation;
  2. Detection and analysis;
  3. Containment, eradication and recovery; and
  4. Post-incident activity.

Organizations should consider using different antivirus products for different purposes. For example, one antivirus product could be used for desktop machines, a different one for servers and another for the email gateway. This strategy can provide maximum coverage for emerging threats that may not be detected by one solution but could be identified by others.

Download the complete IBM Ransomware Response Guide

 |  |  |  |  |  | 
Antonios Papadimitriou
Security Brand Specialist, IBM

More from Advanced Threats
May 24, 2024

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

May 16, 2024

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

May 2, 2024

A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence

7 min read - This article was made possible thanks to contributions from Aaron Gdanski.IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature