Advanced Threats July 13, 2016
By Antonios Papadimitriou 2 min read

CryptoLocker attacks are on the rise, along with many other types of ransomware. While these threats can be a serious detriment to an enterprise, there are some security measures that can reduce the risk of such an attack and improve overall security posture.

Here is what to do in case of an incident, as well as how to prevent similar attacks in the future.

Important Notes About Threats

Organizations should start by adopting an aggressive patch management policy, especially with browser vulnerabilities existing in plugins such as Adobe Flash and Java, which are used by a large portion of employees. Patches should be applied in a timely basis. For example, IBM noted that the recent Adobe patches for ransomware are to be applied as soon as possible. Adobe defined this time period as within 72 hours.

Unfortunately, patching isn’t a huge help when it comes to ransomware such as CryptoLocker. When a computer becomes infected with ransomware, the malware typically generates a very small amount of external network traffic. Upon infection, most versions of ransomware utilize a domain generation algorithm (DGA) to randomize the DNS request that it makes to the command-and-control (C&C) server. This makes blacklisting the known domains much harder: The malware will use the DGA to generate thousands of randomized domain names, but only one may be a legitimate domain used to connect to the C&C server.

This initial contact with the C&C server enrolls the computer and obtains the public encryption key(s) it then uses to encrypt all the user’s files. Therefore, a memory dump or network traffic capture will do very little to help gain the necessary information to restore the files since the private key needed to decrypt the files never exists on the victim computer.

How to Prevent and Respond to CryptoLocker

The best way to fully bounce back from a ransomware attack is to never become a victim. Prevention methods include:

  • Back up your data.
  • Train customers or employees to not open phishing emails.
  • Install a security program that can detect websites where ransomware goes for encryption keys.
  • Use a good antivirus program, which will detect older versions of the virus — but bear in mind that some versions of CryptoLocker use virus detection for their own benefit by having the infected system scan until no red flags are found.

There are also some critical steps organizations should consider with respect to their readiness for a potential attack:

  1. Preparation;
  2. Detection and analysis;
  3. Containment, eradication and recovery; and
  4. Post-incident activity.

Organizations should consider using different antivirus products for different purposes. For example, one antivirus product could be used for desktop machines, a different one for servers and another for the email gateway. This strategy can provide maximum coverage for emerging threats that may not be detected by one solution but could be identified by others.

Download the complete IBM Ransomware Response Guide

 |  |  |  |  |  | 
Antonios Papadimitriou
Security Brand Specialist, IBM

More from Advanced Threats
August 2, 2022

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

January 31, 2022

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

October 20, 2021

Detections That Can Help You Identify Ransomware

12 min read - One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

October 13, 2021

Trickbot rising — Gang doubles down on infection efforts to amass network footholds

11 min read - IBM X-Force has been tracking the activity of ITG23, a prominent cybercrime gang also known as the TrickBot Gang and Wizard Spider. Researchers are seeing an aggressive expansion of the gang’s malware distribution channels, infecting enterprise users with Trickbot and BazarLoader. This move is leading to more ransomware attacks — particularly ones using the Conti ransomware. As of mid-2021, X-Force observed ITG23 partner with two additional malware distribution affiliates — Hive0106 (aka TA551) and Hive0107. These and other cybercrime vendors…

© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature