Antimalware vendors are working to fight a new ransomware strain that encrypts victims’ files and holds them hostage for $300. The malware’s sophistication and its primary target – businesses – demonstrate the value of using cloud backup to keep an alternative version of corporate files at the ready in case of attack.
Researchers with Emsisoft Anti-Malware offered an in-depth breakdown of the new variant of Cryptolocker – also known as Trojan:Win32/Crilock.A – in a recent blog post. Judging by the file types sought during the encryption process – database files and formats used in the Microsoft Office suite – Emsisoft believes attackers are primarily targeting businesses rather than consumers.
The vendor says victims are typically presented with a dialog box that explains their important files have been encrypted. The message threatens to destroy the private key that can unlock those files unless the victim pays $300. Trying to remove the virus results in the key’s immediate destruction, the message claims.
Geek.com says a previous Cryptolocker variant was reported back in January, at the time demanding $100. Some victims have actually paid the ransom and found that their files were decrypted as promised, though the blog cautions that the risk of reinfection is present even if businesses cough up $300.
What makes Cryptolocker so hard to crack?
Cryptolocker finds its way onto computers through simple social engineering – users are sent an email about customer complaints with an attachment that actually includes the malware downloader.
Once installed, the malware establishes a connection with a command and control server, using clever workarounds to defeat attempts to block this connection. It then communicates with the server under the protection of an RSA public key, allowing it to mask its traffic and thwart malware hunters.
It then encrypts the user’s files with a 256-bit AES key and wraps that key with a second RSA public key. Those layers of encryption make it impossible to restore access to the files without the corresponding RSA private key, which only the attackers hold.
How can cloud backup help businesses recover from Cryptolocker?
Some antimalware software can detect Cryptolocker prior to installation, but once the malware has infiltrated a computer, there is no way to restore access to those encrypted files. At that point, the best option for IT administrators and managed services providers would be to reformat the computer and restore files from a previously saved backup set.
This solution speaks to the value of automated cloud backup that saves the most recent version of files to a secure off-site location. MSPs that offer a combination of antimalware services and cloud backup are best suited to help their SMB customers infected with Cryptolocker.
Intronis partners benefit from being able to store unlimited versions of a file securely without using a ton of resources. And military-grade encryption keeps files stored in our dual-coast redundant data centers safe.
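The restore scenario described above, as an added illustration that is not code from the original post or from any Intronis product: a scheduled backup that runs after the infection will faithfully copy the encrypted files, so a store that keeps only the latest copy has nothing clean left to restore, while a versioned store can be rolled back to the last version saved before the attack. File names, contents, the integer clock and the hash-digest stand-in for ciphertext are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample files, standing in for the Office and database files Cryptolocker targets.
CLEAN_FILES = {
    "Q3-report.docx": b"Q3 revenue summary (constructed sample)",
    "customers.mdb": b"customer table (constructed sample)",
}

@dataclass
class Version:
    ts: int      # time of the backup run (constructed integer clock)
    data: bytes

class VersionedBackup:
    """Keeps every distinct version of each file, as a versioned cloud backup does."""
    def __init__(self):
        self.store = {}
    def backup(self, path, data, ts):
        versions = self.store.setdefault(path, [])
        if versions and versions[-1].data == data:
            return False            # unchanged since the last run: nothing new to keep
        versions.append(Version(ts, data))
        return True
    def restore(self, path, before_ts):
        """Newest version saved before before_ts, or None if there is none."""
        older = [v for v in self.store.get(path, []) if v.ts < before_ts]
        return older[-1].data if older else None

class LatestOnlyBackup:
    """Mirror that keeps one copy per file; every run overwrites the previous copy."""
    def __init__(self):
        self.store = {}
    def backup(self, path, data, ts):
        self.store[path] = data
        return True
    def restore(self, path, before_ts):
        return self.store.get(path)   # no history, so before_ts cannot be honoured

def fake_ciphertext(data):
    # Stand-in for the AES-encrypted contents; a digest is used only so the sample runs
    # without implementing any encryption. It is unrelated to the original bytes from a restore's view.
    return hashlib.sha256(data).digest()

def run_scenario(backup):
    """Clean files backed up at t=1, encrypted at t=2, backed up again at t=3,
    then restored to the state before t=2. Returns {path: restored bytes}."""
    for path, data in CLEAN_FILES.items():
        backup.backup(path, data, ts=1)
    for path, data in CLEAN_FILES.items():
        backup.backup(path, fake_ciphertext(data), ts=3)
    return {path: backup.restore(path, before_ts=2) for path in CLEAN_FILES}

def recovered(backup):
    """True only if every restored file matches its clean contents."""
    return run_scenario(backup) == CLEAN_FILES
```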