Recent publicity seems to have woken people up to the dangers of Cryptolocker

I’m still seeing lots of references to the security measures we should take to protect ourselves against Cryptolocker and a lot of my computer support clients are also asking for my advice as to whether they are adequately protected. If you don’t know what I’m referring to, have a look at these two blogs:

GameOver Zeus and Cryptolocker

The main area of inadequate protection that I am finding amongst my computer support clients is the lack of an “offline” backup.

What is an offline backup? We refer to stuff being “online” if it is connected to your main system – ie directly connected to your laptop or desktop computer or connected to your local network via your router. Stuff that is “offline” is likely to be either:

  • A USB thumb drive (also known as a “memory stick”, although that is actually a proprietary name of a Sony device) that is not plugged into your computer at the moment
  • A DVD or CD
  • An external hard drive that is not connected to your computer at the moment
  • In “the cloud” (eg on Skydrive, or iCloud).

The point here is that Cryptolocker is capable of detecting drives that are currently connected (“online”), so this would include a currently connected USB drive or external hard disc. Your backup needs to be detached from your computer at the time of an attack by Cryptolocker to ensure that it remains safe (ie it must be “offline”). The only exception that I can think of is that anything you have burned to a CD or DVD is safe even if the disc is in the CD/DVD drive, provided that the media is of the “read” type rather than “read/write”. This is because, by definition, data can only be burned once onto a DVD-R or CD-R disc, so Cryptolocker won’t be able to replace your data with an encrypted version.

Backups that are “in the cloud” are probably not directly accessible by Cryptolocker. I am not certain about this, but I can’t find any reference to cloud backups being vulnerable by virtue of them being “online”. However, there is a very big “but” here in that if your backups to the cloud are managed by a programmed schedule (as opposed to backups only being created manually on an ad hoc basis) then your backups could be at risk as a result of the schedule deleting your previously good backup and replacing it with files that have been encrypted by Cryptolocker.

One way to get over the problem of cloud backups being overwritten with encrypted files would be to establish another cloud account and then to periodically copy the backup data from the first cloud account to the second cloud account. If this backup is not created by a schedule then files encrypted by Cryptolocker will not overwrite a good backup with an encrypted one.

Another step that can be taken to add a layer of security to your backups is to take a backup onto an external drive (hard drive, USB “memory stick”, or even CD or DVD) and then ask someone to keep this safe for you in their premises rather than your own. I advise doing this. It has always been a good practice, but, in reality, I’ve only ever been able to persuade a very few of my computer support clients that it is a practice worth adopting. This “off-premises” backup becomes, in effect, an “archive”. An archive is a backup that is not overwritten with a later backup. So, for instance, you may archive your annual accounts. This means that whatever happens in the future you should always be able to access that particular year’s accounts because the backup never gets overwritten with a later one.
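The difference between a scheduled “mirror” backup and an archive that is never overwritten is easy to show in code. The following is an added example, not part of the original post and not any backup product’s own code: it simulates, in memory, a mirror sync and a dated-snapshot archive, runs a stand-in for a Cryptolocker pass over the live files (contents replaced with random-looking bytes, names unchanged), and adds a check the post does not describe but which follows from it, namely refusing to copy a file whose contents no longer begin with the header its extension promises. The file headers, file names and dates are constructed for the demo.

```python
"""Added example (not from the original post): why a scheduled mirror
backup can be ruined by Cryptolocker while a never-overwritten archive
survives, plus a sanity check that refuses to sync files that no longer
look like their own type.  Everything runs in memory on constructed data."""
from datetime import date

# File-type "magic" prefixes for the common data files the post mentions.
# Office 2007+ files (.docx/.xlsx) are zip containers, hence "PK".
MAGIC = {
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff",
}


def looks_like_its_type(name: str, data: bytes) -> bool:
    """Return True if the content starts with the header its extension
    promises.  Encrypted output is effectively random, so a ransomed .docx
    fails this test even though its name was left alone."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    magic = MAGIC.get(ext)
    if magic is None:
        return True  # unknown type: nothing to check against
    return data.startswith(magic)


def mirror_sync(live: dict, mirror: dict) -> None:
    """Scheduled 'mirror' backup: replace the backup with whatever is live."""
    mirror.clear()
    mirror.update(live)


def archive_snapshot(live: dict, archive: dict, day: date) -> dict:
    """Archive-style backup: every run writes a new dated snapshot and never
    touches earlier ones.  Files that fail the type check are reported
    instead of copied, so one bad run cannot poison the archive."""
    suspicious = {n for n, d in live.items() if not looks_like_its_type(n, d)}
    snapshot = {n: d for n, d in live.items() if n not in suspicious}
    key = day.isoformat()
    if key in archive:
        raise ValueError(f"snapshot {key} exists; archives are never overwritten")
    archive[key] = snapshot
    return {"kept": sorted(snapshot), "refused": sorted(suspicious)}


def demo() -> dict:
    # Constructed "live" data: a Word document and a PDF with valid headers.
    live = {
        "accounts.docx": b"PK\x03\x04" + b"...document body...",
        "invoice.pdf": b"%PDF-1.4 ...",
    }
    mirror, archive = {}, {}
    mirror_sync(live, mirror)
    archive_snapshot(live, archive, date(2014, 6, 1))

    # Constructed stand-in for a ransomware run: contents replaced by
    # high-entropy bytes, file names unchanged.
    for name in live:
        live[name] = b"\x8f\x12\xa4\x00\x77" * 4

    mirror_sync(live, mirror)  # the scheduled mirror happily overwrites
    second = archive_snapshot(live, archive, date(2014, 6, 2))

    return {
        "mirror_good_copies": [n for n, d in mirror.items() if looks_like_its_type(n, d)],
        "archive_2014-06-01": sorted(archive["2014-06-01"]),
        "second_run_refused": second["refused"],
    }


if __name__ == "__main__":
    print(demo())
```

After the simulated attack the mirror holds no usable copy of either file, the 1 June snapshot still holds both, and the 2 June run refused both files rather than writing encrypted junk into a new snapshot. The header check is deliberately simple; its job is only to stop a schedule from silently replacing good data with bad.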


How safe is your data?

These “archives” don’t get updated (that’s what distinguishes them from backups), so they probably won’t include the very latest data if you suffer an attack from Cryptolocker. Nevertheless, they do provide you with a “worst case scenario” of the very least that you can expect to be able to recover if you should have a disaster such as a Cryptolocker attack. The other main reason for taking an “offsite backup” is that it also provides a layer of security against something disastrous happening to the location of your main system and backups – eg fire, theft, or flood.

However many levels of backup you introduce, you will only be absolutely sure that a usable backup exists if it’s there and it works when you need it. I’m afraid there are no absolute guarantees in this area. I think it’s one of those areas of computing where you have to make up your own mind how much time and effort you put into safeguarding your data. My own impression, though, is that – on average – my computer support clients probably do not pay enough attention to creating adequate backups and I suspect that it would be quite reasonable to extrapolate from that to say that most people, generally, are probably more vulnerable to losing data to the likes of Cryptolocker than they would like to be. As they say up North – think on!

Is the NCA trying to panic us into action?


GameOver Zeus is actually a “Trojan Horse” – malware that tricks you into installing it. It then attacks your system from the inside.

Last week the National Crime Agency (NCA) claimed a huge victory over cyber criminals after they had managed to take control of a massive network of “bots”. Bots are ordinary people’s computers that have been infected with malware that allows the criminals to use them to further their aims. It appears that the main purposes of this bot ring were to attack people’s computers to steal financial information (using, for example, the GameOver Zeus malware) and/or to infect the computer with Cryptolocker. This encrypts the contents of the hard drive and a ransom is then demanded for the decryption. I wrote about Cryptolocker on 02/11/2013.

You can read the news item in several places, including here:

Mail Online
ITV News

My points are twofold:


The FBI would like a word with this gent about GameOver Zeus and Cryptolocker

1) It appears to me that this story is being spun so that a success story about putting criminals out of action (even only temporarily) is being turned around so as to frighten everyone by saying, in effect, “they’ll be back in action in a couple of weeks. You’ve got just two weeks to make your computer safe before something terrible happens”. In fact, nothing bad has just happened and nothing bad will happen in two weeks that wouldn’t have happened anyway. Instead of crowing about their recent success, the powers that be have chosen instead to grab the publicity opportunity to frighten us about what may happen if we don’t pull our socks up, security-wise.

2) The steps that we are recommended to take are just the sensible, manageable, precautions that I have always recommended. That’s not to say that I’m such a clever clogs. It just means that we are not expected to perform Herculean tasks to keep the criminals out of our systems. We just need to be sensible and take our computer security seriously.

These are the steps that we should incorporate into our daily computing lives:

  • Always have antivirus software installed, running, and updated (unless you use a Mac)
  • Always install the latest operating system security updates. With modern versions of Windows these are completely automatic if your Windows is set up correctly.
  • Install any updates that are offered by Adobe Reader or Adobe FlashPlayer.
  • If you have Java installed, then always install any offered updates (but Java is falling out of favour as it is considered too much of a security risk. I’ve just un-installed it from my laptop and will see if that causes any problems in using any websites)
  • Take regular backups of any data that you wouldn’t want to lose (including photos, home movies, and emails if they are stored on your computer)
  • Do not open email attachments from people that you do not know or trust
  • Do not download anything from any website if you are at all suspicious
  • Do not download anything that seems to be too good to be true. If it seems too good to be true then it probably is too good to be true
  • Do not believe anyone phoning you up and claiming to be from Microsoft or any other organisation if they tell you that you have a virus and they’d like to help you remove it
  • Be very careful downloading any free software. Do you really want it? Do you really trust it? Moreover, take care when installing any free software. Never accept the “default” installation. Always choose the “custom” installation as this will probably give you a chance to reject other, unwanted, items that would otherwise be installed.
  • Do not – ever – use the same password for more than one account. Really. I mean it.
  • All passwords should be eight characters long (at the very least) and consist of at least two of the following four types of characters – uppercase letters, lowercase letters, numbers, symbols.
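The last item is a rule that can be checked mechanically. The following is an added example, not code from the original post: a small checker for exactly the rule stated above (at least eight characters, drawn from at least two of uppercase letters, lowercase letters, numbers and symbols). The minimum length and minimum number of character types are parameters so the same function can enforce a stricter policy; the sample passwords in the usage block are constructed.

```python
"""Added example (not from the original post): a checker for the password
rule stated in the list above, namely at least eight characters drawn from
at least two of the four character types."""
import string


def password_meets_rule(password: str, min_length: int = 8, min_classes: int = 2):
    """Return (ok, reasons).  'reasons' lists every way the password falls
    short, so a user sees all the problems at once rather than one per try."""
    classes = {
        "uppercase letters": any(c in string.ascii_uppercase for c in password),
        "lowercase letters": any(c in string.ascii_lowercase for c in password),
        "numbers": any(c in string.digits for c in password),
        # Anything that is not a letter, digit or whitespace counts as a symbol.
        "symbols": any(not c.isalnum() and not c.isspace() for c in password),
    }
    reasons = []
    if len(password) < min_length:
        reasons.append(f"only {len(password)} characters; need at least {min_length}")
    present = sum(classes.values())
    if present < min_classes:
        missing = [name for name, found in classes.items() if not found]
        reasons.append(
            f"uses {present} character type(s); need at least {min_classes} "
            f"(missing: {', '.join(missing)})"
        )
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed sample passwords; none of these is a recommendation.
    for candidate in ["password", "Pa55word", "short1A", "12345678"]:
        ok, why = password_meets_rule(candidate)
        print(f"{candidate!r}: {'OK' if ok else 'REJECT: ' + '; '.join(why)}")
```

Note that the rule only tests composition; it says nothing about whether the password has been reused elsewhere, which the previous item in the list forbids and which no checker on your own machine can see.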

If you can go through that list and tick every item then you are taking reasonable steps to safeguard your computer. I can’t guarantee that you won’t be attacked by something online, but it’s a bit like driving a car. You may be the best driver in the world and still be involved in an accident. Nevertheless, you’re certainly going to be a lot safer than someone who has never even learned any road sense.

And you Mac owners shouldn’t be complacent, either. A lot of the traps that Windows users fall into are just as easy for Mac owners to fall into. Just because Macs don’t normally get viruses that doesn’t make it safe for you to re-use passwords, or open dodgy emails. A Mac owner can fall for a phishing scam just as easily as a Windows PC owner. And if Apple offer you system updates, then take them.

The next time that an IT horror story breaks through into mainstream consciousness, it could well be caused by CryptoLocker

What is CryptoLocker?

It’s a horrible piece of malware that encrypts the most common types of data files on your computer (especially Microsoft data files such as Word documents and Excel spreadsheets). Once attacked, you cannot get access to those files unless you pay the perpetrators to decrypt them. Strangely, it appears that paying the ransom does actually get you the “key” to unlock your files again. Maybe the “perps” are very clever and have realised that if they get a reputation for “honouring their promise” (huh?), then sufferers will be more likely to take a risk and pay.

At this point, Mac users are permitted a smirk – CryptoLocker only attacks Windows computers.

How do you get it?

It’s usually downloaded as an email attachment when the user is duped into accepting something that looks like a pdf file, but isn’t. I received a similar thing just a few days ago (although it displayed as a zip file in this instance). Take a look at Figure 1. It appears to be from Amazon and it would be very easy indeed to apply 20% of my attention to it and just open the attachment. I don’t know if this one contains CryptoLocker, but I do know that this message is fake. Look at the “sent” address. Since when did Amazon send emails out in the name of “crescenzireider@yahoo”?


Figure 1. Fake email message that may contain CryptoLocker or other malware

Also, this just isn’t how Amazon send despatch notices etc. and, anyway, I have a system (of sorts!) for tracking Amazon orders and know I’ve got nothing outstanding. So, I haven’t opened the attachment and this has kept me safe from any “payload” it may have (and don’t worry – you can’t catch anything from Figure 1: it’s just a harmless image file by the time you see it).

Other common ways of getting you to open an infected file include faking the attachment as a FedEx or UPS delivery note, or faking a document from your bank.

Once you’ve been infected, you will be presented with a demand for money (typically $100 or $300) and a short time (4 days) to pay up. If you don’t pay in that time then your files go to data heaven. The bad guys “forget” the key that will unlock them and that’s that. Moreover, if your regular backups are made on other hard drives on your own computer then those backups are also at risk. Apparently, the malware isn’t yet configured to look in networked drives, but that’s got to be just a matter of time.


Figure 2. If you see this window, you’ve got problems

How do you stop it?

If you are working in a large or medium organisation (with IT staff) then Windows can be configured to stop you opening all kinds of attachments that are “executables”. This is probably neither possible nor practical for the average home user. To begin with, you need to have Windows 7 Professional, Ultimate, or Enterprise (ie not Windows 7 Home). If you have Windows 8, it needs to be either the Pro or Enterprise version. If you are using Vista you are unlucky, and if you are still using Windows XP then here’s yet another reason to move on – Microsoft support for Windows XP is ending. There is, anyway, a danger of throwing the baby out with the bathwater. Putting restrictions in place to stop you opening a fake file would probably also stop you opening genuine ones – very annoying.

Another thing you can do is to change the view of your files in Windows Explorer so that file extensions are always displayed. This may alert you to the fact that a file that appears to be called “readme.pdf” is actually “readme.pdf.exe”.
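Both of the checks described in this post, the sender address that does not match the organisation named in the “From” line (the fake Amazon message in Figure 1) and the attachment whose real extension hides behind a document-looking one (“readme.pdf.exe” above), can be done by a script rather than by eye. The following is an added example, not code from the original post or from any mail product: it takes a message’s From header and attachment names and returns plain-English warnings. The message, the freemail address and the list of domains a brand genuinely sends from are constructed for the demo; for real use you would fill in the domains you have verified for the organisations you deal with.

```python
"""Added example (not from the original post): the two checks the post
describes, done by a script.  (1) Does the sender's address belong to the
organisation the display name claims?  (2) Does an attachment name hide an
executable behind a document-looking extension, e.g. "readme.pdf.exe"?
All message data below is constructed."""
from email.utils import parseaddr

# Extensions Windows will run as a program when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}
# Extensions commonly placed in front of the real one to look harmless.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}
# Archives are not executable themselves but often wrap something that is.
ARCHIVE_EXTS = {"zip", "rar", "7z"}


def attachment_warnings(filename: str) -> list:
    """Warnings about one attachment name; empty list means nothing noted."""
    exts = filename.lower().split(".")[1:]
    warnings = []
    if not exts:
        return warnings
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        warnings.append(f"'{filename}' is an executable (.{last})")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            warnings.append(f"'{filename}' uses a double extension to look like a .{exts[-2]}")
    elif last in ARCHIVE_EXTS:
        warnings.append(f"'{filename}' is an archive; whatever is inside has not been checked")
    return warnings


def sender_warnings(from_header: str, claimed_org_domains: dict) -> list:
    """claimed_org_domains maps a brand word (lower case) that may appear in
    the display name to the domains that brand genuinely sends from."""
    display, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    warnings = []
    for brand, genuine in claimed_org_domains.items():
        claims_brand = brand in display.lower()
        from_genuine = any(domain == g or domain.endswith("." + g) for g in genuine)
        if claims_brand and not from_genuine:
            warnings.append(f"display name mentions '{brand}' but the address is at '{domain}'")
    return warnings


def assess(message: dict, claimed_org_domains: dict) -> list:
    """All warnings for a message given as {'from': ..., 'attachments': [...]}."""
    findings = sender_warnings(message["from"], claimed_org_domains)
    for name in message.get("attachments", []):
        findings.extend(attachment_warnings(name))
    return findings


# Constructed table: which domains a brand really uses is something you verify
# for your own case; the two Amazon domains here are an assumption for the demo.
KNOWN_SENDERS = {"amazon": ["amazon.co.uk", "amazon.com"]}

if __name__ == "__main__":
    fake = {
        "from": '"Amazon.co.uk" <someone@freemail.example>',
        "attachments": ["Order_Details.pdf.exe", "invoice.zip"],
    }
    for line in assess(fake, KNOWN_SENDERS):
        print("WARNING:", line)
```

The sender check deliberately only fires when the display name borrows a brand you have listed, so it stays quiet about unknown senders rather than flagging everything; the attachment check reports on the name alone, which is exactly what showing file extensions in Explorer lets you do by eye.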

Why doesn’t antivirus software stop it?

I don’t know. I’ve been to a number of websites to help me prepare this blog and none of them are specific on this point. They just say things like “(antivirus programs) have a particularly difficult time stopping this infection” and “Security software might not detect CryptoLocker, or detect it only after encryption is underway or complete”.

I understand that removal of the software is just a case of uninstalling it in the usual Windows way – ie go to “Programs and Features” in the Control Panel. That doesn’t decrypt your data, of course.

So, where does that leave us?

  1. We have to be even more vigilant than ever in opening email attachments. Don’t open any email attachment until you’ve looked at the email and made a definite decision that you trust the sender. For goodness sake, don’t think, “I’ll open it and just delete it if it’s crap” (which is how, I suspect, a lot of people filter their email). If it’s got CryptoLocker in it then it will be too late by the time you realise what’s happening.
  2. We have to review our data backup situation. Are you one of the millions who “haven’t got round to” creating backups? If so, do you really want to find out the hard way why they are so important? And if you do take backups, but these are just file copies on your hard drive or permanently attached drives, then my advice is to take an “offline” backup asap (eg to a USB drive or DVDs).

Sorry for delivering yet another warning of the dangers of the internet. I really don’t want to put anyone off using it, but we need to pay close attention to what we are doing. Think in terms of being “streetwise” about the internet (“cyberwise”?). You wouldn’t park your bicycle, unlocked, on Oxford Street and expect it to be there when you got back, would you? If you apply the same common sense online then I think the chances of being caught out will be greatly reduced.

© 2011-2019 David Leonard
Computer Support in London