In the last 18 months or so, ransomware has been on the rise, and it has matured from annoying-but-fixable to no-one-can-fix-this levels. You should be very afraid of ransomware.
Ransomware is a form of malware (malicious software) where, typically, an external party does something to your computing device so that you can’t use it or you can’t access your files and you have to pay a ransom to regain access. Ransomware has been around for years, but there usually was a flaw in it so that experts could work around it. Or the person(s) responsible for spreading it made mistakes in how they set up their servers, which would then be shut down, or they could be traced when victims sent them money.
Enter CryptoLocker. CryptoLocker gets onto a user’s machine, typically through a phishing attack or a botnet. It then establishes a connection with one of its servers and generates an asymmetric encryption key pair that is unique for each computer it attacks. If you’re not familiar with asymmetric encryption (also called public key cryptography), it’s an encryption scheme using two keys: one is called the public key and one is called the private key. Once files are encrypted using the public key, they can only be decrypted using the private key. (They can’t even be decrypted with the public key.) This is great when you’re communicating financial information with your bank, but not so great when CryptoLocker uses it to encrypt files on your computer. Once it’s done, it deletes the public key on the computer. The private key never leaves the attackers’ servers, so there’s no opportunity to grab it during the attack.
CryptoLocker searches the computer with a list of file types it wants to encrypt. These are the typical user-generated files like spreadsheets, documents, photos, design files, etc. It’s not interested in harming the operating system. It just wants to encrypt files and hold them hostage. It searches by file extension and encrypts anything that matches the target list of file extensions.
CryptoLocker then starts a countdown clock giving the victim 72 hours to pay $300 for the private key to decrypt the files. If the fee isn’t paid in time, the server purportedly destroys the private key, and that means the files can never be recovered. (The key appears to live on for a little while. If the 72-hour window passes and then the victim regrets not paying the ransom, they apparently will offer to find the key, for about $2000. The victim has to send them one of the encrypted files, and it is surmised that they test it against their databases of private keys to find the one that works. They claim it takes 24 hours to find the key. If the victim is running a business, losing access to their files for this long could kill it.)
The victim can’t walk the computer to the nearest computer repair shop, or call a support line, and ask them to help. This is 2048-bit encryption using the RSA algorithm, which means no one can crack it. (Contrary to popular belief, tech people are not magicians. Using standard desktop computing power, it would take a little over 6.4 quadrillion years to break a 2048-bit key.)
But it gets worse. Any sort of hot backup in use can also be encrypted. What does that mean? Say you use a service like Dropbox to back up files on your home computer to the cloud, possibly syncing your files to other devices. When you install Dropbox on your computer, it acts like an added folder; you can see it in Windows Explorer. CryptoLocker can see that drive too and encrypt those files, which will then be synced to the cloud in their encrypted state, and then the encrypted copy will be synced to your other devices. Some of these cloud storage and file syncing services have file versioning, where previous versions of files are stored for a time, so you could roll back to a previous unencrypted version of the files. But would you really want to roll back each file individually? (At this time, I don’t think most of these services offer any sort of ‘bulk rollback’ option for files. If they do, I’d love to hear about it in the comments.)
On top of that, CryptoLocker can get to network drives, external hard drives, or USB drives, or any sort of attached storage – any files that can be viewed in Windows Explorer can be accessed by CryptoLocker. There are reports of shared network drives with tens of thousands of files being encrypted in this way.
There really is no way to protect yourself from CryptoLocker. The only solution is to have a cold backup of your files so that you can just wipe your hard drive, reinstall your operating system, and load the backed up copies of your files.
A cold backup – also called an offline backup – is one that is set up in such a way that the contents cannot be accessed from Windows Explorer. This could be files saved on discs (yes, discs) or files backed up to an external hard drive that is usually kept disconnected from the computer, or backup systems that do not act as a folder that can be viewed in Windows Explorer. For example, several backup systems on the market operate as a program running in the background, but they do not do a file mapping – that is, creating a folder that can be viewed in Windows Explorer – in the computer. Even these can be dangerous, however, because if they are running continuously and the victim’s files are encrypted by CryptoLocker, that backup service will merrily travel through the victim’s files and back up the encrypted versions. Again, most of these services offer file versioning so the victim can roll back to a previous version, but it’s not clear if bulk rollback is an option. To keep network drives safe, file permissions should be set so that the files are only readable, not writeable.
There are anti-virus/anti-malware companies out there that advertise that they have tools for helping you clean up your computer so that you can remove CryptoLocker and restore your files from your cold backup. (Anyone advertising that they can help you decrypt your files is selling snake oil.) Using such tools is not recommended. Whenever a computer is infected with a virus or malware, the only sensible way to handle the situation is to wipe the hard drive completely and reinstall the operating system and restore the files from a backup. One of the trickier aspects of CryptoLocker is that it spawns two processes of itself, so even if one of them is killed, the other one is waiting on the sidelines, ready to attack.
I mentioned above that past ransomware attacks have been stopped when the originating servers have been discovered or the perpetrator is discovered through the receipt of funds from victims. Unfortunately, these techniques won’t help with CryptoLocker. CryptoLocker uses a sophisticated array of servers for these attacks. Additionally, when some of the servers were knocked offline by whitehats – with the best intentions – some victims who paid the ransom were unable to decrypt their files because the private keys were no longer available.
As for tracing the perpetrators through payments, there are now anonymous payment services that get around this issue. Payment is expected in the form of a MoneyPak or Bitcoin. This makes the payments untraceable.
How can you avoid getting attacked in the first place? Never click on a link in an email. Seriously. Many phishing attacks look pretty plausible. You’ll receive an email that looks like it came from DHL, FedEx, UPS, etc., telling you to click on a link to log in to your account to deal with some shipping issue. Or you work with financial information, so you get an email that looks like it comes from Intuit, with an attached zip file that you are told is a necessary upgrade to your software, or it’s software being given to you for free. Or you receive an email that looks like it comes from a bank, telling you that they’re having a hard time contacting you about a money transfer. Many emails spoof PayPal or eBay.
Any time you receive an email that offers you a link – especially when it’s a link to log in to your account to deal with something – do not click on the link. Instead, go to that site directly by typing the URL into your browser, and log in from the front page of the site. (If you don’t have an account with them, or you’re not expecting a package from them, or you don’t have that software, don’t be gullible – it’s an attack. No one is contacting you via email about money transfers or packages that you don’t know about.)
The lessons here are to avoid getting attacked, which happens mostly via email or by using illegal download sites. More importantly, make sure you have cold backups of all of your files at all times. (Bonus Professional Option: Make sure the backups are usable! Some people end up having to pay the ransom because they discover that the backups are corrupted.) Everyone puts off backing up files until ‘later’. Don’t let ‘later’ be the day that you find out your files are being held ransom. (Can you live without all of those digital photos of your kids or your wedding that are not stored anywhere else?)
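One way to put the ‘make sure the backups are usable’ advice into practice, and to catch a backup that quietly absorbed encrypted copies the way the hot-backup paragraph above describes, is to check the backup against a manifest of file hashes recorded while the files were known to be good. The following Python script is an added example, not code from the original post; the folder names and sample file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in 64 KiB chunks so large photos don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256, taken while clean."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def verify_backup(backup_root, manifest):
    """Return (ok, changed, missing): 'changed' files were altered after the
    manifest was taken (e.g. overwritten with ciphertext), 'missing' never arrived."""
    backup_root = Path(backup_root)
    ok, changed, missing = [], [], []
    for rel, digest in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != digest:
            changed.append(rel)
        else:
            ok.append(rel)
    return sorted(ok), sorted(changed), sorted(missing)

def demo():
    """Constructed scenario: clean manifest, then a backup with one altered and one missing file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "docs")
        src.mkdir()
        (src / "budget.xlsx").write_bytes(b"clean spreadsheet bytes")
        (src / "photo.jpg").write_bytes(b"\xff\xd8 jpeg bytes")
        (src / "notes.txt").write_bytes(b"meeting notes")
        manifest = build_manifest(src)   # keep this manifest with the cold backup
        bak = Path(tmp, "backup")
        bak.mkdir()
        (bak / "budget.xlsx").write_bytes(b"\x93\x0e\x7f garbage in place of the file")
        (bak / "photo.jpg").write_bytes(b"\xff\xd8 jpeg bytes")  # intact copy
        return verify_backup(bak, manifest)   # notes.txt is absent from the backup

if __name__ == "__main__":
    print(demo())
```

Run the check against the offline media with the manifest stored alongside it; anything listed under ‘changed’ or ‘missing’ means that copy is not one you can restore from.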
Right now, this is a Windows-only nightmare, but people using other operating systems (that’s you, Apple fans – I’m not worried about informing the Linux and FreeBSD users) should be aware of how ransomware works and why cold backups are necessary.
If you want to read more about it, here are some articles and other information sources:
(If you’re wondering why an archivist is writing about technology issues, it’s because I not only think about preserving paper and physical objects; I also think about preserving digital content. I’m particularly interested in ‘personal digital archiving’. That means I get to put on my propeller beanie every now and then. And my tinfoil hat. Maybe I should get a tinfoil-covered propeller beanie.)