A Q&A with Michael Tanji of Kyrus
The introduction of CryptoLocker “ransomware” poses a new security threat to organizations—in fact, one of our customers was recently hit with this hostage-taking nuisance. To get a better sense of what CryptoLocker does and how it can be stopped before any damage is done, I spoke with Michael Tanji of Kyrus.
Can you please explain in layperson terms what this virus is and what sort of damage it can wreak on an organization?
We call CryptoLocker ransomware because when it infects a system it encrypts the files and keeps the encryption key locked away, so that the only way to get access to those files is to pay a ransom. Ransomware is not a new class of malware, but CryptoLocker is far and away the best of this class. It’s only a couple of months old and it’s already infected a wide range of organizations of various sizes—it’s pretty indiscriminate. Just who is behind CryptoLocker is not known. We do know that they are pretty sophisticated in their understanding of cryptography and they have been able to deal with a large volume of victims so that speaks to their ability to operate to scale. It may be weird to say this about a criminal endeavor, but this is really an enterprise IT operation.
What do the people perpetrating the crime, whoever they may be, stand to gain from this?
The motive is purely financial. There has to be a level of trust there, too—if they were going around and taking ransoms and not turning over the keys the whole thing would fall apart, so these are very business-oriented people. They’ve probably made millions of dollars and they’re not going to jeopardize that by being unreliable.
How does it work? How might CryptoLocker slip through traditional security defenses such as antiviral software (AV)?
There’s no actual malware or virus in the initial attachment, so it’s not something that would be detected. It’s a very simple program. Once you double click on that benign-looking attachment, usually sent to you in an email—it might appear as a zipped PDF or audio file like a voicemail coming from someone you know—and then it downloads the malware. At that point it’s already bypassed the AV and it’s encrypting files. By the time an AV company figures out the file used the perpetrators will change it, so AV will detect it after the fact—it won’t prevent it.
What can be done, then, to mitigate or prevent it?
To detect and stop CryptoLocker before it can encrypt all your files, you’d have to have a security solution such as Carbon Black in place, monitoring the system constantly for CryptoLocker-type of behavior—not the files used by CryptoLocker per se. Carbon Black is unique because it runs all the time so you could catch CryptoLocker in the act. It is equally important to ensure that your backups are working. Test them! We’ve had a number of customers who thought their backups were working only to find out once they become victims that they were wrong. Finally, train employees to be suspicious of attachments; it only takes one click to get infected, and in a large enterprise that’s sharing files and drives, that one click will enable CryptoLocker to access everything. If employees do notice errors or corruption warnings when they try to open files, they should turn their computers off to stop CryptoLocker from working on that system. At that point forensics could pull any unencrypted files from the victim’s drive.
What steps must be taken to remedy the damage?
Once it’s run, you really only have two options. If you have a backup you can restore your system from that. But if you don’t, you have to pay the ransom demanded, and you won’t get your files back unless you do. Some people have a serious ethical problem with paying for the ransom and I don’t disagree, but you have to put your morals and emotions aside in this case—if there are no backups you stand to lose the lifeblood of your business. Calling a security company to do traditional incident response will cost more than the ransom and in the end it won’t help because no amount of forensics will get the key needed to unlock your files. It’s best to think of it as a business transaction.
Assume you do pay the ransom: what’s the procedure and what’s the typical cost?
The magic of CryptoLocker is that the ransom is always more cost effective than any kind of incident response. If you pay within 72 hours, it’s usually 300 dollars, payable in Bitcoins. Beyond 72 hours the cost goes up. If you call an incident response company they should not charge you any more than a few hundred dollars to help with the transaction and decryption. The perpetrators even provide a program to decrypt the files and maintain an online forum with FAQs to help people having trouble getting their files back.
We thank Mr. Tanji for illuminating this emerging tricky threat for the cyber liability insurance industry. We’ve already seen CryptoLocker in action on a firsthand basis with several of our clients. The unfortunate reality is that while staff education about threats (e.g., don’t click on email attachments from strangers) can help prevent some attacks, awareness campaigns are not a perfect salve and bad guys will always be able to exploit this weak spot.