Friday 20 June 2014

Nice filesystem you've got there...

"Nice filesystem you've got there.  Be a shame if anything... happened to it.  Know what I mean?"

It's a stock phrase used by thugs in extortion rackets in countless movies, TV shows, and video games.  It's also exactly the threat that Cryptolocker presents.  Cryptolocker is malware that when activated will encrypt all the files that it can write to, and hold the decryption key hostage.  If you pay the thugs the extortion money before the clock runs out, they give you the key, and you get your files back.  If not, your files are gone for good.

The media love using the countdown timer in Cryptolocker as a background, all the while talking about this new threat, and how the government should be doing something about it.  Except of course that it isn't really new.  It's just the latest way that criminals have found to monetise malware now that the fake-antivirus market is drying up.  And it won't be the last.

Don't get me wrong, it really is a serious problem both for individuals and for business, but it is relatively easy to avoid, and even possible to recover from without paying the criminals, but only if you plan ahead.  Here's the plan:

1.  Patch everything.
Most malware uses known vulnerabilities in operating systems and software applications to take over your computer.  If they are patched, they block the initial attack.

2.  Run current and up to date antivirus on all computers.
If the criminals can't use an unpatched vulnerability, they will try to install the malware by tricking you into clicking on a bad link, or opening a bad attachment.  If you are running a current antivirus solution from any reputable vendor, then the vast majority of this sort of malware will be blocked before it can be run.

3.  Make regular backups and ensure the backups are offline.
Even in the worst case where the malware has encrypted all of your files, the criminals aren't the only place to recover them from if you have a recent backup.  While it's very convenient to keep a USB backup drive connected to keep the copies, if you can write to that drive, then so can the malware.  After you've made a backup, disconnect the backup drive.

4.  Restrict user access to read-only everywhere except where required.
Cryptolocker will encrypt every file on every network fileshare it can write to.  In a business most users should not have full write access to all the corporate data repositories.  Restrict access either at the share level or the filesystem level.

5.  Have a response plan.
When the worst does eventually happen, and all the protective controls fail, having a plan means that you won't make the situation even worse by panicking.

Remember the threat over the next few weeks is no different from the threat over the last few weeks, or months, or years!  The media just has a new bone to chew on, but the defences are exactly the same as they have always been.  Just don't pay the criminals.

No comments:

Post a Comment