An Introduction to Crypto Viruses

By Frank Urbanski | February 22, 2016 (updated March 25th, 2016) | Cybersecurity

Crypto viruses are a type of ransomware that have been very lucrative for cyber criminals around the world lately. Just this week, Hollywood Presbyterian Hospital notably paid $17,000 to their crypto captor to get their files unlocked so they could continue to do business.  In this post we will give some background on what a crypto virus is, how it enters your network, and what we can do to prevent it.

Crypto Viruses

All crypto viruses fall under the umbrella of ransomware. In general, ransomware works by holding files, servers, or other systems “hostage” until the victim pays for their release. As of late, viruses such as CryptoLocker have gained a lot of notoriety. Generally, these crypto viruses all work in similar ways.

Anatomy of an Infection:

  • There are a few ways that an infection can begin. It can arrive as an attachment to an e-mail appearing to be from a legitimate source.  It can be inadvertently downloaded as a “drive by” from a malicious website.  It can be introduced from an employee’s home network when they VPN in.  It can piggyback on a malicious thumb drive.  The common thread is that the bad guys are able to get a file onto the network.
  • The user executes the file.  Usually, the malware will configure the system so that it runs again even if the machine is rebooted.
  • The virus then connects to a server somewhere on the Internet to receive an encryption key tailor-made for this attack (“command and control”).
  • The virus then uses the key it received to encrypt files on the user’s machine.  Once finished, it moves on to mapped network drives and starts encrypting every business file (documents, PDFs, AutoCAD files, etc.) it comes across.
  • After the encryption process is complete, a popup appears on the user’s desktop or the background is changed. The user is informed that they have a time period (usually 3 to 4 days) to pay a certain amount of money. If they pay, they will be able to download the encryption key to decrypt their files and get back to business again. If they do not pay and let the time expire, the encryption key will be destroyed along with any chance of accessing those files again.
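The mass-encryption step above (every file on the mapped drives, one after another) is also the most detectable moment of an infection: one account modifying hundreds of files a minute. The following PowerShell, an added example and not part of the original post, flags accounts whose rate of writes/renames looks like bulk encryption so that their share access can be cut off early; the `timestamp,user,action,path` records, the function name and the thresholds are all assumptions, and the sample data is constructed.

```powershell
# Added example (not from the original post): flag accounts whose rate of file
# writes/renames on a share looks like bulk encryption, so access for that account
# can be cut off (e.g. with Block-SmbShareAccess) before the whole share is lost.
# Input is "timestamp,user,action,path" lines; in production they would come from
# file-server audit events, here they are constructed sample data.

function Find-EncryptionBursts {
    param(
        [string[]]$Lines,
        [int]$Threshold = 50,      # modifying events inside one window that raise an alert
        [int]$WindowSeconds = 60
    )
    $modifying = @('Write', 'Rename', 'Delete')
    $events = foreach ($line in $Lines) {
        $f = $line -split ','
        if ($f.Count -lt 4 -or $modifying -notcontains $f[2]) { continue }
        [pscustomobject]@{ Time = [datetime]$f[0]; User = $f[1]; Action = $f[2]; Path = $f[3] }
    }
    $alerts = @()
    foreach ($group in ($events | Group-Object User)) {
        $times = @($group.Group | Sort-Object Time | ForEach-Object { $_.Time })
        $start = 0
        # Sliding window: move $start forward until the window spans at most $WindowSeconds
        for ($end = 0; $end -lt $times.Count; $end++) {
            while (($times[$end] - $times[$start]).TotalSeconds -gt $WindowSeconds) { $start++ }
            if (($end - $start + 1) -ge $Threshold) {
                $alerts += [pscustomobject]@{ User = $group.Name; Events = $end - $start + 1; From = $times[$start]; To = $times[$end] }
                break   # one alert per user is enough to act on
            }
        }
    }
    return $alerts
}

# Constructed sample: jdoe renames 120 files in 40 s (ransomware-like), asmith writes 5 files in 5 min.
$SampleLines = @()
$t0 = [datetime]'2016-02-22T09:00:00'
for ($i = 0; $i -lt 120; $i++) {
    $SampleLines += "$($t0.AddSeconds($i / 3).ToString('o')),jdoe,Rename,\\fs01\finance\doc${i}.docx.encrypted"
}
for ($i = 0; $i -lt 5; $i++) {
    $SampleLines += "$($t0.AddMinutes($i).ToString('o')),asmith,Write,\\fs01\finance\report${i}.docx"
}
Find-EncryptionBursts -Lines $SampleLines | Format-Table -AutoSize
```

Tune `$Threshold` against a normal day's audit volume first; a legitimate bulk copy or a nightly job will otherwise trip it.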

This sounds like a bad movie but it is definitely a sad reality. We are seeing this occur across all industries, from Healthcare to Finance to Technology.  Nobody is immune.

What can you do to protect yourself?

While this threat can be terrifying, what Alpine has been preaching in all of our blog posts will decrease your chances of infections like this.  Remember that no solution is 100% effective, but there are tried and true methods that don’t have to break the bank which will improve your chances of stopping or slowing this kind of infection.

Infection Avoidance

  • User Awareness:  Your users are the first line of defense, and sadly your weakest point.  Train them to not click on unknown links or attachments.  Retrain them regularly.
  • Content Filtering:  Use content filters for all of your web surfing and email traffic, and make sure you keep the rule sets up to date on both.  This will filter out known bad actors from the two most common vectors of attack.
  • Security Architecture:  Implement secure cyber solutions that eliminate people’s need to use insecure methods for things like file sharing, collaboration, and even music streaming.  If you make it easy to securely share files with the appropriate people, for instance, you’re less likely to have people bring thumb drives to work.  If you implement a sandboxed remote access solution (i.e. virtual desktops), you’re less likely to have a VPN connection leak a malware attack into your network.
  • Policy:  The security guy is never the most popular person in the room.  Even if he’s alone.  But you have to put your foot down and declare appropriate use of company resources. Implement GPOs to prevent USB mass storage (thumb drives).  Use a whitelist to only allow access to known safe websites.  Don’t give the CEO an exemption!  You won’t win friends, but you’ll save the company significant money and headache that results from an infection.
  • Application Whitelisting:  A more expensive, but also more effective solution is Application Whitelisting.  This means that every machine is only allowed to run the executable files that are on a known good list.  This requires quite a bit of effort to configure and maintain, but when done well, can dramatically reduce the aperture through which malware can operate.

Impact Minimization

  • Least Privilege:  Give your users the permissions their job requires – and nothing more.  If a user doesn’t have access to a file in a network share, they cannot encrypt it even if infected!  This is not easy, but every effort to remove a user’s access pays off if that user gets hit with a crypto virus.  Oh, and NEVER use the “Everyone” security principal.  Always make your ACLs declarative.
  • Backups:  This should go without saying, but BACK UP YOUR DATA!  Then, MAKE SURE THE BACKUPS WORK!  Also, make sure the business understands the true impact of their RPO and RTO decisions, as there is now a real and present danger that could cause them to have to restore data from those backups.  If that backup is too old or hasn’t been working properly, you could be left with no other option than to pay the ransom.
  • Network Isolation:  If your data is in a subnet that doesn’t have access to the Internet, you’re less likely to have it compromised.  If users can only get to the data via controlled mechanisms (e.g. through a web front end) and with a controlled set of verbs (put, get), you achieve multiple goals — less complex malware won’t know how to deal with it, and you have an easy valve to turn off access to people who may get infected.
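The Least Privilege bullet above is the one most file servers fail in practice: a share created with “Everyone / Full Control” years ago, or an NTFS ACL where a catch-all group can write. The following PowerShell, an added example and not part of the original post, audits every non-administrative SMB share on a file server for those two conditions; the list of catch-all principals and the function name are assumptions, and it uses only the built-in SmbShare and Get-Acl cmdlets.

```powershell
# Added example (not from the original post): report every non-administrative SMB
# share on this file server whose share-level or NTFS permissions grant access to
# "Everyone", or write access to other catch-all groups. Run elevated on the file
# server; needs the SmbShare module (Windows 8 / Server 2012 or later).

# Catch-all principals as Get-Acl reports them; extend with your own broad groups.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
# Any of these NTFS rights lets an infected account overwrite (encrypt) files.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-ShareAclFindings {
    $findings = @()
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        # Share-level ACL: "Everyone / Full" is the classic mistake.
        foreach ($entry in Get-SmbShareAccess -Name $share.Name) {
            if ($entry.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $entry.AccountName) {
                $findings += [pscustomobject]@{ Share = $share.Name; Layer = 'Share'; Principal = $entry.AccountName; Rights = $entry.AccessRight }
            }
        }
        # NTFS ACL on the share's folder: flag Everyone at all, other broad groups only when they can write.
        foreach ($ace in (Get-Acl -Path $share.Path).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            $canWrite = ([int]$ace.FileSystemRights -band $WriteMask) -ne 0
            if ($id -eq 'Everyone' -or ($BroadPrincipals -contains $id -and $canWrite)) {
                $findings += [pscustomobject]@{ Share = $share.Name; Layer = 'NTFS'; Principal = $id; Rights = $ace.FileSystemRights }
            }
        }
    }
    return $findings
}

Get-ShareAclFindings | Format-Table -AutoSize
```

An empty report means no share hands “Everyone” or a catch-all group write access at either layer; each finding is a share that an infected ordinary account could encrypt in full.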

What about Anti-Virus?

If you take one thing away from this blog post, please let it be that ANTI-VIRUS IS NOT A SOLUTION TO CRYPTO MALWARE.  Most anti-virus is less than 50% effective, even for malware it knows about.  Most anti-virus programs are signature-based, which means they identify malware based on the fact that other people have been hit with that malware already.  That doesn’t help with most modern threats, which change their form just enough to evade such identification mechanisms.

As you can see, crypto malware is a multifaceted problem with a lot of different mechanisms to minimize the impact.  Talk with your friendly neighborhood cyber security solutions practitioner and come up with a couple of plans — one for reducing your risk, and the other for cleaning up if you get hit.  But you can’t just ignore it anymore.

Author: Frank Urbanski

Frank worked for 8+ years as a Software and Cyber Security Engineer within the defense industry. At Alpine Cyber Solutions Frank oversees the Security Services line of business. He has his passions set on Incident Response, Automation, and Threat Management.
