When IT professionals think of data protection, they usually think of protecting data from accidental deletion or from catastrophic loss when a disk array fails. The goal of the data protection process is to keep data accessible when such events occur. There is, however, a kind of access loss that is occurring more and more often: data being taken hostage by a CryptoLocker-style application. Recovering from a CryptoLocker-style attack requires more than data security; it requires a new attitude towards data protection.
In this series, we will examine some specific types of threats to data security and who may be most at risk.
A Brief History
Back in 2013, a malicious new type of ransomware Trojan called CryptoLocker made headlines and television news reports across the world, as it seemed to be popping up everywhere. Ransomware itself is not a new concept; other ransomware programs had been reported as far back as 2006 and had infected thousands of computers long before CryptoLocker made the news.
Ransomware is a type of malware (short for malicious software) that limits or prevents users from accessing their computer system or data until they pay a ransom, through some online or electronic payment method, to be granted access again. The term Trojan refers to a Trojan horse: a malicious program disguised to look like a legitimate document, email attachment or utility program.
Previous forms of ransomware did things like locking the computer screen or encrypting parts of the OS (Operating System) so that the system could not be used until you paid the ransom. These tactics could be defeated fairly easily by knowledgeable IT personnel: in most cases you could boot the system from a recovery or bootable CD/DVD and run an anti-virus program or malware removal tool to remove the ransomware and restore system access. Worst case, you could reload the OS using its repair function and, if necessary, restore your data from a recent backup.
But CryptoLocker upped the ante in a unique way. Instead of going after the OS or simply locking the system, it encrypted every data file on the system (and on any mapped network drive it could reach) whose name matched its list of file extensions: documents, spreadsheets, database files, graphics, drawings and other data files that would matter to any user or business. It used strong, standard cryptography in the usual hybrid arrangement: each file was encrypted with an AES key, and that AES key was in turn encrypted with an RSA public key whose private half existed only on the attackers' server. Without that private key, decrypting the files was computationally infeasible, and because the private key never touched the victim's machine there was nothing on disk or in memory for a forensic examiner to recover.
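Because a CryptoLocker-style encryptor overwrites files in place with AES output that is statistically indistinguishable from random bytes, one practical check on a file server is to look for targeted files that have lost their format header and now read as near-random. The following Python script is an added example, not code from the original article or from any product it mentions; the extension list, the magic-number table, the 7.5 bits/byte threshold and the sample files it writes into a temporary directory are all constructed for illustration. It also handles the obvious false positive: formats that are compressed when intact (docx, jpg) already have high entropy, so the header check, not entropy alone, decides for them.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Illustrative (constructed) list of data-file extensions a CryptoLocker-style
# encryptor targets: documents, spreadsheets, images, drawings, databases.
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg",
                     ".png", ".txt", ".csv", ".dwg", ".mdb"}

# Leading "magic" bytes that intact files of these formats always carry.
# AES output is random-looking, so a file that has lost its magic is a red flag.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",            # OOXML = ZIP container
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",  # OLE2 compound file
    ".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG",
}

# Bits of entropy per byte above which content is treated as ciphertext.
# Plain English text sits around 4.5; AES output approaches 8.0. Assumed value.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> str:
    """Label one file 'encrypted', 'ok' or 'skip'.

    Compressed formats (docx, jpg, pdf streams) have high entropy when intact,
    so entropy alone would flag them; the header check is what prevents that
    false positive. Headerless formats (txt, csv) are judged on entropy alone.
    """
    if not path.is_file() or path.suffix.lower() not in TARGET_EXTENSIONS:
        return "skip"
    data = path.read_bytes()
    magic = MAGIC.get(path.suffix.lower())
    if magic is not None and data.startswith(magic):
        return "ok"  # header intact: not encrypted in place
    return "encrypted" if shannon_entropy(data) >= ENTROPY_THRESHOLD else "ok"


def scan_tree(root) -> list:
    """Sorted names of targeted files under `root` that look encrypted."""
    return sorted(p.name for p in Path(root).rglob("*") if classify(p) == "encrypted")


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: intact files plus files 'encrypted' in place."""
    text = b"Quarterly sales notes: revenue up, costs flat, hiring two engineers.\n"
    (root / "docs").mkdir()
    # Intact files. The docx/jpg bodies are random to mimic compressed payloads.
    (root / "docs" / "report.docx").write_bytes(b"PK\x03\x04" + os.urandom(8192))
    (root / "docs" / "notes.txt").write_bytes(text * 120)
    (root / "scan.jpg").write_bytes(b"\xff\xd8\xff\xe0" + os.urandom(8192))
    (root / "empty.csv").write_bytes(b"")
    # Files a CryptoLocker-style encryptor has already overwritten with ciphertext
    # (simulated with os.urandom, which is statistically what AES output looks like).
    (root / "docs" / "budget.xlsx").write_bytes(os.urandom(8192))
    (root / "memo.txt").write_bytes(os.urandom(8192))
    (root / "photo.jpg").write_bytes(os.urandom(8192))
    # Not a targeted type: ignored regardless of content.
    (root / "setup.exe").write_bytes(os.urandom(8192))


def demo() -> list:
    """Build the sample tree in a temp dir, scan it, return the flagged names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    print("files that look encrypted in place:", demo())
```

Run against the constructed tree, `demo()` flags `budget.xlsx`, `memo.txt` and `photo.jpg` and leaves the intact docx, jpg, text and empty files alone. On a real share the useful signal is the rate: count flagged files per minute and alert when it exceeds a baseline. Note that any such heuristic fires only after some files have already been rewritten, which is exactly why the recovery story still comes down to backups.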
Your only options were to pay the ransom and hope the criminals would actually hand over the private key, or to clean the system and restore your data files from your last good backup; any data that was new or changed since that backup was lost. Payment was demanded through specific electronic payment services or Bitcoin, a relatively new digital currency that appeared in 2009, because these made the transactions very hard to tie back to the malware authors.
In May 2014, a coalition of law enforcement agencies from the US, Britain and several other countries was finally able to locate, seize and shut down the servers and the botnet that were CryptoLocker's main distribution channels.
Defending Against CryptoLocker’s Successors
While CryptoLocker itself is gone, this type of threat has not been eliminated. Symantec reported at the end of 2014 that ransomware attacks had increased by 113% during that year, and new ransomware families that copy CryptoLocker's strategy are still being reported by anti-virus vendors today. Microsoft reported that over 500,000 PCs were infected by the Crowti (also called CryptoWall) and TeslaCrypt families in the first half of 2015 alone. This type of threat is therefore still a danger today, and it is not the only threat to data security.
Large organizations usually have robust data and system protection resources, ranging from anti-virus/anti-malware software on all their systems to sophisticated UTM (Unified Threat Management) edge devices capable of enforcing security policies and detecting and blocking threats as they develop. Those policies ensure proper deployment and configuration of anti-virus/anti-malware software on every system in the enterprise, including endpoints such as laptops and workers' BYOD (Bring Your Own Device) hardware. Large organizations also have knowledgeable IT personnel and several ways of protecting data with backup technologies such as snapshots, replication and cloud storage, to name a few.
But is this really enough to properly ensure data security in an enterprise setting? And what about SMBs (Small to Medium Businesses), which often lack the budget, knowledgeable IT personnel, UTM edge devices and a reliable method of protecting their data?
In our next installment, we will take a closer look at possible weak points in both enterprise settings and SMBs.