In this article, I'm going to:
- Answer the ongoing question about the viability of a local solution
- Explain how Cryptolocker works in plain English
- Explain the real ways to beat it
To my credit, I'm probably one of the few techs in Albuquerque to beat Cryptolocker. I did so on a local Albuquerque business' computers. Let's call this business owner Bryan for simplicity. I've received a few emails from clients claiming that they've received email claiming Malware-Bytes Pro prevents Cryptolocker. More on that a little later. On with the questions!
1. Malware-Bytes Pro does not prevent infection. If it did, the Malwarebytes blog would be trumpeting their victory to the world. Instead, they're staring wide-eyed at the problem in an article entitled, Tracking the Locker.
2. Cryptolocker works so well because it makes perfect use of a technology we already have: encryption with perfect forward secrecy. Here's how Cryptolocker works in a single sentence. Unlike previous ransomware, Cryptolocker generates a unique crypto-key (password), uses the date and time to connect to a constantly changing set of Web sites to store that unique key, encrypts your files with the crypto-key, tells the Web site when it is done with its encryption, and deletes your computer's local copy of the crypto-key.
3. No anti-virus software will ever prevent you from installing software. They may warn you, but will never completely stop you. Luckily, I've got ways to prevent infection, as well as a foolproof method to kick Cryptolocker to the curb as I did with Bryan's infected system.
The real way to beat this attack is, as Bryan in his infinite wisdom implemented by my suggestion, an incrementally cycling backup which not only backs up files, but also makes version-specific backups of those files on a a regular basis. Bryan's bulletproof backup uses two Drobo drives, one at his house, and one at his office. I programmed these massive storage arrays to securely sync with each other so only simultaneous physical destruction of his home and business would have a chance at affecting his data. Now that's bulletproof backup! When his employee's system became infected, we merely looked at the computer's backup logs and found the backup just prior to infection. Next, we completely formatted the computer, re-loaded Windows, and restored the files on the fresh copy of windows with the clean copy of his backups.
Since not all businesses have Bryan's foresight, here's their chance to prevent Cryptolocker on any system so they have a chance to call Nerds Limited for a similarly excellent backup solution. Since Cryptolocker uses encryption to do its dirty work, the way to beat it is to install SRPPR (software restriction policy path rules) to prevent newly installed applications from implementing their own encryption. Pretty cool, eh?
FoolishIT LLC was kind enough to create a free utility called CryptoPrevent that automatically adds the suggested Software Restriction Policy Path Rules to your computer. Here's how the installation looks when you run it:
A new feature of CryptoPrevent is the option to white-list any existing programs in %AppData% or %LocalAppData%. This is a useful feature as it will make sure the restrictions that are put in place do not affect legitimate applications that are already installed on your computer. To use this feature make sure you check the option labeled Whitelist EXEs already located in %appdata% / %localappdata% before you press the Block button.
This is something you should have a tech do for a larger office as some apps need encryption and needed to be added as white-listed.
Since Cryptolocker uses the date and time of infection to store the crypto-key, business who use OpenDNS' Umbrella service are virtually immune to Cryptolocker because it won't begin encrypting your files until it has successfully stored the crypto-key on a randomly generated Web site. They're out to make money, not destroy data. Since DNS is the way a computer resolves a Web site, when a new crypto-key site is created, OpenDNS is the service used to resolve that domain name. For example, google.com gets looked up by DNS to tell your browser Google's IP address. The same is true for Cryptolocker.
So what's the difference you ask? With Open DNS's Umbrella service for businesses, all the Web sites looked up by your business are looked up through OpenDNS which logs them and can very quickly prevent connections to bad, Cryptolocker sites. For more about how OpenDNS' Umbrella works, take a look at this page.
If you're a business in Albuquerque and are worried about Cryptolocker, call Nerds Limited for a real solution to this rapidly spreading, highly destructive infection. We never charge for phone time and would love to help! Call or text any time: