CryptoLocker Goes SpearPhishing
You may be familiar with a site called Spiceworks. They have free system admin and network management software, and their business model is advertising to the hundreds of thousands that use the software. Their forums are a great indicator of what happens in the trenches of defending against malware. One thread that is incredibly popular has the title: "We fought a cryptovirus (and the virus won)."
The discussion goes on for many pages and indicates the level of worry about this new wave of ransomware. Another indicator is Google Trends, where the term CryptoLocker is currently at "100", the value that represents peak search interest, which suggests that the level of infections out there is going up.
It looks like the CryptoLocker gang is ratcheting up their attack level, probably as a response to competition from the CryptoBit and CryptoDefense gangs. The latest infections are caused by emails sent to companies that have job postings on Craigslist. The bad guys look for job postings and send resumes carrying the CryptoLocker malware as a payload.
The moment anyone opens these resumes, the ransomware kicks in and downtime is the result. The problem is that the people involved with hiring are very often the people with the most access: the owner, CEO, HR or department heads.
Meanwhile, a fourth ransomware strain is doubling in size. Researchers at Damballa Threat Research wrote on their blog that the number of Kovter infections doubled over the last month from 7,000 to 15,000 infections. These guys use the worst kind of shock to make people pay, in the form of first displaying child pornography and copying it to the victim's drive before encrypting their system and holding it hostage. Yikes.
How long recovery takes depends largely on how you have organized your backups, but judging from the reports of mitigating the many "crypto" infections, it takes from a few hours to a few days, and it varies from an annoyance to significant losses because of lost files and lost time. The United States Computer Emergency Readiness Team (US-CERT) has a page about CryptoLocker and how to prevent it. Please note points 4, 5 and 6: http://www.us-cert.gov/ncas/alerts/TA13-309A
I am quoting one of the Spiceworks comments, made by Andrew-VEC on page 7: "If you enable Software Restriction Policy in GPO and utilize your AV product's application whitelisting feature, you will have reduced significantly the attack surface for most forms of malware. It can be annoying as you build restrictions for programs that don't install into Program Files or that launch off of CD, but knowing that a typical end user won't be able to run arbitrary programs creates peace of mind in protecting the network.
"You just need to employ typical best practices: LUA model, software restrictions, web filtering, AV filtering at the gateway, deep packet inspection on hosted services, encryption of protected files at rest and in motion, share access restrictions, data loss prevention techniques, and testing of backups/restores. Of course, always keep on the training. Your weakest point in any security model is the person who touches the keyboard."
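As an added example (not code from this blog or from the quoted Spiceworks commenter), the following PowerShell script checks whether the Software Restriction Policy that the comment recommends has actually applied to a workstation: it reads the SRP policy location in the registry and reports the default security level, enforcement settings and path rules. It assumes the standard machine-level policy key and an elevated session run after gpupdate; hash and certificate rules are not listed.

```powershell
# Added example: audit the applied Software Restriction Policy (SRP).
# Assumes the standard machine-level SRP policy key under HKLM; run elevated.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

if (-not (Test-Path $base)) {
    Write-Output 'No machine-level SRP policy found: users can run arbitrary programs.'
    return
}

$policy = Get-ItemProperty -Path $base

# DefaultLevel: 0 = Disallowed (whitelist mode), 0x40000 (262144) = Unrestricted
$default = switch ($policy.DefaultLevel) {
    0       { 'Disallowed (whitelist mode: only rule-approved software runs)' }
    262144  { 'Unrestricted (only explicit deny rules apply)' }
    default { "Unknown ($($policy.DefaultLevel))" }
}
Write-Output "SRP default level : $default"
# TransparentEnabled: 1 = all software except libraries (DLLs), 2 = all software files
Write-Output "Enforcement       : $($policy.TransparentEnabled)"
# PolicyScope: 0 = all users, 1 = all users except local administrators
Write-Output "Policy scope      : $($policy.PolicyScope)"

# Path rules live under <base>\<level>\Paths\<GUID>, each with an ItemData value.
$levels = @{ 0 = 'Disallowed'; 262144 = 'Unrestricted' }
foreach ($level in $levels.GetEnumerator()) {
    $pathsKey = Join-Path $base "$($level.Key)\Paths"
    if (-not (Test-Path $pathsKey)) { continue }
    Get-ChildItem -Path $pathsKey | ForEach-Object {
        $rule = Get-ItemProperty -Path $_.PSPath
        Write-Output ('{0,-12} {1}' -f $level.Value, $rule.ItemData)
    }
}
```

If the default level reports Unrestricted, end users can still launch executables from any location not covered by an explicit Disallowed rule, which is the gap the comment's whitelisting advice is meant to close.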
Obviously I agree 100% with this. Stepping your users through effective education will make them think twice before they click on a link or open a possibly infected attachment. Get a quote now for the highly effective Kevin Mitnick Security Awareness Training. Click on the orange button at the right side of the screen to find out how affordable it actually is!
PS: If your antivirus product does not have a whitelisting feature, consider taking a look at the MalwareShield Beta, which will block any crypto virus. This is the page where you can download the (early) beta: http://www.knowbe4.com/malwareshield-betadownload/