Is Your Business Impacted by the Cryptolocker Virus?
972-668-3130
"A Veteran Owned and Operated Business"

Has Your Business Been Impacted by a CryptoLocker Virus?

January 4, 2018 - By: Derek Veillon

Despite the enormous publicity surrounding the staggering losses created by CryptoLocker and its variants, few small businesses have taken steps to prevent it. In this article are some of the best ways to avoid lost revenues and other negative results of ransomware infections.

Know the Facts of CryptoLocker

Despite common misconceptions, CryptoLocker and similar malware spreads through certain methods such as:

  • Opening a ZIP file from a spam email that’s disguised as normal correspondence
  • Drive-by downloads that occur without clicking a link or an acceptance button
  • Pop-up ads

Once the machine is infected, CryptoLocker takes the following steps.

  • It creates an autostart registry entry that hijacks the .exe file extension, so programs delete shadow copies and prevent local restoration.
  • It finds and communicates with command/control servers to get a public encryption key for the machine’s data.
  • It scans network and physical drives for common file extensions and encrypts those files, making them completely unusable.

The machine’s user then sees a ransom screen that demands the payment of a certain amount of bitcoin within 72 hours, in exchange for a private decryption key. Much of the public is unaware of the risks of CryptoLocker, and most malware removal tools will remove it, but the files will remain inaccessible.

    

Block .exe Files in MS Office 365

The most effective way to block the virus in Office is to block all attachments containing .exe files. Take the following steps:

  • Log into Office under administrator privileges
  • Click Exchange under the admin menu on the left
  • Click the Mail Flow option
  • Create a rule that blocks executable content
  • Click More Options to see available rule options
  • Apply the new rule to all attachments with executable content

Now these messages will be deleted without notification. While Office 365 makes up about 70% of the Internet’s email services, similar options are available in other spam filters. There’s no real reason to get .exe files by email, but exclusion conditions are available.

Turn On Filtering for Malicious Websites

Filtering is a bit controversial because many apps show a continuous connection, making it impossible to find out how long someone has been online. There may be conflicts between business and personal activities, but the desire to avoid malware is universal. Therefore, most firewalls offer categorical web filtering that automatically blocks sites known to be risky.

Use Cloud Management to Protect Devices

Today, people do just as much work away from the office as they do while there. This means that onsite antivirus and software update systems can’t provide up-to-the-minute protection for most users. With cloud management services, security policies are automatically enforced and updates are pushed to devices whenever they connect to the internet. Furthermore, users can see each device’s real-time status to run malware scans, pinpoint infections, and perform full wipes.

Take Away Local Administrator Privileges

Somewhat surprisingly, some business apps still require users to have administrator privileges. Nevertheless, most users shouldn’t be in a local machine’s admin group; this prevents apps from running without the proper authorization. Users should have to enter a local admin username and password to install new software. While this is inconvenient, it can prevent malware and inadvertent system changes that can do immense damage. Local admin passwords can be changed as necessary, and advanced permissions can be granted on an as-needed basis.

Turn on System Restore

With system restore points, users and system owners can recover from bad driver updates and malware. Access it by opening the System Protection menu, which is in the Control Panel. System Protection is another important option; it has to be activated under the Configure menu. By rolling back to an earlier restore point, users can efficiently and quickly remove malware.

Implement Software Restriction Policies

Since CryptoLocker first became a problem back in 2013, a surprising number of enterprises haven’t formed software restriction policies to prevent it. Start by creating a group software restriction policy that blocks %LocalAppData%\*.exe files. This step requires testing, but it’s likely that the policy should be applied domain-wide. While users may have to use GPUPDATE /FORCE, restart a machine several times, or wait a day for the restrictions to take full effect, these restrictions are beneficial in preventing virus outbreaks.

Set Up AppLocker for the Environment

AppLocker provides enhanced restriction policies that are based on a file’s attributes, such as version, publisher, and digital signature. Policies can be deployed by user or security group, and they can be managed via PowerShell. There’s a step-by-step guide that covers the most common scenarios, and Microsoft Virtual Academy has plentiful resources as well.

Avoid OneDrive Syncing

As many have found, it’s not very practical to sync large amounts of data at regular intervals. If OneDrive files or other cloud data are synced to a local machine, it becomes vulnerable to CryptoLocker infection. When current apps such as MS Office are opened, OneDrive is one of the open locations. OneDrive can be added to a Favorites menu, and the link is a URL that’s inaccessible to CryptoLocker.

Put Data in SharePoint Online

Just as in the example above, data stored in a SharePoint Online document library is accessed via a URL rather than a drive letter. Not only is it inaccessible to CryptoLocker and similar viruses, the data can be used in Explorer just like any other folder. With SharePoint, users can find out when a file was last accessed and/or modified, and by whom, and they also get change alerts and previous versions. Data is more accessible, and users escape the tedious job of updating and maintaining another server.

Set Up SAN Snapshots

If a user has over a terabyte of data, they should consider a SAN, or storage area network. Apart from providing central storage for diverse servers, users get faster file access and easier storage expansion. Unlike a shadow copy held on a server, a SAN snapshot can’t be infected by a virus. With SAN snapshots, it’s easier to perform restorations and recover from CryptoLocker. These snapshots simplify compliance with schedule retention requirements and they use less storage than local copies. Furthermore, they can be replicated externally for additional protection.

Ensure Complete Retention and Backup

Because of the simplicity of online backup, many users don’t learn what’s being done or what they get for the price they pay. Many providers, to lower costs, perform limited backups without retention. In many cases, restoration tasks either fall to the customer or are separately billed. When CryptoLocker strikes, an unknowing user may find that restored data is a combination of files created since the online backup process started. Here, restoration can take several days rather than a few hours. To prevent CryptoLocker damage and other related difficulties, choose a comprehensive backup and retention solution.

Put These Strategies Into Play

When users implement the above strategies, they can prevent revenue losses and other damages associated with a CryptoLocker infection. If a small business owner needs help, they can contact a reputable IT company for advice and service.