Cryptolocker & Security

By Jeremy Koellish, COO

How do you get cryptolocker-that nefarious malware that took down an LA hospital as well as your uncle’s dog walking business? Well, I’ll tell you. And I’ll also tell you how to avoid it, and what we, as an MSP, do to protect our clients from it. So gather around – this is about to get interesting.

#1 Way to get Cryptolocker: Drive by Ads

You know those display ads with flashing weird facial expressions that make you look and then encourage you to refinance your home or reduce your belly fat? Yeah, those ones. Sometimes attackers hide malicious code behind display ads, even ones found on reputable sites. It’s called malvertising (clever, right?) and you don’t have to actually click on them to have them start working – often the virus or spyware just starts running in the background. Nasty, right?

In order to imbed the bad code behind the ads, hackers exploit weaknesses in the browser plugins used to display the ads – usually Java. And Java makes it easy to be exploited by requiring constant updates to keep ahead of hackers, but since updating to the newest version of Java does not remove the older versions, the weak spots remain even after the update. So when Java updates rollout we automatically clean out the older versions to remove all of the weaknesses for our clients. We also employ security patches, web filtering and broad anti-virus protection for our clients.

#2 Way to get Cryptolocker: Email Attachments

You get an email from someone that may or may not seem legit and there is a .docm file attached. Seems harmless enough – how could a Word document have a virus in it? Well, it doesn’t. What happens is that once the doc is opened, Word will prompt you to ‘please enable macros’ which triggers a Trojan event resulting in a cryptolocker attack.

For these types of attacks, you are your own best first line of defense- when in doubt don’t click that attachment! After that, to support our clients, we keep the majority of malicious emails out of our clients’ inboxes by blocking macros when applicable and employ email filtering.

#3 Way to get Cryptolocker: Compromised Remote Desktop Protocol AKA The BIG One

Do you have employees who work remotely and access your network via RDP? If so you need to be sure you are not leaving your server wide open for hackers (covered here by our Senior Engineer, Ruby). But in a nutshell, here’s how it works: By taking advantage of weaknesses in your firewall due to direct RDP setup, hackers give themselves admin rights to your server and infect it your entire network. These are the $15,000 ransom attacks you hear about where the hacker holds all of your data – and all of the leverage if you don’t have backups.

When setting up RDP for clients, we secure servers with a Virtual Protected Network (VPN) to avoid man in the middle attacks such as these as well as employ SSL encryption. And beyond that, be your own hero: pick complex passwords and cycle them out, and when in doubt, resist the click.

Follow Jeremy on Twitter @JKoellish for more insights, How To’s and IT Humor