The rate of infectious emails has risen, says AppRiver, for the fourth consecutive month. "In the last 30 days, AppRiver’s spam filters quarantined 56.6 million emails that contained a virus as an attachment", said the company in a statement Monday. "And CryptoLocker is still the biggest piece of malware being trapped."
CryptoLocker is an advanced form of ransomware that has been wreaking havoc over the last few weeks. Earlier ransomware that threatened to encrypt victims' computers sometimes did and sometimes didn't do so; and sometimes used a form of encryption that could be broken. CryptoLocker is different – it really does encrypt victims' computers, and it uses public key encryption to ensure that the encryption cannot be broken nor the the data retrieved without access to the private key.
Once infected, victims have a stark choice: pay up, rely on having adequate back-up, or lose data. “Given the key arrests that were made involving the author of the Blackhole Toolkit, and given the fact that its use was the most widespread, it's natural to assume that there’d be a decrease in malware," comments Troy Gill, senior security analyst of AppRiver. "But that’s not been the case. Instead our intelligence confirms that the criminals that were using it simply jumped ship and moved on to a toolkit by the name of Magnitude and, very quickly, it was business as usual for them." That business seems to be largely CryptoLocker.
"So far," says AppRiver, "reports have stated that those who pay the ransom do in fact receive the promised encryption key and are returned access to their important files – although there have also been multiple reports of those who have paid and have not received the key."
"The source of infections is usually an e-mail, using social engineering tricks to fool the user into running and opening the attachment," PandaLabs' technical director Luis Corrons told Infosecurity. "This attachment is a ZIP file, password protected. The password is included in the message body of the e-mail."
Detecting and removing the actual malware is trivial for anti-virus companies. The problem is that the the criminals behind the malware keep changing the packer to obfuscate the malware. The danger then is that a user can activate the email attachment before the AV software is updated with the latest signature to detect and remove it.
It seems, however, that the criminals are now accepting 'late payment' for the decryption key; although the charge for a late payment rockets from $300 to $2000. The solution has to be to avoid infection in the first place. Failing that, Panda Security offers a new approach that combines traditional AV blacklisting (to protect the computer) with whitelisting technology called Data Shield (to protect the data)
"This technology not only protects your data against encryption attacks," explains Corrons, "it works in the same way against data theft attacks." Data Shield allows the user to specify files or folders to be protected from non-whitelisted applications or processes. "Anytime a process tries to access data on any of the protected folders, it won’t be allowed (unless it is a whitelisted application)," said Corrons. That whitelist will clearly not include any malware at all, not just CryptoLocker. "Anytime a non-whitelisted program tries to access those data, the user is asked whether they would like to allow it."
This Panda Security solution to new breeds of advanced malware highlights the view of security researchers such as Harley and Cluley: the solution to modern threats is to combine both blacklisting and whitelisting technologies. Failing this, suggests Gill, "the best thing you can do is to create hard backups of important files. This way if you become infected you can simply wipe your machine and start fresh."