The Problem with - and Genius of - CryptoLocker

If I had to venture a guess, I’d say that in the last five weeks roughly half of our commercial business has been dealing with victims of a CryptoLocker attack. Big businesses or small, some common themes have emerged:

  1. The Myth of Forensics
  2. The Reality of Human Nature
  3. The Value of Backups

The Myth of Forensics

Most of our customers are not entirely without knowledge of computer security and incident response practices, and inevitably someone has heard from a guy who knows a guy who read in a magazine once that you can recover crypto keys from live memory. That is often true, but not with CryptoLocker: the key pair is generated on the attackers’ server and only the public half is ever sent to the victim’s machine. The private key that would decrypt the files never leaves their control, so a memory image of the infected workstation does not contain it. Forensics can do a lot, but it cannot undo a CryptoLocker infection. Absent complete, incremental backups with snapshot-in-time capability (more on that in a second), your only real option is to pay the ransom.

The Reality of Human Nature

It wasn’t quite the “hacker” vs. “cracker” definition battle of the 90s, but it wasn’t that long ago that computer security luminaries were arguing about the value and utility of end-user security training. Any such program would of course include a block of instruction on “not clicking on email attachments that are the slightest bit dodgy,” but CryptoLocker crafts its emails and attachments to look as benign as possible. A .WAV voicemail attachment that appears to come from the company’s own Cisco phone system is one approach, and who among us hasn’t had it hard-wired into us that such a file is obviously legitimate because, well, it came from our own phone system? Even the best phishing training regimen cannot overcome human nature 100% of the time, and in the end you are faced with the prospect of having to pay a ransom.

The Value of Backups

The best defense against CryptoLocker has nothing to do with security and everything to do with basic, sound IT practices. With one exception, every victim we’ve dealt with simply assumed their backup system was working. Usually it wasn’t. Sometimes it was, but the interval between backups left a gap wide enough that the business was going to take a serious productivity and financial hit anyway. In the remaining cases the backups lived on a network share the infected workstation could reach, and CryptoLocker encrypts files on mapped network drives right along with the local ones, so the backups were found and encrypted alongside the ‘live’ files. Except for the customer that set up and verified its backup scheme, everyone ended up paying the ransom.
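The two failures above, an unverified backup and a backup sitting on a reachable share, can both be caught with a restore drill: take a manifest of the live data at backup time, then prove later that a restored copy matches it byte for byte. The script below is an added example written for this page, not a tool the post describes. It builds a small constructed data set in a temporary directory, keeps one backup copy on the same "share" as the live files and one copy offline, simulates the malware by overwriting every file it can reach, and then verifies both copies against the manifest. All paths and file names are made up for the demonstration.

```python
"""Backup restore drill against a ransomware-style overwrite.

Added example for this page; not CryptoLocker code and not a vendor tool.
The sample files, directory names and the simulated malware are constructed
here so the script runs offline.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root.

    This is the snapshot-in-time record: take it when the backup is made and
    store it somewhere the workstations cannot write to.
    """
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(expected: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    Returns {relative_path: problem}; an empty dict means every file came
    back intact. Missing files and changed content are both failures.
    """
    problems = {}
    for rel, digest in expected.items():
        p = restored_root / rel
        if not p.is_file():
            problems[rel] = "missing"
        elif sha256_of(p) != digest:
            problems[rel] = "content differs"
    return problems


def simulate_cryptolocker(reachable_root: Path) -> int:
    """Stand-in for the malware: overwrite every file under the tree it can
    reach with opaque bytes. Mirrors the post's point that a backup on a
    reachable share is just another set of files to encrypt. Returns the
    number of files clobbered.
    """
    count = 0
    for p in reachable_root.rglob("*"):
        if p.is_file():
            original = p.read_bytes()
            p.write_bytes(b"LOCKED:" + os.urandom(len(original)))
            count += 1
    return count


def run_drill() -> tuple:
    """Build the constructed data set, back it up twice, attack the share,
    and verify both copies. Returns (files_clobbered, offline_problems,
    on_share_problems)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed "live" data on a share the workstation can write to.
        live = Path(tmp, "share", "live")
        live.mkdir(parents=True)
        (live / "q3.xlsx").write_bytes(b"constructed sample spreadsheet")
        (live / "contracts").mkdir()
        (live / "contracts" / "acme.docx").write_bytes(b"constructed sample contract")

        snapshot = manifest(live)  # taken at backup time, kept off the share

        # Copy 1: the mistake seen in the post, a backup on the same share.
        on_share = Path(tmp, "share", "backup")
        shutil.copytree(live, on_share)
        # Copy 2: a backup the infected workstation cannot reach.
        offline = Path(tmp, "offline_backup")
        shutil.copytree(live, offline)

        clobbered = simulate_cryptolocker(Path(tmp, "share"))
        return clobbered, verify_restore(snapshot, offline), verify_restore(snapshot, on_share)


if __name__ == "__main__":
    n, offline_ok, share_ok = run_drill()
    print(f"files overwritten on the share: {n}")
    print(f"offline backup problems: {offline_ok or 'none'}")
    print(f"on-share backup problems: {share_ok}")
```

Run the same `manifest` and `verify_restore` pair as a scheduled job against a real backup target, restoring to scratch space rather than over the live data, and treat any non-empty result as a backup outage. The copy that passes is only worth anything if the workstations cannot write to it: pull the backup from the backup host, or snapshot it, instead of pushing it to a share the users have mapped.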

“Raising attacker costs” is a popular mantra among computer security talking heads these days, but no one is seriously attempting to make it a reality except those working at the appropriate scale. Inevitably those espousing the approach are really calling for a greater investment on the part of the victim (on top of whatever unexpected IR costs they just paid) to procure yet another proprietary “prevention” system that will eventually fail.

The genius of CryptoLocker is that it is not raising attacker costs; it is “reducing the expense of response.” I’ve promoted this approach before (and have a vested interest in a particular, legitimate, approach), and as twisted as this may sound, CryptoLocker perfectly illustrates my point. No company, regardless of reputation or pedigree, has a team that can help you avoid paying the ransom. More to the point: no security company pitching a traditional incident response to CryptoLocker works as cheaply as the ransom itself.

You may find the idea of paying a ransom distasteful (or worse). I know there is no shortage of security practitioners who think paying the ransom only encourages more bad behavior, but absent a perfectly executed backup scheme (or a time machine) there isn’t an alternative. The people behind CryptoLocker are in business: they are sensitive to price and believe in customer service. As a victim of a CryptoLocker infection you have to strip away emotion and view this as a business deal.

Update: Please read our CryptoLocker FAQ to learn more.