CryptoLocker: A Risk, Concern for Data Driven Organizations

Aditya Gopal Tiwari


Introduction

In today's digital era, the internet has brought convenience to the banking, finance and health sectors. One can pay bills from any part of the world within seconds, given a connection to the web. Young students are pushed towards tablets, online courses and online submissions. Governments are digitalizing their offerings to deliver services to every citizen, however remote, through modern technology. While we push ourselves towards this handiness, we become susceptible to not one but many threats. Data is everything in today's world; the phrase "Knowledge is power" is on par with "Data is power". Kidnappers asking for ransom in exchange for a hostage have these days been replaced by ransom demands for data, files and sensitive information. More shocking still, 40% of people today end up paying the ransom to the cybercriminals who steal their data. The threat to one's data and privacy, often personal files or information, forces one to pay the ransom amount stated by the cybercriminals. It is not just individuals: the number of organizations affected by ransomware is greater than the number of individuals.

Ransom is a well-known term in society, but the topic we are going to discuss and survey in depth today is crypto ransomware. What is crypto ransomware? Crypto ransomware, also known as CryptoLocker, is a malware threat that looks for files on the computer to infect. It uses encryption techniques that make it difficult for the user or file owner to access his or her own data. CryptoLocker is a category of ransomware that extorts money from people in exchange for data it holds hostage by encrypting it: if the user wants to access the data or file, the business model of CryptoLocker is to make money out of it. Before we dive into CryptoLocker, we will take a step back to understand how ransomware works and the types of ransomware, the sources through which it infiltrates machines, and finally the current issues arising from CryptoLocker.

Ransomware installs itself secretly on the victim's machine. It can be broadly classified into two types. The first is the cryptoviral extortion attack, where the end user's data is locked using encryption algorithms and the user is forced to pay a ransom in order to access or decrypt his or her own data. The second is the cryptovirology leakware attack, where the attacker threatens to expose or publish the victim's data. Attackers abuse encryption algorithms to create malware that locks down the victim's data, making it inaccessible. One common technique used by ransomware attackers is to target the victim's entire hard drive. Another is locking down the master file table (MFT); an attack on the MFT can be catastrophic, as the MFT is the directory that records the locations of files in an NT file system. This denial of service (DoS) frustrates the victim by denying them the right to access their own files or data. Encrypted data needs a decryption key, and without that key it is practically infeasible for the victim to decrypt the data. While encryption was created to secure data, this is an unfortunate abuse of the encryption mechanism.

Summary

Ransomware is installed on the victim's computer with the help of a disguised payload that appears to be a normal file. These Trojans, disguised as legitimate files, can be hard to spot. While there are measures to stop ransomware attacks, the approach is often not proactive. As per the statistics, around 80% of ransomware attacks exploit vulnerabilities in Flash that have not been patched. Ransomware can spread across a network by itself and infect every connected node, so an entire company's data can be held hostage if such a mishap occurs. The way CryptoLocker enters a system is no different: it is very capable of entering a secured network through emails, downloadable content from the web, file-sharing sites, and so on. Several new versions of this malware are known to bypass firewall and antivirus technologies. Once the code executes, it encrypts data files on network shares and on personal and commercial desktops. The preventive measures meant to block such malware clearly fail, which calls for better techniques to handle and deal with some of the underlying issues.

CryptoLocker is a serious concern for data-driven organizations. When CryptoLocker executes, it maps all the media drives that the host computer is connected to, looking for various types of files and folders. It then renames the files and encrypts them, according to the level of permission the host user holds. CryptoLocker uses the asymmetric algorithm RSA with a 2048-bit key to encrypt the data files: the public key is used to encode the data, and the attacker holds the unique private key, which is needed to decrypt the file or data. CryptoLocker appends an extension to each file, such as .encrypted, .CryptoLocker or .(7 random characters). Lastly, the malware generates a file in every set of compromised directories, associating it with a web page along with instructions that follow for paying in cybercurrency. DECRYPT_INSTRUCTIONS.txt and DECRYPT_INSTRUCTIONS.html are the residue files left behind with these instructions. The CryptoLocker malware displays a screen with warnings that the data will be destroyed if the user does not pay. Since this is a Trojan, it is not self-replicating; however, once downloaded it can infect the system. It is very difficult to detect this virus, as it can even appear as a regular *.pdf or *.doc attachment to an email. Several websites prompt you to download extensions and software which are disguised malware. Antivirus can remove these viruses; however, antivirus cannot recover the encrypted data. Astonishing as it sounds, there have been instances where users reinstalled the virus on their systems, the reason being that they were otherwise unable to decrypt their data. To date, only Windows operating system computers are affected by this virus. As per the survey, CryptoLocker affected approximately 500,000 users through 2013-2014. "Operation Tovar", a set of security specialists who worked with the FBI and security agencies, was able to halt the attackers (Cindy Ng, 2018).

How to prevent CryptoLocker?

Limit access control. The more data a user has access to, the greater the likely damage in the event of a malware infiltration. Organizations should therefore revisit how they assign and restrict user access. This is an important step, as it can greatly limit the scope of an attack and the amount of data compromised, and it minimizes the threat from both internal and external actors. Another vulnerable target for attackers is shared folders whose access rights are set for all authenticated users, all users on the domain network, everyone, and so on. These common practices, or rather mistakes, can take a big toll on companies, as they expose the entire hierarchy to every actor in the system. Global access to open shares should be carefully monitored and assessed. Although there are technologies available to eradicate global access groups, creating a new user and scanning the open shares with Windows commands is a no-brainer.

How to detect CryptoLocker?

Monitor file activity on the compromised systems. An infected system generates a large number of open and modify operations within a very short time, at a high pace. For instance, if at a given time a single user is responsible for modifying a large number of files, the obvious conclusion is that the activity is automated. We can configure our monitoring tools to escalate or raise alerts when such behaviour patterns are detected.

Conclusion

In today's world of growing data and data-driven organizations, data is the most important asset. Although many businesses rely on information and data, these organizations have not designed or audited enough measures to ensure that their data is safeguarded. Organizations need to train their employees to practice safe clicking. Sensitive files that are altered must be closely monitored. Access control rights need to be revisited and assigned narrowly rather than made available to everyone. Users must make sure they share their files and folders only with authenticated users. Global access to shared folders should be revoked and delegated only to the actors who need it. Triggers that raise escalations and notifications to IT security are a good place to start. Furthermore, there can be a limit on the files or data a single user can modify. Lastly, backing up data at regular intervals and encrypting the data are important steps in ensuring that lost data can be recovered without paying a ransom for the hostage data.
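The prevention section recommends revisiting user access and scanning shared folders for global access groups (everyone, all authenticated users, all domain users). The following Python script is an added example, not part of this paper and not a Windows tool: it runs over constructed share ACL records shaped like the output of the Windows Get-SmbShareAccess cmdlet, and over constructed group memberships (the CORP domain and the accounts CORP\alice and CORP\bob are invented), flags shares writable by a global group, and computes which shares a single compromised account could write to, and therefore encrypt.

```python
"""Audit share permissions for global-access groups and estimate the blast
radius of one compromised account.

Added example, not part of the original paper. The share ACL records are
constructed to resemble what the Windows `Get-SmbShareAccess` cmdlet reports
(share, account, Allow/Deny, access right); the group memberships and the
names CORP\\alice and CORP\\bob are constructed as well.
"""

# Groups that effectively mean "every account on the domain" (the paper's
# "all authenticated users, all users on the domain network, everyone").
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users", "Users"}

# Share-level rights that allow creating, modifying or renaming files, i.e.
# the rights ransomware running as that account would need.
WRITE_RIGHTS = {"Change", "Full"}

# Constructed ACL records: (share, principal, access type, right).
SHARE_ACL = [
    ("Finance",  "CORP\\Finance-RW",       "Allow", "Change"),
    ("Finance",  "Everyone",               "Allow", "Read"),
    ("Public",   "Everyone",               "Allow", "Full"),
    ("HR",       "CORP\\HR-Staff",         "Allow", "Change"),
    ("HR",       "Authenticated Users",    "Allow", "Change"),
    ("Backups",  "CORP\\Backup-Operators", "Allow", "Change"),
    ("Backups",  "CORP\\Domain Users",     "Deny",  "Change"),
    ("Projects", "CORP\\Domain Users",     "Allow", "Change"),
]

# Constructed group membership per user (explicit groups only; the implicit
# Everyone / Authenticated Users membership is added in effective_write_shares).
MEMBERSHIP = {
    "CORP\\alice": {"CORP\\Domain Users", "CORP\\Finance-RW"},
    "CORP\\bob":   {"CORP\\Domain Users"},
}


def short_name(principal):
    """Strip a DOMAIN\\ prefix so 'CORP\\Domain Users' compares as 'Domain Users'."""
    return principal.split("\\", 1)[-1]


def global_write_shares(acl):
    """Shares where an Allow entry gives a global group write access.

    Returns {share: sorted list of offending group names}.
    """
    found = {}
    for share, principal, access, right in acl:
        if access == "Allow" and right in WRITE_RIGHTS and short_name(principal) in GLOBAL_GROUPS:
            found.setdefault(share, []).append(short_name(principal))
    return {share: sorted(groups) for share, groups in found.items()}


def effective_write_shares(user, acl, membership):
    """Shares the given account can write to, with Deny taking precedence over Allow.

    Assumption: any logged-on domain account is implicitly a member of
    Everyone and Authenticated Users, as on Windows.
    """
    principals = {short_name(user)} | {short_name(g) for g in membership.get(user, set())}
    principals |= {"Everyone", "Authenticated Users"}
    allowed, denied = set(), set()
    for share, principal, access, right in acl:
        if short_name(principal) in principals and right in WRITE_RIGHTS:
            (allowed if access == "Allow" else denied).add(share)
    return allowed - denied


def report(acl, membership):
    """Human-readable audit summary: open shares first, then per-user blast radius."""
    lines = []
    for share, groups in sorted(global_write_shares(acl).items()):
        lines.append(f"OPEN SHARE {share}: writable by {', '.join(groups)}")
    for user in sorted(membership):
        shares = sorted(effective_write_shares(user, acl, membership))
        lines.append(f"{user} could encrypt {len(shares)} share(s): {', '.join(shares)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SHARE_ACL, MEMBERSHIP)))
```

The Deny entry on the Backups share shows why the audit has to resolve effective access rather than just grep for "Everyone": the Domain Users deny removes Backups from every user's blast radius even though the group is otherwise global. Each line in the OPEN SHARE part of the report is a share whose global Allow entry should be replaced by a specific group, which is the access-control change the paper's conclusion calls for.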
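The detection section describes the signal to alert on: one account opening and modifying an abnormal number of files in a very short time. The following Python script is an added example, not from the paper: it parses constructed file-server audit lines (the line format, the server name fs01, the user names and the thresholds are all assumptions), keeps a 60-second sliding window of write operations per user, and raises an alert when the count exceeds the threshold or when a file is renamed to one of the extensions the paper lists.

```python
"""Rate-based detection of mass file modification, the CryptoLocker signal the
paper describes: one account touching an abnormal number of files in a very
short time, or renaming files to a ransom extension.

Added example, not part of the original paper. The audit-log format, the
sample events, the server name fs01 and the thresholds are constructed for
illustration; a real deployment would read its file server's own audit events.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Extensions the paper lists as appended by CryptoLocker (compared lower-case).
RANSOM_EXTENSIONS = (".encrypted", ".cryptolocker")

# Constructed log format: ISO timestamp, user, operation, path[, new name].
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>OPEN|MODIFY|RENAME) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)

WINDOW = timedelta(seconds=60)   # sliding window length (assumed)
MAX_WRITES_PER_WINDOW = 50       # writes by one user within WINDOW that trigger an alert (assumed)


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect(lines):
    """Return a list of (timestamp, user, reason) alerts, at most one per user per reason."""
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of write ops inside the window
    flagged = set()               # (user, reason) already reported
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    for ev in events:
        user, ts, op = ev["user"], ev["ts"], ev["op"]
        # High-confidence indicator: a file renamed to a known ransom extension.
        if op == "RENAME" and ev["new"] and ev["new"].lower().endswith(RANSOM_EXTENSIONS):
            key = (user, "ransom-extension")
            if key not in flagged:
                flagged.add(key)
                alerts.append((ts, user, f"renamed a file to {ev['new']}"))
        # Behavioural indicator: too many writes by one account within the window.
        if op in ("MODIFY", "RENAME"):
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > WINDOW:
                q.popleft()
            key = (user, "mass-modify")
            if len(q) > MAX_WRITES_PER_WINDOW and key not in flagged:
                flagged.add(key)
                alerts.append((ts, user, f"{len(q)} writes within {WINDOW.seconds}s"))
    return alerts


def build_sample_log():
    """Constructed audit lines: alice edits five spreadsheets over ten minutes,
    while bob's session rewrites and renames 80 documents in 40 seconds."""
    t0 = datetime(2019, 3, 4, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(5):
        ts = t0 + timedelta(minutes=2 * i)
        lines.append(f"{ts.isoformat()} user=CORP\\alice op=MODIFY path=\\\\fs01\\Finance\\report{i}.xlsx")
    for i in range(80):
        ts = t0 + timedelta(seconds=i // 2)
        lines.append(f"{ts.isoformat()} user=CORP\\bob op=MODIFY path=\\\\fs01\\Projects\\doc{i}.docx")
        lines.append(f"{ts.isoformat()} user=CORP\\bob op=RENAME path=\\\\fs01\\Projects\\doc{i}.docx "
                     f"new=doc{i}.docx.encrypted")
    return lines


if __name__ == "__main__":
    for ts, user, reason in detect(build_sample_log()):
        print(f"{ts.isoformat()} ALERT {user}: {reason}")
```

On the sample log the script raises two alerts, both for CORP\bob: the extension rename fires on the first renamed file, and the rate alert fires once the account's 51st write lands inside the 60-second window; alice's normal editing never gets close. The threshold is the knob the paper's conclusion calls a limit on what a single user can modify, and it should be tuned against each file server's baseline before an alert is wired to an escalation.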

References

David Gibson (2017). How to Detect and Clean CryptoLocker Infections. Retrieved from:
Cindy Ng (2018). Ransomware Guide and Protection. Retrieved from:
Azad Ali (2017). Ransomware: A Research and A Personal Case Study of Dealing With This Nasty Malware. Retrieved from:
Segun I. Popoola, Samuel Ndueso John (2017). Ransomware: Most Recent Threat to Computer Network Security. Retrieved from:
Keith Jarvis (2015). CryptoLocker Ransomware. Retrieved from:
Juliana De Groot (2019). A History of Ransomware Attacks: The Biggest and Worst Ransomware Attacks of All Time. Retrieved from:
