Ransomware like CryptoLocker is a game changer in the malware wars – and not in a good way

The rapid spread of CryptoLocker, an example of a malware category known as ransomware, is upping the stakes in the cyber security wars. I think it is a game changer.

Ransomware is malware that steals your data by encrypting it, and then demands a ransom to decrypt it. The latest breed of ransomware uses strong encryption, and the key to decrypt it is only held by the criminals. I have not heard of any successful decryption without paying the ransom.

Why a game changer? The first reason is that the consequences of infection are more severe than was the case with most previous attacks. Previously, your infected machine might send out spam and cause you problems by getting your genuine email blacklisted as well. Or you might have passwords to online accounts stolen, leading to fraudulent transactions where in most cases you can recover the cost from your bank. Or your machine might have to be wiped and applications reinstalled, which can be expensive if you need professional help as well as inconvenient when you have many applications to reinstall.

Malware like CryptoLocker is different. If the infection succeeds in encrypting data for which you do not have a usable backup, it gives you a difficult decision. Pay up, thus financing the criminals and perhaps making yourself a more attractive future target, or do not pay, and suffer the loss of whatever value that data has to you or your business.

That value may well exceed the ransom amount, which suggests that the rational thing to do in these circumstances is to pay up. That is risky though, not only because of the long-term consequences but also because there is no guarantee that it will work, or that the cost will not escalate. You are dealing with criminals after all.

Some people are paying. For example:

We paid as our client did not have new enough backups of the files. It encrypted 90,000 files in 5 hours, silently and then announced itself.

For reference, we researched this for 15 hours straight before paying and it really was the last resort.

Since this type of attack is highly profitable, it seems likely that we will see increasing frequency and variety of attacks, until the industry figures out the best way to counter the threat.

The best defence, of course, is not to get infected. The second best defence is to have a reliable disconnected backup. In general, data on servers or in the cloud is more likely to be protected, because it is more likely to be backed up or have a file history so you can revert to an earlier version; but bear in mind that malware executes with the same rights as the user, so in principle if you have the rights to modify data then the malware does as well.

Synchronisation services, now popular with applications like Dropbox and SkyDrive, can work against you if your encrypted documents are dutifully synchronised across all your devices, overwriting the good copies there too.
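The two points above, that a plain sync client faithfully propagates the damage while a service keeping file history lets you revert, and that the sudden replacement of readable files with ciphertext-like content is something a defender can detect, can be shown together. The following is an added illustration written for this post, not code from the original article, Sophos, or any product. The store model, the sample documents, and the random bytes standing in for ciphertext are all constructed; the entropy thresholds (7.0 and 6.0 bits per byte) are assumed values chosen for the demonstration.

```python
import math
import random
from collections import Counter, defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain text sits around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class FileStore:
    """Toy model of a synced folder (constructed for this example).

    keep_history=True  behaves like a service that retains earlier versions.
    keep_history=False overwrites in place, which is how a plain sync client
    dutifully propagates an encrypted file to every device."""

    def __init__(self, keep_history: bool):
        self.keep_history = keep_history
        self._versions = defaultdict(list)  # path -> [oldest, ..., newest]

    def write(self, path: str, data: bytes) -> None:
        hist = self._versions[path]
        if hist and not self.keep_history:
            hist[-1] = bytes(data)          # no history: the good copy is gone
        else:
            hist.append(bytes(data))        # history: the good copy survives

    def read(self, path: str) -> bytes:
        return self._versions[path][-1]

    def paths(self) -> list:
        return list(self._versions)

    def revert(self, path: str) -> bytes:
        """Restore the previous version; fails when no history was kept."""
        hist = self._versions[path]
        if len(hist) < 2:
            raise LookupError(f"no earlier version of {path} available")
        hist.pop()
        return hist[-1]


def find_scrambled(before: dict, after: dict, high: float = 7.0, low: float = 6.0) -> list:
    """Paths whose content went from readable (entropy < low) to
    ciphertext-like (entropy >= high). Many such files in a short window is
    the pattern a monitoring job or file-server alert can key on."""
    hits = []
    for path, old in before.items():
        new = after.get(path)
        if new is None:
            continue
        if shannon_entropy(old) < low and shannon_entropy(new) >= high:
            hits.append(path)
    return hits


def run_scenario(keep_history: bool):
    """Constructed scenario: five text documents are overwritten with random
    bytes standing in for ciphertext (no real encryption is performed).
    Returns (flagged paths, whether every document could be recovered)."""
    store = FileStore(keep_history)
    docs = {f"report{i}.txt": (f"Quarterly figures, section {i}\n" * 40).encode()
            for i in range(5)}
    for p, d in docs.items():
        store.write(p, d)
    before = {p: store.read(p) for p in store.paths()}

    rng = random.Random(1234)               # deterministic stand-in for ciphertext
    for p in docs:
        store.write(p, rng.randbytes(2048))
    after = {p: store.read(p) for p in store.paths()}

    flagged = find_scrambled(before, after)
    recovered = 0
    for p in flagged:
        try:
            if store.revert(p) == docs[p]:
                recovered += 1
        except LookupError:
            pass                            # plain sync: nothing to revert to
    return flagged, recovered == len(docs)


if __name__ == "__main__":
    print("file history:", run_scenario(keep_history=True))
    print("plain sync:  ", run_scenario(keep_history=False))
```

With history kept, all five files are flagged and all five are recovered by reverting one version; with plain synchronisation the same five files are flagged but none can be recovered, which is the difference between a versioned backup and a mirror. The entropy check is a heuristic only: compressed archives and media files are also high-entropy, so in practice it is combined with rate (how many files per minute) and with canary files that nothing legitimate should touch.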

Here are my immediate questions:

  • What is the most effective way to prevent infection? We are confronted with the failure of anti-virus products to protect effectively against new and rapidly mutating threats.
  • How much safer is a Mac? How much safer is Linux?
  • How much safer is Windows RT? (a lot)
  • How much safer is an iOS or Android tablet?
  • What action, if any, should system administrators take now to protect their users?
  • What will Microsoft do to protect its users?

It would not surprise me if this kind of threat drives the industry more towards locked-down operating systems, whether Windows RT, iOS or Android, to the extent that a full operating system like OS X or Windows x86 is only used by those who specifically require it.

For more information about CryptoLocker see for example:

Sophos: Destructive malware CryptoLocker on the loose