Cryptolocker Attacks, Ransomware Target Small Businesses: Cisco


Cryptolocker, the notorious ransomware threat that encrypts computer files and extorts payment from a victim for the decryption key, is increasingly infecting small businesses' systems, according to researchers at Cisco Systems Inc.

The encrypted file types that Cisco researchers have examined appear to be QuickBooks accounting files, small databases and other application file types that indicate infections are spreading beyond consumer PCs. The ransomware's makers are spreading Cryptolocker in a "shotgun-style blast," as part of an effort to infect as many victims as possible, said Jaeson Schultz, a threat Research Engineer for Cisco's Threat Research Analysis and Communications (TRAC) team.

"These guys are using botnets and are hitting our spam traps pretty hard," Schultz said. "We're seeing more small businesses with their systems connected to the Internet."

[Related: Cryptolocker: 5 Ways To Defend Against Ransomware Threats]

In a briefing with reporters on Monday, Cisco researchers said ransomware attacks, a longstanding problem, have grown significantly in 2013. The malware is a successful business for cybercriminals, with the FBI calling it a $150 million-a-year industry. The threat, which comes in various forms, is growing in sophistication, encrypting files and even stealing account credentials.

Cryptolocker infections surfaced in September. The malware uses high-grade encryption, making it virtually impossible for victims to crack the locked files without paying the ransom fee for the key. Once a system is infected, victims have 90 hours to pay the fee. The ransom payment is paid in Bitcoin digital currency and can cost hundreds of dollars or more depending on the Bitcoin market rate.

"You would need a nation-state to sponsor you with their supercomputers to decrypt your files," said Craig Williams, a threat researcher also on Cisco's TRAC team. "They did this in a very professional way."

Solution providers told CRN that some small businesses have paid out the ransom to decrypt the files. The best defense to the attack is the use of standard security best practices to prevent an infection in the first place, said Ben Goodman, President, 4A Security, a managed security service and risk management consultancy based in New York City. File backup is an essential cyberdefense, Goodman said.

The malware has been seen encrypting automated cloud-based backups, and some security experts recommend businesses maintain a daily or weekly offline backup to reduce the impact of an attack.

"There's definitely a heightened sense of awareness about Cryptolocker and that helps reduce the risk of an infection," Goodman told CRN. "We're running vulnerability scans and ensuring they're updated with the latest protection to prevent an attack."

Cryptolocker's wide distribution indicates that its creator spent a lot of time and money getting it developed and is trying to cash in with as many infections as possible. Cybercriminals are spamming it out using as many botnets as they can, said Cisco's Schultz. Unlike other ransomware that is rented out to a variety of attackers, the Cryptolocker malware is very likely being tightly maintained by the same cybercriminal group.

In addition to backing up systems, cloud-based antivirus, intrusion detection and prevention systems, unified threat management appliances and other network security systems that block known IP addresses with bad reputations can all greatly reduce the risk of an attack, the Cisco researchers said. Small business owners should check to ensure that the systems they have in place are configured properly and maintained regularly, they said.

In addition, driving up ransomware attacks is a threat called Browlock. The attack, which is being detected on a lot of consumer systems, can detect the location of the system. It then displays the law enforcement entity associated with the country, showing a warning message that the computer has been locked for a computer violation.

Attacks have been widespread, including in the U.S. Browlock doesn't encrypt a victim's system; it uses Javascript to prevent the victim from closing the warning window, Cisco said. The cybercriminals use online payment operators in the country where the infection takes place.

PUBLISHED NOV. 25, 2013