In the last months of 2013 the first signs appeared of what would become one of the most lucrative attacks for cybercriminals. Cryptolocker is the name of the best-known family of ransomware, and the name has ended up being applied to all threats of this type.

The threat always works on the same simple premise: it encrypts the victim's documents and demands a ransom for the key needed to recover them.

They usually geo-locate the victim's IP address so that the ransom note, with its payment instructions, is shown in the language of the corresponding country. Payment has to be made in Bitcoin and all contact with the criminals is carried out over Tor, both of which make it harder for the authorities to identify them.

These attacks became increasingly common throughout 2014, starting with isolated attacks on individuals before turning towards corporations, which proved far more rewarding: the data held hostage was worth more and the ransom (usually around €300) was small change to most businesses.

In 2015 we have seen them fine-tune the attacks to overcome the defenses put in their way:

  • They no longer make mistakes in the encryption. Earlier flaws in how files were encrypted allowed security companies to create tools that recovered documents without paying the ransom.
  • New families of threats have appeared: more criminal groups are adopting the Cryptolocker model, which has become the most common type of threat at the moment.
  • All of them demand payment in Bitcoin. Bitcoin transactions are recorded on a public ledger and can be followed from wallet to wallet, but the wallets are not tied to a real identity, which makes the payments very hard to attribute to a person.
  • They have concentrated on two distribution channels:
    • Via exploit kits
    • By email with a compressed attachment
  • They are creating new forms of attack; we have seen them start to use PowerShell scripts, and PowerShell is installed by default on current versions of Windows, Windows 10 included.
  • On mobile devices, although we have seen some attacks (such as one that changed the device's unlock code), they are still the exception to the rule.
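For the second of those two distribution channels, a compressed e-mail attachment, the check a mail gateway wants is to look inside the archive before it reaches the user. The following Python is an added example, not code from the original page or from Panda: it opens a zip attachment in memory and flags members with executable or script-host extensions, double extensions such as invoice.pdf.exe, and members whose bytes start with the Windows PE "MZ" header under a harmless-looking name. The extension lists, the sample archive and its file names are constructed for the example.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions that should not arrive in a compressed attachment from an unknown
# sender: native executables plus the script hosts droppers rely on. This
# policy list is an assumption of the example, not taken from the page.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".cpl", ".dll",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".bat", ".cmd", ".hta", ".lnk",
}
# Document/image extensions commonly used as the decoy half of a double extension.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}
PE_MAGIC = b"MZ"   # first two bytes of every Windows executable


def _extensions(name: str) -> List[str]:
    """All extensions of a member name, lowercased: 'a/invoice.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return ["." + part.lower() for part in base.split(".")[1:]]


def inspect_attachment(data: bytes) -> List[Tuple[str, str]]:
    """Return (member_name, reason) for every suspicious member of a zip attachment.

    Three checks: a banned extension, a decoy double extension, and a PE header
    hiding under a non-executable name. Only the first two bytes of each member
    are read, so nothing is extracted to disk.
    """
    findings: List[Tuple[str, str]] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("", "not a valid zip archive")]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            last = exts[-1] if exts else ""
            if last in EXECUTABLE_EXTENSIONS:
                findings.append((info.filename, f"executable extension {last}"))
            if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS and last not in DECOY_EXTENSIONS:
                findings.append((info.filename, f"double extension {''.join(exts[-2:])}"))
            with archive.open(info) as member:
                if member.read(2) == PE_MAGIC and last not in EXECUTABLE_EXTENSIONS:
                    findings.append((info.filename, "PE header under non-executable name"))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample: a double-extension dropper, a JScript downloader,
    a PE renamed to .jpg and one genuine-looking PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice.pdf.exe", PE_MAGIC + b"\x00" * 62)
        archive.writestr("scan_0012.js", b"var sh = new ActiveXObject('WScript.Shell');")
        archive.writestr("photo.jpg", b"MZ\x90\x00")
        archive.writestr("report.pdf", b"%PDF-1.4 ...")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in inspect_attachment(build_sample_attachment()):
        print(f"{name}: {reason}")
```

On the constructed sample the check reports invoice.pdf.exe twice (banned extension and double extension), scan_0012.js once and photo.jpg once, and is silent about report.pdf; a gateway would quarantine the whole message on the first finding rather than strip individual members.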

How to protect against Cryptolocker

When it comes to protecting ourselves, we must remember that Cryptolocker has different "needs" from traditional malware: it does not need persistence (once the documents are encrypted it has no reason to remain on the system, and some variants in fact delete themselves), and it does not care whether an antivirus eventually detects it (all that matters is launching the attack before detection; anything after that makes no difference).

Traditional signature-based detection is now of little use: before launching an attack the criminals check that these technologies do not detect the sample, and repack it to evade them if they do. Behavioral analysis fails to catch it in most cases, because the malware usually injects itself into system processes and encrypts the files from there, so the activity looks like a normal operation.

Only a system that monitors everything running on the computer, such as Panda Adaptive Defense 360, can stop these attacks in time, before they put our documents at risk.
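To make the idea of monitoring everything that runs on the computer concrete, here is an added example in Python that is not part of the original page and not Panda's product code. It replays a constructed file-activity log (tab-separated timestamp, pid, process image, operation and path; a real deployment would take these events from Sysmon, a file-system minifilter or an EDR agent) and raises an alert when a single process rewrites many distinct files across several folders within a short window, or when any process writes to a canary document that no legitimate program should touch. The thresholds, the canary path and the sample events are all assumptions of the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Set, Tuple


class FileEvent(NamedTuple):
    ts: datetime
    pid: int
    image: str
    op: str    # WRITE or RENAME in this constructed format
    path: str


# Detection thresholds: assumptions for this example, to be tuned per host.
WINDOW = timedelta(seconds=10)
MAX_FILES_PER_WINDOW = 20     # distinct files one process may rewrite inside WINDOW
MIN_DIRECTORIES = 3           # ... spread over at least this many folders
# Canary document no legitimate program should ever write to (assumed path).
CANARY_PATHS = {r"c:\users\ana\documents\00_do_not_touch.docx"}


def parse_event(line: str) -> FileEvent:
    """Parse one tab-separated line of the constructed log format."""
    ts, pid, image, op, path = line.rstrip("\n").split("\t")
    return FileEvent(datetime.fromisoformat(ts), int(pid), image, op, path)


def detect(lines: List[str]) -> List[dict]:
    """Replay events in time order and return one alert per offending process."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e.ts)
    recent: Dict[int, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerted: Set[int] = set()
    alerts: List[dict] = []

    for ev in events:
        if ev.pid in alerted:
            continue  # one alert per process; the response is to kill it, not to count on
        if ev.path.lower() in CANARY_PATHS:
            alerts.append({"kind": "canary", "pid": ev.pid, "image": ev.image,
                           "detail": f"wrote canary file {ev.path}"})
            alerted.add(ev.pid)
            continue

        window = recent[ev.pid]
        window.append((ev.ts, ev.path.lower()))
        while window and ev.ts - window[0][0] > WINDOW:
            window.popleft()   # drop events that fell out of the sliding window

        files = {p for _, p in window}
        folders = {p.rsplit("\\", 1)[0] for p in files}
        if len(files) >= MAX_FILES_PER_WINDOW and len(folders) >= MIN_DIRECTORIES:
            alerts.append({"kind": "mass_modification", "pid": ev.pid, "image": ev.image,
                           "detail": f"{len(files)} files in {len(folders)} folders "
                                     f"within {WINDOW.seconds}s"})
            alerted.add(ev.pid)
    return alerts


def build_sample_events() -> List[str]:
    """Constructed sample log: a normal editing session, then an encryption burst."""
    base = datetime(2015, 6, 1, 10, 0, 0)
    word = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
    dropper = r"C:\Users\ana\AppData\Roaming\svchost.exe"   # lookalike name, wrong folder
    lines: List[str] = []
    # Benign: Word saves the same report three times over two minutes.
    for i in range(3):
        t = base + timedelta(seconds=40 * i)
        lines.append("\t".join([t.isoformat(), "2200", word, "WRITE",
                                r"C:\Users\ana\Documents\report.docx"]))
    # Malicious: one process rewrites 24 user files in three folders within six seconds.
    folders = ["Documents", "Pictures", "Desktop"]
    for i in range(24):
        t = base + timedelta(seconds=120 + i // 4)
        path = rf"C:\Users\ana\{folders[i % 3]}\file{i:02d}.docx.encrypted"
        lines.append("\t".join([t.isoformat(), "3100", dropper, "WRITE", path]))
    # A second process that writes to the canary document.
    t = base + timedelta(seconds=130)
    lines.append("\t".join([t.isoformat(), "3101", dropper, "WRITE",
                            r"C:\Users\ana\Documents\00_DO_NOT_TOUCH.docx"]))
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

The burst rule fires on the twentieth distinct file, while the first four seconds of encryption are still in progress, which is the point the section makes: the sample's hash and its packing are irrelevant, what gives it away is the rate at which one process touches the user's documents. The canary rule costs nothing and catches a slower, throttled variant that never trips the rate threshold. Backup and indexing software can produce similar bursts, so a real deployment whitelists those images or raises the thresholds for them rather than disabling the rule.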