Although initially targeted at consumers, so-called “ransomware” has continued to make headlines as cybercriminals shift their attention to vulnerable businesses. The malware works by encrypting files on users’ computers and then demanding a fee to decrypt them. Organizations ranging from law enforcement agencies to large enterprises have been hit, and the entire family of malware (commonly lumped together as variants of the original Cryptolocker) has proven quite lucrative for cybercriminals.
The latest variant in the news is Cryptowall, which the FBI reported this week has cost US consumers and businesses $18 million. Losses outside the US from this single variant appear to be much higher. With new variants continuing to circulate, we decided it was time to revisit Cryptolocker and provide some practical information for our partners, customers, and anyone looking to protect themselves from these potentially very expensive infections.
Without proper layers of protection, whether a Cryptolocker infection happens often comes down to the user. Most users now steer clear of emails that ask for banking details, but a message that appears to come from the post office or the company mailroom, telling them that a letter is waiting, lowers their guard: it asks for no personal information, so clicking the included link feels safe. They will even fill in the CAPTCHA that the attackers place on the linked sites, which is there to keep automated crawlers from fetching and scanning the malicious landing page.
The most common vector for this type of malware attack remains email. FortiMail is Fortinet’s email security platform. It uses multiple techniques to detect spam and viruses sent by email. Apart from the more traditional anti-spam systems, FortiMail also scans the URIs in the message body and compares them with Fortinet’s Web Filtering database. Thus, if a message contains a link to a URL associated with phishing, malware delivery, etc., it can be detected even when the message itself does not come from a known malicious or compromised mail server. As a result, it can detect spam (including messages bearing ransomware) that most traditional, sender-based techniques would not pick up.
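The check described above, as an added example that is not FortiMail's code: pull every http(s) URI out of the text and HTML parts of a message, canonicalize each one, and rate it against a category list, blocking when any link lands in a phishing or malware category regardless of who the sender is. The category list, the domain names, and the "mailroom" sample message are all constructed for this example; the normalization step also handles the `user@host` decoy trick, where the hostname before the `@` is bait and the real destination follows it.

```python
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for a vendor web-filtering database: hostname -> category.
# Lookups also walk parent domains, so a subdomain inherits its parent's rating.
CATEGORY_DB = {
    "evil-tracking.example": "phishing",
    "parcel-notify.example": "malware",
    "www.example.com": "news",
}
BLOCKING_CATEGORIES = {"phishing", "malware"}

# Absolute http(s) URLs in free text; stops at whitespace, quotes and brackets.
URL_RE = re.compile(r"""(?i)\bhttps?://[^\s<>"'()\[\]]+""")


class _LinkCollector(HTMLParser):
    """Collects href/src attribute values from an HTML part (entities decoded)."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def normalize(url: str) -> str:
    """Canonical form for lookup: lowercase scheme and host, default port and
    fragment dropped, userinfo removed (so http://bank.example@evil.example/
    resolves to evil.example rather than the decoy before the '@')."""
    url = url.rstrip(".,;:!?")  # punctuation that trails a URL in prose
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    try:
        port = parts.port
    except ValueError:  # malformed port: treat as absent
        port = None
    default = {"http": 80, "https": 443}.get(parts.scheme.lower())
    netloc = host if port in (None, default) else f"{host}:{port}"
    rebuilt = f"{parts.scheme.lower()}://{netloc}{parts.path or '/'}"
    if parts.query:
        rebuilt += "?" + parts.query
    return rebuilt


def extract_uris(msg: Message) -> set[str]:
    """Every http(s) URI in the text/plain and text/html parts, normalized."""
    found: set[str] = set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        found.update(URL_RE.findall(text))
        if ctype == "text/html":  # also catch links hidden in attributes
            collector = _LinkCollector()
            collector.feed(text)
            found.update(u for u in collector.links
                         if u.lower().startswith(("http://", "https://")))
    return {normalize(u) for u in found}


def lookup_category(host: str):
    """Exact host first, then each parent domain (never the bare TLD)."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category:
            return category
    return None


def scan_message(raw: str) -> dict:
    """URIs seen, the ones with a category, and a block/deliver verdict.
    The sender domain plays no part: a clean sender with a bad link is blocked."""
    uris = extract_uris(message_from_string(raw))
    hits = {}
    for uri in uris:
        category = lookup_category(urlsplit(uri).hostname or "")
        if category:
            hits[uri] = category
    verdict = "block" if BLOCKING_CATEGORIES & set(hits.values()) else "deliver"
    return {"verdict": verdict, "uris": sorted(uris), "hits": hits}


# Constructed sample: a "mailroom" lure sent from an uncategorized domain.
SAMPLE_EMAIL = """\
From: Mailroom <mailroom@corp-internal.example>
To: user@corp-internal.example
Subject: Pending letter for you
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

A letter is waiting at the mailroom. Confirm pickup at
http://parcel-notify.example/pickup?id=4821 before Friday.

--b1
Content-Type: text/html; charset=utf-8

<html><body>
<p>A letter is waiting. <a href="HTTP://Parcel-Notify.example/pickup?id=4821#x">Confirm pickup</a></p>
<p>Questions? See <a href="https://www.example.com/help">our help page</a>.</p>
<img src="http://corp-internal.example@cdn.evil-tracking.example/pixel.gif">
</body></html>

--b1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE_EMAIL))
```

Running the block on the sample yields a `block` verdict: the pickup link rates as malware and the tracking pixel, whose real host sits after the `@`, rates as phishing, while the sender domain itself is unknown to the list and would have passed a pure sender-reputation check.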
Beyond this, FortiMail can also hand suspicious content off to Fortinet’s sandboxing platform, FortiSandbox. FortiSandbox lets all suspicious attachments, even ones that have not previously been categorized, be examined in a controlled environment. The inspection happens at near line speed, and the email is not forwarded to the recipient until it is deemed safe; otherwise it is cleaned or discarded.
Not every organization has the scale to justify dedicated email gateways and sandboxes, though. Robust endpoint antimalware such as FortiClient adds another barrier that can prevent infection with this malware, even when clients are off the network. FortiClient not only provides antivirus (soon to be integrated with FortiSandbox) but also includes web filtering that can block links to phishing sites, malware downloads, and the like.
If the workstation antivirus does not detect the malware, the user may still be protected by other network security systems, e.g., the FortiGate next-generation firewall. If a user tries to follow a link to a phishing or malware site, FortiGate’s web filtering can block the request, and its own AV engine can inspect the traffic that does get through.
Regardless of the exact implementation (which should be driven by business requirements), the key to protection against a variety of malware, Crypto* included, is layered security. Client software, firewall, email gateways, and sandboxes should all work in concert to ensure that malware is detected and mitigated, no matter what the vector or infection point. These layers all work at different moments in time as well, providing multiple opportunities to prevent and contain infections.