Blog :: Security Operations

Cryptolocker Detection On Your Network

It lurks on the internet, it hungers for personal information, it waits until you download that seemingly innocent file… it’s Cryptolocker.

What is Cryptolocker?

Cryptolocker, a type of ransomware, has been around since 2013; however, it wasn't making media headlines until recently. As of late, Cryptolocker has been in the news because it threatens not just personal PCs, but corporate businesses, hospitals, banks, and any other organization that holds a wealth of precious personal information. How does it work? It's pretty simple. A user receives an email with a call to action instructing them to download an attached file. This file may look like a Word document, report, or picture from someone within the office. Once the disguised file is downloaded and opened, it launches Cryptolocker. Now here's the tricky thing: it doesn't always happen right away. The malware can sit dormant on a user's computer for days or weeks before springing into action. Once inside the network, it can travel from user to user until there are numerous PCs with a screen that looks something like this:


Now what? Your computer is locked and you're being told to pay up or lose important personal information. On top of that, you're being accused of doing terrible, terrible things, which is supposedly the reason your computer is locked.

Now What Do I Do?

First, never, ever pay the ransom. To be honest, there is no guarantee that you'll get your files back. Second, take the infected machine offline to prevent the malware from spreading throughout your network. Now here's where a little bit of teamwork and Scrutinizer come in. Work with your network team and the user whose PC is infected to estimate the time and date when the PC may have been compromised. Once a time and date is established, we can turn to Scrutinizer. By filtering on that time window on the core devices of your network, we will be able to see large spikes in bandwidth, unusual behavior such as reaching out to NXDomains, and TCP handshakes that never complete. From there, we can begin to drill into particular users. Once we find the user who downloaded the attachment, we can see where the link may have come from, where it's reaching out to, and even whether there was communication with other users on the network. Partnered with FlowPro Defender, we can even resolve FQDNs to make detection closer to real time.

How Can This Help?

Now that you know what Cryptolocker's traffic patterns look like, you can begin setting thresholds. As a result, if Scrutinizer detects these patterns again, you will be notified. Unfortunately, we cannot block Cryptolocker on your network, but we can certainly help you find the origin point, the users the virus communicated with, and the FQDNs it used, and help you take the steps necessary to prevent future infections.
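The triage described in the two sections above (filter flow data to the suspected time window, look for bandwidth spikes, NXDomain lookups and incomplete TCP handshakes, then check which internal hosts the suspect talked to, and finally turn those observations into thresholds) can be sketched in a few dozen lines. The script below is an added example written for this post; it is not Scrutinizer or FlowPro Defender code and does not read their data. It assumes a CSV flow export with the columns shown, a resolver log of the form `timestamp client qname rcode`, a 10.0.0.0/8 internal range, and baseline thresholds that are placeholders you would derive from a clean period of your own traffic. All flow and DNS records in it are constructed.

```python
"""Flow-based ransomware triage over a time window (constructed data, added example)."""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed NetFlow-style export, not output from any real collector.
# tcp_flags is the union of flags seen in the flow: S=SYN, A=ACK, F=FIN, R=RST.
FLOW_CSV = """\
timestamp,src,dst,proto,dst_port,bytes,tcp_flags
2016-03-01T09:05:00,10.1.1.20,10.1.1.5,tcp,445,60000000,SA
2016-03-01T09:06:00,10.1.1.20,10.1.1.21,tcp,445,4000000,SA
2016-03-01T09:30:00,10.1.1.7,10.1.1.5,tcp,445,2000000,SAF
2016-03-01T11:00:00,10.1.1.20,10.1.1.5,tcp,445,90000000,SA
"""
# 35 constructed SYN-only flows: connection attempts whose handshake never completed.
FLOW_CSV += "".join(
    f"2016-03-01T09:10:{i:02d},10.1.1.20,203.0.113.{i + 1},tcp,443,60,S\n" for i in range(35)
)

# Constructed resolver log lines: "<timestamp> <client> <qname> <rcode>".
DNS_LOG = [
    "2016-03-01T09:12:00 10.1.1.7 intranet.example.local NOERROR",
    "2016-03-01T08:50:00 10.1.1.20 oldhost.example.local NXDOMAIN",  # before the window
] + [
    f"2016-03-01T09:13:{i:02d} 10.1.1.20 h{i}.constructed-dga.example NXDOMAIN" for i in range(25)
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range

# Assumed placeholder thresholds; derive real ones from a clean period of your own flow data.
THRESHOLDS = {"bytes_out": 50_000_000, "syn_only": 30, "nxdomain": 20}

# The window agreed with the user and the network team (constructed).
WINDOW_START = datetime(2016, 3, 1, 9, 0)
WINDOW_END = datetime(2016, 3, 1, 10, 0)


def parse_flows(text):
    """Turn the CSV export into dicts with typed timestamp and byte count."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
        r["bytes"] = int(r["bytes"])
        rows.append(r)
    return rows


def summarize(flows, dns_lines, start, end):
    """Per-source counters for the three indicators, restricted to [start, end)."""
    stats = defaultdict(lambda: {"bytes_out": 0, "syn_only": 0, "nxdomain": 0})
    for f in flows:
        if not (start <= f["timestamp"] < end):
            continue
        s = stats[f["src"]]
        s["bytes_out"] += f["bytes"]
        # Only SYN seen for the whole flow: nobody answered, or the answer was never ACKed.
        if f["proto"] == "tcp" and set(f["tcp_flags"]) == {"S"}:
            s["syn_only"] += 1
    for line in dns_lines:
        ts, client, _qname, rcode = line.split()
        if start <= datetime.fromisoformat(ts) < end and rcode == "NXDOMAIN":
            stats[client]["nxdomain"] += 1
    return dict(stats)


def flag_hosts(stats, thresholds=THRESHOLDS):
    """Hosts that exceed any threshold, mapped to the indicators that tripped."""
    flagged = {}
    for host, s in stats.items():
        reasons = sorted(k for k, limit in thresholds.items() if s[k] > limit)
        if reasons:
            flagged[host] = reasons
    return flagged


def internal_peers(flows, host, start, end):
    """Internal addresses the suspect host sent traffic to in the window."""
    return sorted(
        f["dst"] for f in flows
        if f["src"] == host and start <= f["timestamp"] < end
        and ipaddress.ip_address(f["dst"]) in INTERNAL
    )


if __name__ == "__main__":
    flows = parse_flows(FLOW_CSV)
    stats = summarize(flows, DNS_LOG, WINDOW_START, WINDOW_END)
    for host, reasons in flag_hosts(stats).items():
        print(host, reasons, "internal peers:", internal_peers(flows, host, WINDOW_START, WINDOW_END))
```

With the constructed data, only 10.1.1.20 trips all three indicators inside the window, and its internal peers (10.1.1.5 and 10.1.1.21) are the next machines to check; the large transfer at 11:00 is ignored because it falls outside the agreed window, which is exactly why narrowing the time range with the user first matters. The `flag_hosts` function is the part you would keep running on new flow data once the thresholds are tuned.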

What Else Can I Do?

Communicate with your team members and colleagues! Remind them never to open email attachments that seem strange, no matter how innocent they look. If your boss isn't prone to sending you cute cat pictures, chances are he didn't "just this one time." For more information on how you can prevent the spread of Cryptolocker, you can read this blog post by Symantec. If you want to educate your employees on what a malicious email may look like, you can always check out our game Click Click Phish.