Detailed Report on Crypto Locker: Infection, Defense, and Mitigation

Added on 2023/06/12

AI Summary
This report investigates the Crypto Locker ransomware, detailing how it infects machines on a network by encrypting personal files and spreading through shared drives. It explores defence strategies such as software restriction policies (SRPs) and the use of tools like AppLocker to prevent execution from vulnerable user space areas. The report also outlines mitigation steps for security analysts, including consulting experts, informing users about password changes, and using tools from vendors such as McAfee and Symantec for removal. Post-incident actions emphasise user training on avoiding untrusted websites and email attachments, as well as scanning files from external storage devices, with the goal of increasing awareness and preventing future infections.
Running Head: TO INVESTIGATE CRYPTO LOCKER
To investigate crypto locker
Name of the Student:
Name of the University:
Author Note:
Question 1: How is a machine on a network affected by Crypto Locker?
Crypto Locker is a type of malicious program known as ransomware. The basic definition of ransomware is software specifically designed to block access to some files (Scaife et al., 2016). Users must pay a certain amount to regain access to the affected files. Most ransomware simply freezes a system and demands a fee, but Crypto Locker is a different kind of ransomware that targets personal files. The computer and the software on it keep functioning normally, but personal files such as images, spreadsheets and documents are encrypted. Crypto Locker has the particular ability to search for and encrypt files located on USB drives, cloud storage drives, external hard drives, network file shares and shared network drives ("CryptoLocker Ransomware Infections", 2018). Mapped network drives can therefore be affected as soon as a single computer on the network is infected. After infection, Crypto Locker promptly connects to the attackers' command and control server. Once that connection is established, the asymmetric private encryption key is deposited on that server, out of the victim's reach. Asymmetric encryption is used to encrypt the victim's files (Tripathi & Agrawal, 2014): two different keys are used, one for encrypting and one for decrypting. This is a more secure form of encryption because only one party holds the private key.
Question 2: How to defend network resources from Crypto Locker infection?
There is a plethora of ways to defend corporate network resources from infection. A strong anti-malware program can defend against such attacks. However, two approaches stand out for defending system resources. The first is a software restriction policy. Through group policy, SRPs (software restriction policies) allow a user or admin to prevent or control the execution of certain programs (Hassell, 2018). Crypto Locker launches itself from specific user space areas, so using SRPs to block executable files in those areas can prevent Crypto Locker from launching in the first place. Group policy is the best way to deploy this; however, a small business can implement a local security policy, which performs more or less the same function.
The second approach is software such as AppLocker. It works only on Windows 7, Windows 8 and Windows 10 editions and will not work on systems running Windows XP or Vista. AppLocker provides SRP functionality (Beuhring & Salous, 2014). It is especially helpful for a large organisation running enterprise editions of Windows, because with it programs can be prevented from running except software that carries a signed certificate. Additionally, there are steps a user can take. Users can back up important files and keep the backups on external drives. Antivirus software must be kept up to date, and software and the operating system must be kept current with the latest patches. Users must be aware of the risk in opening unsolicited links forwarded by email, and must use extreme caution in opening email attachments. Lastly, a user can follow safe browsing practice. Users who find the last point difficult can install premium antivirus software that offers a browser extension which checks web pages and ensures safe browsing is followed.
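To make the SRP/AppLocker approach above concrete, here is an added PowerShell example (not part of the report, and not vendor documentation) that builds a policy denying execution from the per-user AppData tree while still allowing Windows, Program Files and Microsoft-signed binaries, then dry-runs it with Test-AppLockerPolicy before anything is enforced. The policy file name, rule names and the copied stand-in executable are constructed for the demonstration; it assumes Windows 7 Enterprise/Ultimate or later with the AppLocker module available.

```powershell
# Added example, not from the report: deny EXE launch from user AppData, allow the rest, dry-run it.
Import-Module AppLocker
$policyPath = Join-Path $env:TEMP 'deny-appdata-exe.xml'   # constructed file name

# AppLocker semantics: an explicit Deny always outranks an Allow, and once the Exe collection
# is enforced anything that matches no Allow rule is denied by default.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow Microsoft-signed binaries"
                       Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
                                ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny executables under user AppData"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $policyPath -Encoding UTF8

# Constructed stand-in for a dropped file: a copy of cmd.exe placed where such malware lands.
# Being Microsoft-signed it matches the publisher Allow, but the explicit path Deny wins.
$dropped = Join-Path $env:LOCALAPPDATA 'Temp\sample-dropper.exe'
Copy-Item "$env:SystemRoot\System32\cmd.exe" -Destination $dropped -Force

# Dry run: nothing is applied to the machine; the cmdlet only reports the decision per file.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path @(
    "$env:SystemRoot\System32\cmd.exe",   # original location, matches the Windows folder Allow
    $dropped                              # AppData location, hits the Deny rule
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $dropped -Force

# To enforce locally (run as administrator with the Application Identity service started),
# review the dry-run output first and then: Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

For a domain-wide rollout the same XML is imported into a Group Policy object rather than merged locally, which is the group policy deployment the report recommends.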
Question 3: How to mitigate the effect of Crypto Locker, and what should the post-incident action be?
A security analyst can take various steps to mitigate the effects of Crypto Locker. The first step is to consult a security expert who can help remove the ransomware from the system. After this, the analyst should hold a briefing session to inform users that they should change their network and online passwords. They must also change system passwords once the ransomware is completely removed from the system. If the files on a specific computer have not yet been encrypted by the ransomware, users can turn to tools for effective removal of Crypto Locker; tools from McAfee, Heimdal, Microsoft (its scanner), Sophos, Symantec, Trend Micro and FireEye can help. The third thing the analyst can do is plan a training session. Training sessions increase user awareness, and once awareness is raised, prevention becomes much easier. The training session should cover the following points. First, employees should be informed that they should not visit untrusted websites (Brewer, 2016); gambling, freeware download and porn websites must be avoided. Employees should use the Chrome or Firefox browser, which are less vulnerable to attacks ("Ransomware - Practical View, Mitigation & Prevention Tips", 2018). Employees must be told specifically not to open email attachments that originate from unknown sources. The last point to include in the training session is that employees need to scan files on mobile storage units before transferring them to the system (Weckstén et al., 2016). All the points mentioned above count as post-incident action.
References:
Beuhring, A., & Salous, K. (2014). Beyond blacklisting: Cyberdefense in the era of advanced persistent threats. IEEE Security & Privacy, 12(5), 90-93.
Brewer, R. (2016). Ransomware attacks: detection, prevention and cure. Network Security, 2016(9), 5-9.
CryptoLocker Ransomware Infections. (2018). Us-cert.gov. Retrieved 19 April 2018, from https://www.us-cert.gov/ncas/alerts/TA13-309A
Hassell, J. (2018). Cryptolocker: How to avoid getting infected and what to do if you are. Computerworld. Retrieved 19 April 2018, from https://www.computerworld.com/article/2485214/microsoft-windows/cryptolocker-how-to-avoid-getting-infected-and-what-to-do-if-you-are.html
Ransomware - Practical View, Mitigation & Prevention Tips. (2018). Cisoplatform.com. Retrieved 19 April 2018, from http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips
Scaife, N., Carter, H., Traynor, P., & Butler, K. R. (2016, June). CryptoLock (and drop it): Stopping ransomware attacks on user data. In 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS) (pp. 303-312). IEEE.
Tripathi, R., & Agrawal, S. (2014). Comparative study of symmetric and asymmetric cryptography techniques. International Journal of Advance Foundation and Research in Computer (IJAFRC), 1(6), 68-76.
Weckstén, M., Frick, J., Sjöström, A., & Järpe, E. (2016, October). A novel method for recovery from Crypto Ransomware infections. In 2016 2nd IEEE International Conference on Computer and Communications (ICCC) (pp. 1354-1358). IEEE.