In the small town of Greenland, New Hampshire (population 3,653, based on the 2012 US Census estimates), on the day after Christmas 2013, a town employee opened an email indicating that they had received a voice message from AT&T … and infected the computers at the Town Hall with malicious software known as CryptoLocker.

If you’re already familiar with CryptoLocker, you can skip these additional points of explanation:

  • CryptoLocker is a relatively new example of one of the fastest growing areas of cybercrime, referred to as ransomware – malware that takes a computer or its data hostage, so attackers can extort payment from their victims.
  • To date, CryptoLocker has been spread through fake emails such as the one received in Greenland; tracking notices from UPS and FedEx were especially popular during this recent holiday shopping season (I happen to have received several of those).
  • CryptoLocker is designed to find – and encrypt – your files, not only on your hard drive but also on any accessible external hard drives, USB drives, network drives, file shares, or cloud storage.
  • CryptoLocker uses very strong (RSA 2048) encryption to generate a public-private key pair for each infected system: the public key (which is used to encrypt your data), and a corresponding private key (which can be used to decrypt your data).
  • Victims of CryptoLocker see a pop-up screen that delivers the bad news: your data has been encrypted; to gain access to the single copy of the private key that will enable you to decrypt them, you have 100 hours to pay US$300 in an anonymous currency (e.g., BitCoin); non-payment or any attempt to remove CryptoLocker will automatically destroy the sole copy of the private key.

And now back to our discussion of what happened in Greenland, New Hampshire.

Unfortunately, the Town Administrator did not learn of the infection until December 30 … after the 100 hours had already expired. And just like that, the Town Administrator of Greenland, New Hampshire lost eight years of work.

No opportunity to weigh the cost of $300 of taxpayer money versus the cost of eight years of taxpayer-funded salary and benefits … no opportunity to ponder the policy of negotiating with terrorists … just gone. One will be left, one will be taken.

It really pains me to acknowledge it, but how very clever of the criminals to leverage the same encryption technologies that companies are using to protect their information, in combination with an encryption-based, government-free currency that provides a cloak of anonymity, to extract monetary value at arm’s length from their victims – a brilliant sort of encryption jiu-jitsu.

Sources such as McAfee Labs predict that we will see significant growth in these types of exploits in 2014.

I still remain optimistic that technology such as DMARC will increasingly help to thwart the most common delivery mechanisms for malware such as CryptoLocker – e.g., see my blog Don’t Click on That Cat! (24 October 2013).

In the meantime, if ever there were a time to remind ourselves of some basic best practices, this would be it:

  • Back up your data
  • Keep your systems patched and up to date
  • Deploy basic endpoint protection (anti-virus), email security, and web security
  • Make end-users aware – repeatedly – of safe email and web browsing practices

For more research and insights on the topic, visit Aberdeen’s IT Security page.