Lock, stock, and peril


In old movies, ransom notes came in the form of pasted letters cut from newspapers.  There’s a new kind of ransom that could pose a substantial risk to your business.  Have you alerted your staff about how to protect one of your company’s most valuable assets?

The new threat is called Cryptolocker, a form of malware that locks you out of your own computer system unless you transfer money to shadowy shakedown artists who could be located down the street – or around the globe.  Cryptolocker works by encrypting everything on your system’s hard drive or any shared folders:  business records, client files, financial data, the works.  Once the files are encrypted, victims get the ransom note, complete with an ominous countdown clock warning people when their files will be gone for good.  The criminals demand money through Bitcoin or some other anonymous payment method and say they’ll turn over the encryption key if you cough up the cash.  Some companies have paid, but there’s no guarantee the crooks will unlock your files.

How do they work their way into your company’s system?  Scammers send email that looks like everyday correspondence from legitimate companies (for example, tracking messages from shippers).  Thinking it’s routine, your colleague clicks the link and – to quote that college sportscaster – boom goes the dynamite.  Your files are in lock-down.

What can your company do to thwart Cryptolocker cons?

Back (up) to square one.  You’re probably tired of hearing it, but that won’t stop us from saying it:  Back up your files now – and often.  Have a conversation with your IT staff about how your company handles that.  Some automated systems and cloud-based services are synchronized backups. That means if someone edits a file, the backup is overwritten, too.  The bad news:  If a malicious program encrypts the original, the synchronized backup will be locked, too.  Work with your tech people to back up your files in a way that avoids that risk.  Many experts advise companies against using a method that’s always connected to your system.  For very small businesses and home offices, an external hard drive may be an option, but disconnect it when you aren’t actively backing up files.  If the backup device is connected to your computer when Cryptolocker strikes, the program may lock those files, too.

Reduce the risk of “drive-by” downloads.  Make sure your browser’s security setting is high enough to help fight off unauthorized downloads.  For example, many experts recommend at least the “medium” setting in Internet Explorer.

Double extensions can spell double trouble.  Downloading a file that ends with .exe can be particularly risky.  So hackers try to hide what they’re up to by throwing in an extra extension that may look harmless – for example, .pdf or .jpeg.  But a closer look reveals something like [name of file].pdf.exe.  If you don’t read it carefully, you may focus on the routine .pdf and miss the potentially diabolical .exe.  Here’s another tip.  Some companies have set up their systems to hide file extensions.  That may not be the safest choice.  Talk it over with your tech team, but a better option might be to educate your employees about the risks of .exe files and then make extensions visible on your company’s computers.  That way, rather than opening an iffy .exe file, your staff will know to alert IT to the potential threat.
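As an added illustration (not part of the original post), here is one way a mail filter could flag attachment names that use the double-extension pattern described above. The extension lists, function names and sample message are assumptions constructed for this example.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed lists for illustration; a real filter would tune both.
EXECUTABLE = {".exe", ".scr", ".com", ".bat", ".cmd"}
DECOY = {".pdf", ".jpeg", ".jpg", ".png", ".doc", ".docx", ".xls", ".txt"}

def check_name(filename):
    """Return 'double-extension', 'executable', or None for a file name."""
    # Compare case-insensitively and ignore stray whitespace around each part.
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 2 or "." + parts[-1] not in EXECUTABLE:
        return None
    # The final extension decides how the file is run; an earlier,
    # harmless-looking one (name.pdf.exe) only changes how it reads.
    if len(parts) >= 3 and "." + parts[-2] in DECOY:
        return "double-extension"
    return "executable"

def flag_attachments(raw_message):
    """Parse a raw e-mail and list (filename, verdict) for risky attachments."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        verdict = check_name(name) if name else None
        if verdict:
            findings.append((name, verdict))
    return findings

def build_sample():
    """Constructed test message; addresses and file names are made up."""
    msg = EmailMessage()
    msg["Subject"] = "Your shipment tracking update"
    msg["From"] = "tracking@shipper.example"
    msg["To"] = "staff@company.example"
    msg.set_content("Your tracking details are attached.")
    for name in ("tracking_label.pdf.exe", "receipt.pdf", "setup.exe", "report.v2.pdf"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()

if __name__ == "__main__":
    for name, verdict in flag_attachments(build_sample()):
        print(f"{verdict}: {name}")
```

A name such as report.v2.pdf is not flagged, because only the final extension determines whether the file is treated as a program.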

Be stingy about issuing backstage passes to your network.  Consider limiting administrative privileges to staffers who really need them.  If malware compromises one of those VIP accounts, the damage can be even worse.

The best defense against Cryptolocker and similar threats is a box of donuts.  Or a bag of bagels or a pot of coffee you share at the staff meeting you convene to spread the word about the Cryptolocker risk.  Remind anyone with an office email account that instead of clicking a link in an unexpected message, it’s safer to type into your browser the known URL of the company the message claims to be from and then navigate to the information you need.

There’s no place like home.  Cryptolocker also strikes personal email addresses, so follow the same sensible steps at home.  Why risk tax records, school projects, or an irreplaceable gallery of family photos?


As long as data is on the docket, have you marked your calendar for the first in the FTC's Spring Privacy Series on Mobile Device Tracking, set for 10:00 ET on Wednesday, February 19, 2014?  If you can't make it to Washington, check the event page tomorrow morning for the webcast link.  But if you'll be in D.C., be sure to get there early.   Registration opens at 9:00 and shortly after that, FTC Chief Technologist Latanya Sweeney will give a mobile location tracking demonstration.  Check out her blog post, My phone at your service, to find out more.



I'm very interested in doing whatever I can to remove/prevent these Cyborhackers from entering my computer.
Duchess, have you visited OnGuardOnline? It's a great resource from the FTC and other partners about staying safer online.
I am not a cloud fan yet. I think we develop new technology without really considering the consequences of that technology and how to secure it. Working in an environment where we push new technology into the field without a test environment being implemented, I know firsthand the risks involved and the propensity to lose data, clients and ultimately business. I am not against new technology, I would love to see some character from companies involving new technology, so we can make progress and be reliable. What is your financial gain if you lose it and your company's image along with it?
"The best defense against Cryptolocker and similar threats is a box of donuts." Except Prevention, what can we do if infected by it?
What if we all paid $1.00 into a reward fund that would issue rewards to the nabbers of these perpetrators and then the perps could be executed online for their misdeeds. That would be a good deterrent.
