Cryptolocker - still!
This post is probably a month overdue, but better late than never.
So #Cryptolocker is back again, with the same M.O. as last year but with a slight twist. You still get an email, in very bad grammar, about a parcel that could not be delivered. At this point all your end-user security training should be paying off: bad grammar, spelling mistakes and a link for a parcel you are probably not expecting. But nevertheless, they click away. A site that looks like auspost.com.au, but is actually something like parceltracker-24.net, invites you to enter a CAPTCHA code and download a file.

The twist is that the file itself is delivered from a file sharing site (disk.yandex.com or cubbyusercontent.com, for example) over HTTPS, so the download bypasses content inspection at any gateway that does not decrypt TLS. The gateway sees only a CONNECT to a well-known cloud storage host, never the malicious executable inside the tunnel.

My advice: seriously think about selective HTTPS inspection, and block 'Network Storage and Personal Backups' as a category with exceptions for the services you commonly use, such as iCloud, Google Drive, Microsoft OneDrive and Dropbox. Creating exceptions and/or deploying decryption certificates is still less IT work than recovering from ransomware.
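To make the category-with-exceptions policy concrete, here is an added example (not code from the original post, and not any particular gateway's configuration) that applies it to a few constructed proxy log lines. The category membership and the sanctioned-service list are hard-coded assumptions standing in for a vendor's URL categorisation feed; the hostnames are the ones mentioned above, and the log lines are made up for the illustration.

```python
from urllib.parse import urlsplit

# Constructed category data for illustration only; a real gateway takes this
# from its vendor's URL categorisation feed. These are the hosts named in the post.
NETWORK_STORAGE_AND_BACKUP = {
    "disk.yandex.com",
    "cubbyusercontent.com",
}

# Sanctioned services: the exceptions carved out of the blocked category.
SANCTIONED_STORAGE = {
    "icloud.com",
    "drive.google.com",
    "onedrive.live.com",
    "dropbox.com",
}


def registrable_matches(host: str, domains: set) -> bool:
    """True if host equals, or is a subdomain of, any entry in domains.

    Matching on label boundaries avoids 'notdropbox.com' matching 'dropbox.com'.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def decide(url: str) -> tuple:
    """Return (action, reason) for a request the gateway sees.

    ALLOW   sanctioned storage service: pass through, tunnel left encrypted.
    BLOCK   any other host in the network-storage / personal-backup category.
    INSPECT everything else over HTTPS: terminate TLS and scan the payload.
    PASS    cleartext HTTP: already visible to the existing content scanner.

    Only the hostname is needed, which is exactly what a proxy sees in the
    CONNECT request (or the TLS SNI) before any decryption takes place.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return "BLOCK", "unparseable URL"
    if registrable_matches(host, SANCTIONED_STORAGE):
        return "ALLOW", "sanctioned storage service"
    if registrable_matches(host, NETWORK_STORAGE_AND_BACKUP):
        return "BLOCK", "network storage / personal backup category"
    if parts.scheme == "https":
        return "INSPECT", "uncategorised HTTPS: decrypt and scan"
    return "PASS", "cleartext HTTP: scanned by existing gateway"


# Constructed proxy log lines (timestamp, client, method, URL); not a real log.
# Line 1 is the lookalike parcel site, line 2 the payload download it leads to.
SAMPLE_LOG = """\
2014-09-02T09:14:03 10.1.2.33 GET https://parceltracker-24.net/track?id=AU8812
2014-09-02T09:14:41 10.1.2.33 GET https://disk.yandex.com/d/abc123/AusPost_Invoice.zip
2014-09-02T09:16:10 10.1.2.40 GET https://www.dropbox.com/s/xyz/Q3_report.xlsx
2014-09-02T09:17:55 10.1.2.51 GET http://www.example.com/index.html
"""


def apply_policy(log_text: str) -> list:
    """Run decide() over each log line; return (client, url, action) tuples."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url = line.split(maxsplit=3)
        action, _reason = decide(url)
        results.append((client, url, action))
    return results


if __name__ == "__main__":
    for client, url, action in apply_policy(SAMPLE_LOG):
        print(f"{action:8} {client:12} {url}")
```

The point of the ordering in decide() is that the sanctioned-service check runs before the category block, so the exceptions win, and that the category decision is made on the hostname alone: the payload download is blocked without ever decrypting the Yandex session, while the uncategorised lookalike site is where selective TLS inspection actually earns its keep.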