Stopping Destructive Ransomware With An Aardvark

By Paul Hirsch, Senior Network Engineer

For the past few years, cyber criminals have been using more and more “ransomware” to extract money from victims directly. In 2013, with the advent of CryptoLocker, things got much worse. Instead of rendering single machines useless, CryptoLocker and similar malware puts the infected machine to work locking up customer files and data or replacing files with infected impostors. These infections usually result in costly downtime and require going to backups to restore files. (You have good backups, right?)

A solid application aware Internet firewall, good antivirus/anti-malware software, a good spam filter, and a healthy dose of mistrust for links and files you are not expecting will usually stave off malware. But what if something sneaks through? That is where Citon’s latest creation, the CryptoLocker Aardvark, comes in.

CryptoLocker Aardvark runs on your company file servers and monitors dummy Word, Excel, PDF, and other files collectively known as “The Aardvarks In The Coalmine”. (“Aardvark” since most malware still scans alphabeticaly, so it will hit a dummy file named “aardvark.doc” before moving on to real data.) If any aspect of the “Aardvarks In The Coalmine” change, (file size, change time, content, etc), the CrytpLocker Aardvark service immediately shuts down all file sharing on the server and sends email alerts to administrators notifying them of the untimely demise of a virtual aardvark.

By shutting down file sharing quickly, damage to files is kept to a minimum. The email alert ensures that administrators can take quick action to get infected machines off the network then safely re-enable file sharing on your servers. Instead of the usual hours or days to detect, the problem is contained on the network in 30 seconds or less and resolved efficiently with minimal impact to users or loss of data.

Would you like to add Citon CryptoLocker Aardvark to your network’s autoimmune system? Contact Citon to find out how!