Averting a CryptoLocker crisis - 1-Fix

1-Fix Limited

The Blog

Averting a CryptoLocker crisis

Averting a CryptoLocker crisis

Last Friday we had a call from one of our larger clients who were having issues opening up some documents on their computer. “All my files seem to have changed to .encrypted extensions” exclaimed the staff member, and our technician Tom’s face dropped as he realised our worst nightmare – one of our clients has been hit by CryptoLocker.

If you’re not aware of CryptoLocker and how nasty it can be, we wrote a blog about it when it first appeared on the scene. Luckily our technicians are well versed in this nasty infection, and despite having never seen it infect any of our clients, we managed to take a number of steps to avert a serious crisis. The tale below explains what we did, what we found, and the key learnings from this infection. Hopefully this will help other IT professionals in managing a similar crisis, and business owners should pay attention to our end recommendations on how to avoid this kind of nightmare scenario!

Swift actions can save files!

Firstly, upon hearing the words ‘encrypted files’, Tom’s first action was to get the client to shut down their computers – all of them – and their server. Although this put the client out of action for a short period, it was a crucial first step as the CryptoLocker virus will work to encrypt any files it can find so shutting everything down made the recovery quicker by stopping the virus in it’s tracks.

Once we had the systems offline, we needed to identify which computer(s) had been infected with the virus. Due to the way CryptoLocker works, it was unlikely to be more than a single machine in the company that actually hosted the virus, and this machine would be accessing all the shared drives and trying to encrypt the files.

Tracking down the infected machine

We knew from experience that the likely way into the network was via e-mails, and 6 months ago when these threats first appeared we locked down all of our clients with Office 365 e-mail hosting to reject any executable e-mail attachments (including zip files with executable contents). With this in mind, we were pretty sure that the CryptoLocker infection must have been delivered via a web download.

Our next step was to investigate the Untangle server which we’d installed for our client at the beginning of the year. Untangle is a fantastic firewall, which includes anti-virus scanning and internet filtering. The first thing we did was to look at the virus/quarantine section to see if anything had been picked up – which it hadn’t been. We then looked at the scan events log, which showed any downloaded files (infected or clean) for the computers. We quickly saw a batch of strange downloading activity that had started around 30 minutes earlier, from one particular computer to an odd Russian web address. We inspected the file that was downloaded and discovered it was called something similar to track_141944.zip – a clear indication that this was in fact a virus (CryptoLocker is often delivered by spam e-mails claiming to have a tracking number for you, or an invoice).

Once we knew which system was infected, we brought all the other machines back online. At this point, we kept an eye on the server to ensure no more files were being encrypted.

The total down-time suffered by the client was around 45 minutes for all the machines except the infected machine which had to stay switched off. The infected machine was kept offline, and was then cleaned up without being re-connected to the company network.

Had we not have had the Untangle appliance in place, we’d have had to spend hours checking each computer to see which was harboring the infection – which would have been very costly in terms of lost productivity for the client.

Recovering files

The infection had encrypted around 4,000 documents on the server, and had removed any ability to view ‘volume shadow copies’ (previous file versions) so we had to restore all the infected files from the previous night’s back-up.

Had we not had a solid regular back-up, the files would likely have been lost forever.

Did the machines not have any protection? How did the threat get on the system in the first place?

This was the most worrying aspect for us. When we first heard of CryptoLocker we took a range of steps to reduce all of our client’s chances of being infected. This particular client had the following security features in place which were all beaten:

  • The e-mail spam filtering (Microsoft Forefront on Office 365) didn’t block the e-mail as spam
  • Untangle firewall appliance didn’t classify the web URL linked to in the e-mail as a malware site
  • Untangle firewall appliance scanned the downloaded file and passed it as a clean file
  • Local A/V on the machine (GFI Vipre) didn’t detect the file as a threat
  • HitmanPro Alert 2.6.5 didn’t pick up the CryptoLocker infection, and didn’t block the attack on the filesystem

Having seen the list above, you may be wondering why these multiple methods failed. Well, we downloaded the attachment that contained the CryptoLocker threat and uploaded it to VirusTotal which is a site that uses 55 anti-virus products to scan the file and produces a report on how many systems report the file as a virus. The file was only detected as a threat on 5 out of the 55 anti-virus systems – meaning that it was likely a brand new variant of the CryptoLocker threat. This also explains why the firewall didn’t detect the virus on entry, and the local anti-virus didn’t stop it either.

What your business needs to have in-place to recover quickly from these threats

Firstly, although it failed in this instance, a good desktop anti-virus program is essential.

Secondly, you need a decent firewall. We love Untangle as it’s reporting is so powerful and simple to use. This literally saved our clients from thousands of pounds of lost revenue by allowing us to pinpoint which computer was infected quickly. If you don’t have a firewall that produces solid logs, finding the infected computer can be like finding a needle in a haystack.

Thirdly, you must have a decent back-up. This is so important that we can’t stress it enough! The back-up should be using a system that doesn’t just store a copy of your files on an external drive in the same format as they are on the PC/server. Otherwise, if the machine that has the back-up drive connected gets CryptoLocker, the back-up files will also be encrypted. The built in Windows Server Backup is fine, and was what we used on this occasion.

Finally, you must educate (and re-educate) your staff as to what e-mails shouldn’t be trusted. This particular e-mail that spread the CryptoLocker infection was supposedly a message from Royal Mail explaining that a parcel had been mis-delivered and that they should click the link to download the tracking note. Closer inspection of the e-mail would have revealed mis-spellings, ‘odd’ language and the strange web-link that didn’t appear to look legitimate. Unfortunately, this particular end-user missed the signs and clicked the link… and the rest is history!

Need some help getting secured?

We’re offering free 1 month trials of the Untangle firewall system. Get in contact with us, and we can arrange for a time to come and install this at your office and show you the benefits of filtering, internet control and solid reporting. We also offer CryptoLocker proof cloud back-up solutions for businesses who prefer to have an automatic back-up in place.

Replies

Jerry Scroggin replied on 27/05/2015 |

Great read on crypto and how to recover. I have a question. Do you have a policy in place for your customers to somehow have a backup off site just in case a critter crashes your backups and you need to recover?
thx and again great read.
Jerry

Craig replied on 27/05/2015 |

Thanks Jerry.
Pretty much all of our managed service clients have our cloud back-up, which is managed in such a way that it’s ‘Crypto-proof’. However, we don’t put a policy in place specifically mandating a cloud back-up as well as local, we just strongly suggest it.
Craig

Leave a Reply

Your email address will not be published. Required fields are marked *