I was recently on site with a client who had suffered an attack from the CryptoLocker virus, a variant of the infamous family of viruses known as “Ransomware”. Ransomware viruses are usually spread by malicious email attachments or are hidden inside seemingly innocuous downloads like free games or “fun” utilities. Once you open the email attachment or start the hijacked application, the Ransomware code executes and the attack on your computer begins.
What happens next is absolutely horrible. First the Ransomware deletes all of your stored Windows backups / recovery images and attempts to disable virus scanners and backup utilities. Next it moves through all of the folders on your computer and systematically encrypts your files with a strong encryption algorithm, effectively scrambling the data and making it impossible to read. Finally a ransom note is copied into numerous folders on the computer, stating that the virus will only release the encryption key to unlock your files if a ransom of £### pounds is paid via the hacker’s website. To make things even worse, the virus also attacks files stored on USB and external drives attached to the computer, so in the case of this client their backup drive (which was connected at the time) was encrypted along with the computer, leaving no copies of the data to restore.
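The two after-the-fact signs described above, ransom notes dropped into many folders and files whose contents have been scrambled, are also the simplest things to check for from a backup server or a file share. The script below is an added example, not code from the original post: it walks a directory tree, counts how many folders contain a ransom note, and flags files whose bytes look like ciphertext using Shannon entropy. The note filenames, the entropy threshold and the sample directory it builds are all constructed for the demonstration and are not taken from any real malware family.

```python
import math
import os
import tempfile
from collections import Counter

# Constructed ransom-note filenames for the demonstration; real families use
# their own names, so a production check would carry a maintained list.
RANSOM_NOTE_NAMES = {"DECRYPT_INSTRUCTIONS.txt", "HOW_TO_RECOVER_FILES.html"}

# Ciphertext has a near-uniform byte distribution (close to 8 bits per byte);
# plain text and most office documents sit well below this assumed threshold.
HIGH_ENTROPY_BITS = 7.5
MIN_SAMPLE_BYTES = 512


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def scan_tree(root: str) -> dict:
    """Walk `root` and report the two indicators from the post:
    ransom notes present in multiple folders, and files whose leading
    bytes are indistinguishable from random data (i.e. encrypted)."""
    note_dirs = set()
    suspicious_files = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name in RANSOM_NOTE_NAMES:
                note_dirs.add(dirpath)
                continue
            try:
                with open(path, "rb") as fh:
                    sample = fh.read(4096)  # only the first block is needed
            except OSError:
                continue
            if len(sample) >= MIN_SAMPLE_BYTES and shannon_entropy(sample) >= HIGH_ENTROPY_BITS:
                suspicious_files.append(path)
    return {
        "note_dirs": sorted(note_dirs),
        "suspicious_files": sorted(suspicious_files),
        # Require both signals: notes in several folders AND scrambled files.
        "likely_ransomware": len(note_dirs) >= 2 and len(suspicious_files) > 0,
    }


def build_sample_tree() -> str:
    """Construct a throwaway directory mimicking the post-infection state."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    os.makedirs(os.path.join(root, "Documents"))
    os.makedirs(os.path.join(root, "Photos"))
    # An untouched plaintext file: low entropy, should not be flagged.
    with open(os.path.join(root, "Documents", "notes.txt"), "w") as fh:
        fh.write("quarterly figures and meeting minutes\n" * 40)
    # Two "encrypted" files: random bytes stand in for ciphertext.
    for name in ("report.docx.encrypted", os.path.join("Photos", "holiday.jpg.encrypted")):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(os.urandom(4096))
    # The ransom note copied into several folders, as the post describes.
    for folder in ("", "Documents", "Photos"):
        with open(os.path.join(root, folder, "DECRYPT_INSTRUCTIONS.txt"), "w") as fh:
            fh.write("Your files have been encrypted. Pay to recover them.\n")
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

Entropy on its own is a noisy signal: already-compressed formats such as JPEG, ZIP and modern Office documents also score close to 8 bits per byte, which is why the verdict here requires the note-in-many-folders signal as well. On a real share the useful version of this check runs on a schedule against the backup target, so that a backup job is paused before it overwrites good copies with encrypted ones.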
Whilst it is possible, easy in fact, to remove the Ransomware virus following an infection, in most cases it is impossible to recover the encrypted files without the encryption key. This is because the encryption algorithm used to scramble the files is the same kind used to secure your online banking and to protect your computer passwords, so it is designed to be completely impregnable to attack unless the correct key is supplied.
You can take your chances and pay the ransom in the hope that the hackers will provide your encryption key, but you’re dealing with a criminal gang, so there is absolutely no guarantee that they will return the key when you pay. In some cases it is possible to get the files back using specialist recovery tools, but that is not the case for every variant of the virus, and certainly in the case of this client it was not a possibility.
So what can be done?
Unfortunately, once the attack has happened, the answer is: “Not very much”. However, there are lots of things you can do BEFORE you are infected to ensure that a Ransomware attack is just a minor inconvenience rather than a serious problem. These steps include:
One thing you should note about all of the above points is that they are inexpensive solutions, mainly requiring just time or proper training. Also remember that storage has never been cheaper than it is now, and a small investment today could prevent an absolute catastrophe further down the line. This client did not have proper backups, and this week they are facing the reality that a large amount of their important company files are lost forever.
If you want any help with backups or security then contact us today.