I was recently on site with a client who had suffered an attack from the CryptoLocker virus, a variant of the infamous family of viruses known as “Ransomware”. Ransomware viruses are usually spread by malicious email attachments or are hidden inside seemingly innocuous downloads like free games or “fun” utilities. Once you open the email attachment or start the hijacked application, the Ransomware code executes and the attack on your computer begins.
What happens next is absolutely horrible. First, the Ransomware will delete all of your stored Windows backups / recovery images and will attempt to disable virus scanners and backup utilities. Next, it moves through all of the folders on your computer and systematically encrypts your files with a strong encryption algorithm, effectively scrambling the data and making it impossible to read. Finally, a ransom note is copied to numerous folders on the computer, stating that the virus will only release the encryption key to unlock your files if a ransom of £### pounds is paid via the hacker’s website. To make things even worse, the virus will also attack files stored on USB and external drives attached to the computer, so in the case of this client their backup drive (which was connected at the time) was also encrypted along with the computer, leaving no copies of the data to restore.
Whilst it is possible – easy in fact – to remove the Ransomware virus following an infection, in most cases it is impossible to recover the encrypted files without the encryption key. This is because the encryption algorithm used to scramble the files is the same system used to secure your on-line banking and to protect your computer passwords, so it is designed to be completely impregnable to attack unless the correct keys are given.
You can take your chances and pay the ransom in the hope that the hackers will provide your encryption key but you’re dealing with a criminal gang so there is absolutely no guarantee that they will return the key when you pay. In some cases it is possible to get the files back using specialist recovery tools but that is not the case for every variant of the virus and certainly in the case of this client that was not a possibility.
So what can be done?
Unfortunately once the attack has happened the answer is: “Not very much”. However there are lots of things you can do BEFORE you are infected to ensure that a Ransomware attack is just a minor inconvenience rather than a serious problem. These steps include:
Put a complete backup system in place, with all computers and servers backed up to a network location and with daily off-site backups of your important company data. With a proper backup system you should only ever risk losing a few hours' work, no matter how badly you are attacked.
Educate your staff and make them aware of the dangers of malware. With these kinds of viruses you are only ever at risk if someone clicks something that they shouldn’t. Remind your staff never to open an email attachment unless it’s from a trusted sender and the document is either expected or in keeping with the habits of the sender. Also ask them never to install software onto a computer unless it’s been checked by your IT support team first (if you are on a corporate domain then these settings can be restricted with Group Policy). Finally, make sure that they store important data in a location which is protected and backed up, like a company file server or cloud storage such as Google Drive or Dropbox – there is never a reason to store important company data on a PC or laptop.
Ensure that you have virus scanners installed on all PCs and make sure that they are kept up-to-date. Also ensure that you have the latest Windows Updates installed so you are protected by the latest security fixes.
If you are committed to using a USB drive to make backups then buy two drives and alternate them on different days (e.g. use drive one on Monday, drive two on Tuesday, drive one on Wednesday, etc.). In this way, even if one drive becomes infected you can always roll back to the other one.
One thing you should note about all of the above points is that they are inexpensive solutions, mainly just requiring time or proper training. Also remember that storage has never been cheaper than it is now, and a small investment today could prevent an absolute catastrophe further down the line. This client did not have proper backups, and this week they are facing the reality that a large number of their important company files are lost forever.
If you want any help with backups or security then contact us today.