How Backup Computing Saved the Day for a Customer.

And some thoughts on how to prevent it. Backup Computing is there to assist you in implementing these steps. With our suite of services, partners, and years of experience we can design and implement the plan you need.

(Parts of the following are taken and heavily modified from a presentation by Charles P. Jefferies, "The Guide to CryptoLocker Prevention and Removal".)

An introduction to CryptoLocker: the basics (Note: there are literally thousands of variants of this kind of software, under many names, that do basically the same thing this one particular strain does.)

CryptoLocker is a type of malicious software (known as malware, or more specifically ransomware) that makes data on your computer (documents, pictures, music and so on) unreadable by encrypting it using RSA-2048 keys; it then demands payment to decrypt it. Once you pay (usually to the tune of several hundred dollars, usually in untraceable Bitcoin), you get a key that allows you to get your files back (maybe). The ransomware even puts a deadline on how long you have to pay the ransom. CryptoLocker usually finds its way onto computers via email attachments, many times in a Word or Excel document in which macros are enabled.

Additionally, many CryptoLocker variants now go after attached network shares as well. This includes USB drives that many people use to back up files, servers, network storage, and even shares on other desktops. So not only is the originally infected machine damaged, but the damage spreads across the network to everything that machine can write to.
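Because the damage lands on whatever the infected machine can write to, the share itself is the place to watch. The script below is an added example (not Backup Computing's code) of the two marks a mass-encryption event leaves on a share: files whose leading bytes no longer match what their extension promises, and text-like files whose contents look like random data. It also plants a canary file with a known hash, which is the cheapest early alarm: if the canary changes, the share should be taken offline. The file names, contents and the signature table are constructed for the example.

```python
"""Canary-file and content checks for a backed-up share.

Added example, not Backup Computing's code. A mass-encryption event on a
share leaves two marks this script looks for: files whose first bytes no
longer match what their extension promises (an .xlsx or .docx is a ZIP,
a PDF starts with %PDF), and text-like files whose bytes are close to the
8 bits/byte of random data. A planted canary file with a known hash is the
cheapest early alarm of all: if it changes, stop the share.
"""
import hashlib
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Leading bytes of common formats. Constructed table for the example, not
# a complete list; an extension missing here is reported as "unknown".
MAGIC = {
    ".xlsx": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF", ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
}
ENTROPY_ALARM = 7.5   # bits per byte; random or encrypted data sits near 8.0
SAMPLE = 4096         # bytes examined per file
CANARY = "_canary_do_not_edit.txt"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def magic_status(path: Path, head: bytes) -> str:
    expected = MAGIC.get(path.suffix.lower())
    if expected is None:
        return "unknown"
    return "ok" if head.startswith(expected) else "mismatch"


def plant_canary(share: Path) -> str:
    """Write the canary and return its SHA-256, to be kept off the share."""
    canary = share / CANARY
    canary.write_bytes(b"canary: if this file changes, stop the share and call support\n")
    return hashlib.sha256(canary.read_bytes()).hexdigest()


def canary_intact(share: Path, expected_sha256: str) -> bool:
    canary = share / CANARY
    if not canary.exists():
        return False  # deleted or renamed counts as tampering too
    return hashlib.sha256(canary.read_bytes()).hexdigest() == expected_sha256


def scan_share(share: Path) -> dict:
    """Per-file findings plus an alarm flag for the whole share."""
    findings = []
    for path in sorted(p for p in share.rglob("*") if p.is_file()):
        head = path.read_bytes()[:SAMPLE]
        ent = shannon_entropy(head)
        status = magic_status(path, head)
        # Compressed formats (ZIP-based Office files, JPEG, PNG) are high
        # entropy by nature, so for them only the signature check counts;
        # entropy decides for extensions we have no signature for.
        suspicious = status == "mismatch" or (status == "unknown" and ent >= ENTROPY_ALARM)
        findings.append({"file": path.name, "magic": status,
                         "entropy": round(ent, 2), "suspicious": suspicious})
    flagged = sum(1 for f in findings if f["suspicious"])
    return {"files": findings, "total": len(findings), "flagged": flagged,
            "alarm": flagged > 0}


def run_demo() -> dict:
    """Build a constructed share, scan it clean, damage it, scan again."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        (share / "report.txt").write_text("Quarterly numbers look fine.\n" * 40)
        (share / "invoice.pdf").write_bytes(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 20)
        (share / "sheet.xlsx").write_bytes(b"PK\x03\x04" + b"xl/workbook.xml" * 30)
        canary_hash = plant_canary(share)
        clean, clean_canary = scan_share(share), canary_intact(share, canary_hash)
        # Constructed stand-in for what an encryptor leaves behind: same
        # names, contents replaced by pseudo-random bytes.
        rng = random.Random(7)
        junk = bytes(rng.getrandbits(8) for _ in range(SAMPLE))
        for name in ("report.txt", "invoice.pdf", CANARY):
            (share / name).write_bytes(junk)
        damaged, damaged_canary = scan_share(share), canary_intact(share, canary_hash)
    return {"clean": clean, "clean_canary": clean_canary,
            "damaged": damaged, "damaged_canary": damaged_canary}


if __name__ == "__main__":
    result = run_demo()
    for label in ("clean", "damaged"):
        print(label, "alarm" if result[label]["alarm"] else "ok",
              f'{result[label]["flagged"]}/{result[label]["total"]} files flagged')
```

Run it on a NAS share from a scheduled task, keep the canary hash somewhere the share cannot reach, and treat any alarm as the cue to pull the network cable, which is the first step of the removal section below.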


A Real-Life Example

Last November (2016) a customer opened an email that he thought was from one of his banks. There was an attachment, which he proceeded to open in Microsoft Excel. He was prompted and asked if he wanted to enable macros for the document, which he proceeded to say yes to. The file opened and didn't seem to have much info in it, so he closed the file, finished a couple of emails and left for the night. Later the next day, after running around, he tried to open a couple of files to do some further work and couldn't get them to open. He also had a nice pop-up on the screen telling him he had a problem and that if he wanted his files back he would need to pay a ransom. He called Backup Computing asking for help.

I then spent the next 3 hours figuring out exactly what had happened and investigating the virus he got. Once I finally got the sequence of events from him it was immediately obvious what had happened. He was infected. Part of the reason it took me three hours was to also figure out what else was corrupted. The entire NAS of all his business files was corrupt. The entire computer and attached drives were corrupt. His accounting database and most zipped backups were corrupted. Luckily the other main computer in the office did not have an open share, so the files on it were not corrupted.

It took me about an hour to finally kill off the infection. I ended up using an off-the-shelf anti-virus (DO NOTE it only nailed about half the virus!); I had to deploy a couple of my low-level infection killers to finally nail the last parts buried in the registry, Windows system folders, and a couple of other locations.

Next, it ended up taking another 4 hours to get his data back. First I recovered the NAS, after making a copy of all the files just in case we had to pay the ransom. It took about 15 minutes to copy all the files back from the cloud and recover the corrupted files. (Why it took so short a time was that Backup Computing had deployed one of its NAS units with integrated backups on-site.) It turns out that the staff had NOT been backing up the accounting database to the NAS, so we were in trouble. The customer, through mistakes, had not used the planned backup routines. We did a system restore to wipe out any remaining possible corruption of the programs. And with some fancy footwork I was able to recover the accounting data using the Backup Computing-deployed NAS, only losing about 2 weeks of data instead of the better part of 9 months' worth.

Long story short, the customer was very happy he had used Backup Computing to protect his data!
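The recovery above worked because the NAS held copies the infected machine could not overwrite, and failed where it failed because one database had never been backed up. The store below is an added example (not Backup Computing's product) of the one property a backup needs for this: a sync of an encrypted file must add a new version, never replace the last good one. Every run records each file's SHA-256 under a timestamp, content is stored by hash and never overwritten, and a restore asks for the share as of a moment in time. A run in which most files change at once is what an encryption event looks like from the backup's side, so each run reports that too. The file names and contents are constructed.

```python
"""Point-in-time versioned backup, as an added example.

Not Backup Computing's product; the smallest store with the property the
backup and versioning tips on this page ask for. A sync client will copy
an encrypted file over the good one, so a backup is only useful if it keeps
earlier versions. Here every run records each file's SHA-256 under a
timestamp, content is stored by hash and never overwritten, and a restore
asks for the state as of a moment in time. A run in which most files change
at once is reported as a mass change. All file contents are constructed.
"""
import hashlib
import random
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

MASS_CHANGE = 0.5  # fraction of files changed in one run that should raise an eyebrow


class VersionedStore:
    def __init__(self, root: Path):
        self.objects = root / "objects"
        self.objects.mkdir(parents=True, exist_ok=True)
        self.runs: List[Tuple[int, Dict[str, str]]] = []  # (timestamp, {relpath: sha256})

    def backup(self, source: Path, timestamp: int) -> dict:
        """Record one run. Old objects are never touched, only new ones added."""
        manifest: Dict[str, str] = {}
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            data = path.read_bytes()
            digest = hashlib.sha256(data).hexdigest()
            obj = self.objects / digest
            if not obj.exists():
                obj.write_bytes(data)
            manifest[str(path.relative_to(source))] = digest
        previous = self.runs[-1][1] if self.runs else {}
        changed = sum(1 for rel, digest in manifest.items() if previous.get(rel) != digest)
        self.runs.append((timestamp, manifest))
        ratio = changed / len(manifest) if manifest else 0.0
        return {"files": len(manifest), "changed": changed,
                "mass_change": bool(previous) and ratio >= MASS_CHANGE}

    def manifest_at(self, timestamp: int) -> Dict[str, str]:
        """File -> hash as of the latest run not after `timestamp`."""
        state: Dict[str, str] = {}
        for run_time, manifest in self.runs:
            if run_time <= timestamp:
                state = manifest
        return state

    def restore(self, timestamp: int, target: Path) -> int:
        """Write the share as it was at `timestamp` into `target`; return file count."""
        manifest = self.manifest_at(timestamp)
        for rel, digest in manifest.items():
            out = target / rel
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes((self.objects / digest).read_bytes())
        return len(manifest)


def run_demo() -> dict:
    """Three runs: good state, one normal edit, then everything encrypted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        share, restore_dir = root / "share", root / "restore"
        share.mkdir()
        (share / "ledger.csv").write_text("date,amount\n2016-11-01,120.00\n")
        (share / "notes.txt").write_text("call supplier about invoice\n")
        (share / "contacts.csv").write_text("name,phone\nSupplier,555-0100\n")
        store = VersionedStore(root / "store")
        run1 = store.backup(share, timestamp=100)
        (share / "notes.txt").write_text("call supplier about invoice\nDONE\n")
        run2 = store.backup(share, timestamp=200)
        # Constructed stand-in for the encryptor's work: every file replaced by
        # pseudo-random bytes, after which the scheduled backup runs again.
        rng = random.Random(1)
        for path in share.iterdir():
            path.write_bytes(bytes(rng.getrandbits(8) for _ in range(512)))
        run3 = store.backup(share, timestamp=300)
        restored = store.restore(timestamp=250, target=restore_dir)  # just before run3
        ledger = (restore_dir / "ledger.csv").read_text()
        notes = (restore_dir / "notes.txt").read_text()
    return {"run1": run1, "run2": run2, "run3": run3,
            "restored": restored, "ledger": ledger, "notes": notes}


if __name__ == "__main__":
    r = run_demo()
    print("runs:", r["run1"], r["run2"], r["run3"])
    print("restored", r["restored"], "files; notes as of t=250:", repr(r["notes"]))
```

The third run stores the encrypted junk as new objects but leaves the earlier ones untouched, which is why a restore to any point before it still returns clean files; a plain mirror or a sync folder without versioning has nothing to go back to.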


Removing the CryptoLocker malware

What if it’s too late and you’ve already been infected? If your files have been encrypted, you’re unfortunately out of luck. The files are encrypted in such a way that it’s all but impossible to decrypt them (unless you pay the ransom, in which case you may regain access to your files). Paying the ransom DOES NOT guarantee you will be able to decrypt them. It usually does (roughly 40% of the time it works these days!) but not always. There usually isn't a way to know for sure until you pay.

Before you do anything else, isolate the machine from the network immediately. Then remove the CryptoLocker malware. There are several ways to do this; you can do it yourself or, better, have someone like Backup Computing do it for you to make sure you get every part of the virus. Note that this process removes the CryptoLocker malware itself; it does not undo the encryption of your files.

So how do you protect yourself?

Prevention is key. Here are some tips to help prevent infection and make recovery easier and less expensive.

  1. Get and use a cloud or off-site backup solution. Back up continuously, and at least several times a day. It's important to have it off-site: as noted above, the malware will corrupt local data and attached devices. USB drives are great, but they are vulnerable.
     Backup Computing devices meet and exceed these requirements!
  2. Use an image-based backup solution like the one provided by Backup Computing. Image-based backups allow a complete restoration to the state before the infection, with the ability to virtualize the recovered system while recovery runs so your business operations are not impacted.
  3. Always double-check the sender of any email you receive, and if you don't know the sender, proceed with caution. Even if you know the sender, be suspicious if the email is not what you would expect from them. It's incredibly easy to spoof email information. Almost all scammers use spoofing to get you to open the link or attachment and execute the infection.
  4. Never open email attachments unless you know exactly what the attachment is and you are expecting an attachment from that person. This is one place where using a file-sharing service to send attachments is a better and safer way to proceed.
     Backup Computing can provide this as well, and it's free for the first year!
  5. Don't click on links within emails unless you know where the link is going. HINT: mouse over the link WITHOUT clicking on it and look in the lower left corner (usually) to see where the link is actually taking you. Better yet, don't click the link at all; open your browser and go to the site directly. Doing so will prevent most hijacked and spoofed links.
  6. Install reputable anti-virus software that has on-demand scanning. Most of the well-known anti-virus software out there is effective in preventing about 35-40% of infections. Do NOT depend on it to stop malware. In fact, the industry itself says these products are almost useless these days.
     Backup Computing uses and deploys a much better solution that is almost 100% effective, without the system hogging that most of the well-known ones do.
  7. Schedule your anti-virus software to automatically run scans at least once per week. Helpful, but if the virus has already gotten on and executed this is pretty useless, except to slow your desktop or server way down for an hour or two while it runs.
     With Backup Computing's offering there is no need: it runs continuously, checking everything, and blocks most attacks before they even reach your computer.
  8. If you use cloud services such as Microsoft Cloud, 365, Google Docs, etc., consider investing in a cloud-to-cloud secure backup solution such as Backup Computing can provide.
  9. Make sure your file-syncing software, such as Google Drive, Dropbox, and others, has a way to provide versioning, as these may end up syncing the corrupted files! Not all services provide secure versioning and backup. Make sure yours do, or are backed up some other way.
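The tips above about checking the sender, the attachment and where a link really goes can be done by hand, and they can also be done by a script before a message reaches anyone's inbox. The example below is added here and is not Backup Computing's code; it parses a raw message with Python's standard `email` library and reports three things: a Reply-To that points somewhere other than the claimed sender, an attachment in a format that can carry macros (the legacy .doc/.xls formats and the "m" variants; plain .docx/.xlsx cannot hold macros), and a link whose visible text names a different site than the address it opens. Every address, host name and message body is constructed for the example.

```python
"""Triage checks for an incoming e-mail.

Added example, not Backup Computing's code. It turns three of the tips on
this page into checks a mail gateway or a curious admin could run on a raw
message: does Reply-To point somewhere other than the claimed sender, does
an attachment use a format that can carry macros, and does a link's visible
text name a different site than the address it actually opens. Every
address, host and message here is constructed for the example.
"""
import email
import email.policy
import re
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Office formats that can carry VBA macros: the legacy binary formats and
# the "m" variants. Plain .docx/.xlsx cannot hold macros.
MACRO_CAPABLE = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
# A host name written out in link text, with or without a scheme or www.
HOST_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def link_mismatch(href: str, text: str):
    """(shown_host, real_host) if the text names a site the href does not go to."""
    m = HOST_RE.search(text)
    real = (urlparse(href).hostname or "").lower()
    if not m or not real:
        return None
    shown = m.group(1).lower()
    real = real[4:] if real.startswith("www.") else real
    return None if real == shown or real.endswith("." + shown) else (shown, real)


def triage(raw: bytes) -> dict:
    """Parse a raw message and list the reasons to distrust it."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    from_domain = domain_of(parseaddr(str(msg.get("From", "")))[1])
    reply_domain = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain}, not the sender's {from_domain}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in MACRO_CAPABLE:
            findings.append(f"attachment {name} is a macro-capable {ext} file")
    links = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _Anchors()
        parser.feed(body.get_content())
        links = parser.links
        for href, text in links:
            mm = link_mismatch(href, text)
            if mm:
                findings.append(f"link text shows {mm[0]} but it opens {mm[1]}")
    return {"from_domain": from_domain, "links": links,
            "findings": findings, "risky": bool(findings)}


def sample_message() -> bytes:
    """Constructed lure for the example: dressed up as a bank, is not one."""
    html = ('<p>Your statement is ready.</p><p><a href="http://login.example-bank-secure.net/verify">'
            'https://www.examplebank.com/login</a></p>')
    msg = EmailMessage()
    msg["From"] = "Example Bank Alerts <alerts@examplebank.com>"
    msg["Reply-To"] = "billing@mailer-example.net"
    msg["To"] = "owner@smallbiz.example"
    msg["Subject"] = "Action required: October statement"
    msg.set_content("Your statement is attached. Enable content to view it.")
    msg.add_alternative(html, subtype="html")
    msg.add_attachment(b"PK\x03\x04 placeholder bytes, not a real workbook",
                       maintype="application", subtype="vnd.ms-excel.sheet.macroEnabled.12",
                       filename="Statement_Oct.xlsm")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage(sample_message())["findings"]:
        print("-", line)
```

The `links` list in the result is worth showing to the user even when nothing is flagged: it is the same information the "mouse over the link" hint reveals, collected for every link in the message at once. The macro check is by file name only, which is enough to warn; a gateway that wants to be certain would also inspect the container for a VBA project.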


Conclusion

The moral of the story is that while the CryptoLocker malware itself can be removed easily enough, the damage it does cannot be, so prevention is crucial. Be wary of emails and attachments that are sent to you, and have appropriate backups in place.


Backup Computing has solutions for all types of businesses and we would be more than willing to help you find a solution that works best for you.

Contact Us Today!

Backup Computing
Marysville, 98270

Phone: +1 425 268.8019

support@backupcomputing.net

© 2018 Backup Computing. Report errors to webmaster@backupcomputing.net.