CryptoLocker - It couldn't possibly happen to you...
You stroll into work one morning without a care in the world, you fire up your computer, get yourself a coffee and then settle down to work. You decide the first task of the day is to finish the report you started yesterday and go to open the file you saved last night. You find that the file won’t open, it’s still there but it just refuses to open. You then try other files you were working on yesterday but they won’t open either. You try different files in different places and still no joy. You are starting to get a little desperate now and try a different company drive but still nothing will open.
That icy fear starts to grow and you start to think you have lost all your data, when you suddenly remember your back-ups. You and your IT people try and restore the files but the back-ups seem to have been got at as well. You can’t even get into your documents on Dropbox, as they seem to have gone the same way. This is beginning to get very scary.
A screen then pops up on your computer telling you that you have 3 days to pay $300 in MoneyPak vouchers or Bitcoin; otherwise the key needed to unlock your files will be destroyed and they will be lost for good.
Welcome to CryptoLocker, malware that encrypts the files on the computer it infects, and on any drive it can reach from there, and demands a ransom for the key needed to restore them. It is the latest in what is known as ‘ransomware’.
So do you pay up, given that the encryption used on your files cannot realistically be broken without the attackers' key? What is the impact on your organisation if you are unable to access any of your files and they are effectively lost for good?
This is not an apocryphal story or urban myth. It actually happened to a colleague’s company last week.
One of the members of staff read an innocent-looking email, which contained a zip file that contained the ransomware. It infected her machine. The software then went on to encrypt all the files on her computer, including the Dropbox files she shared with me. It then moved on to the network drives she had access to, encrypted all of those and then asked for the ransom. Luckily the company was able to restore the files from back-up. The only near miss was that the back-ups were on another company drive. If the person with the infected computer had had access to the back-up drive, then all the back-ups would have been encrypted. This would have meant that the company would have lost most of their data or been forced to pay the ransom.
And the lessons from this…
1. Although the company had anti-virus protection, they are not convinced of how good it was or how often its updates were being downloaded. Make sure your anti-virus software is up to date, that signature updates are actually arriving on every machine, and that somebody checks this rather than assuming it. Do you really want to trust your key company data to free anti-virus software, which usually gives you no central management or reporting to check with? You get what you pay for, and it may be worth paying for.
2. However good your anti-virus software, the criminals carrying out these attacks constantly repack and modify their malware so that it is not recognised. No matter how good your software, there is no guarantee it will catch everything, so make sure you train your staff to recognise suspicious emails: in this case, an unexpected zip attachment. Windows hides file extensions by default, so an executable dressed up as a document inside an archive is easy to miss; turning extensions on helps people spot it.
3. If you have a major IT issue, where you need specialist help to resolve it, do you know where to find help? With the clock ticking, you don’t want to be scrabbling about trying to find a company who will come to your aid. Identify a suitable company early, build a relationship with them, spend some money with them and then when you call in times of emergency they will give you immediate assistance.
4. Do not underestimate how time-consuming it is to sort out one of these incidents. Computers have to be disinfected, calls have to be made, back-ups restored and lost files recreated. This can take days, all of which are non-productive days. Prevention costs far less than the time taken to implement the cure.
5. There is an added dimension: if you share files with a partner, you may have to tell them about the ‘infection’, which can be embarrassing. As more and more collaborative working takes place, more organisations are sharing files using tools such as Dropbox or Google Docs. I shared a Dropbox folder with this company, and so all the shared files on my laptop were encrypted. This suddenly gave me the fear that the virus had encrypted all my company files. Luckily it hadn't. Although it was quite a simple job to identify the locked files and roll Dropbox back to the pre-encrypted versions, this still took me 2-3 hours. More importantly, if you have to tell a key customer that you have encrypted their files, this is greatly embarrassing; it could affect your relationship with them or give them an excuse to stop working with you. It makes you look unprofessional.
6. Lastly, there is the importance of back-ups. If your files are backed up somewhere the malware cannot reach, recovery is simple. You have to think through how you carry out your back-ups. The virus deletes the Windows Volume Shadow Copies on the machine it infects, so you cannot just roll the computer back to before the infection took place. If you back up to a drive that stays connected to the infected laptop or desktop, or to a network share the infected user can write to, the back-up will be encrypted along with everything else and be of no use. If you only back up off-site once a week, you could lose a week's worth of data, so the interval between back-ups should be no longer than the amount of work you are prepared to redo. Keep several generations rather than one: a back-up taken after the infection but before anyone noticed will itself be full of encrypted files, and if it overwrote the only good copy you have nothing to restore.
If all else fails you can pay the money, as long as you can work out how to pay in Bitcoin or MoneyPak vouchers, but there is no guarantee that this will work. The link between your computer and the extortionists' server can be lost, so how do you then find the people to pay the money? They have been known to have their own IT problems and may have lost your key.
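Lessons 5 and 6 above come down to two checks a practitioner would want to automate: telling which files have already been turned into ciphertext (the "still there but won't open" symptom), and making sure a backup job never overwrites its last good copy with those encrypted files. The following is an added example written for this page, not code from the original post or from any backup product. It assumes a small table of file types identified by their leading bytes, an entropy threshold of 7.2 bits per byte for calling a header-less file "encrypted", and a snapshot directory that the source machine cannot write to; the `demo()` function builds its own constructed files in a temporary directory so it runs offline.

```python
"""
Added example, not from the original post: a ransomware-aware backup step.
It flags files whose contents no longer match what their extension
promises, and refuses to overwrite the last good snapshot when the source
already looks encrypted.  File-type table, threshold and the demo layout
are assumptions made for this example.
"""
import math
import os
import shutil
import tempfile
import time
from pathlib import Path

# Leading bytes that common document types start with (assumed table).
# Zip-based formats such as .docx and .xlsx carry the "PK" zip signature.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}
# Bits per byte above which a header-less file is treated as ciphertext;
# random or encrypted data sits close to 8.0.  (Assumed value.)
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty buffer."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path) -> bool:
    """True when a file of a known type has lost its header and its first
    4 KiB look random.  Unknown extensions are never flagged, so formats
    the table does not know cause no false positives."""
    magic = MAGIC.get(path.suffix.lower())
    if magic is None:
        return False
    with open(path, "rb") as f:
        head = f.read(4096)
    if head.startswith(magic):
        return False
    return shannon_entropy(head) > ENTROPY_THRESHOLD


def find_encrypted_files(root) -> list:
    """Walk a tree and return every file that fails looks_encrypted()."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and looks_encrypted(p))


def safe_snapshot(src, dest_root, keep: int = 7) -> Path:
    """Copy src into a new timestamped snapshot under dest_root and prune
    to the newest `keep`, but abort without touching existing snapshots
    if src already holds encrypted-looking files.  dest_root should be
    somewhere the source machine cannot write, or the malware reaches it."""
    bad = find_encrypted_files(src)
    if bad:
        raise RuntimeError(
            f"refusing to back up: {len(bad)} file(s) look encrypted, e.g. {bad[0]}")
    dest_root = Path(dest_root)
    dest_root.mkdir(parents=True, exist_ok=True)
    # Sortable name: wall-clock second plus nanoseconds within it.
    name = time.strftime("%Y%m%dT%H%M%S") + f"-{time.time_ns() % 1_000_000_000:09d}"
    snap = dest_root / name
    shutil.copytree(src, snap)
    for old in sorted(p for p in dest_root.iterdir() if p.is_dir())[:-keep]:
        shutil.rmtree(old)
    return snap


def demo() -> dict:
    """Walk-through on constructed files: a valid PDF is backed up, then
    overwritten with random bytes to mimic what CryptoLocker leaves
    behind; the next backup run must refuse and the old snapshot survive."""
    tmp = Path(tempfile.mkdtemp())
    src, backups = tmp / "src", tmp / "backups"
    src.mkdir()
    (src / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"quarterly figures\n" * 200)
    (src / "notes.txt").write_bytes(os.urandom(4096))  # unknown type: never flagged
    out = {"flagged_before": [p.name for p in find_encrypted_files(src)]}
    snap = safe_snapshot(src, backups, keep=3)
    out["snapshot_ok"] = (snap / "report.pdf").read_bytes().startswith(b"%PDF")
    (src / "report.pdf").write_bytes(os.urandom(4096))  # "encrypted" in place
    out["flagged_after"] = [p.name for p in find_encrypted_files(src)]
    try:
        safe_snapshot(src, backups, keep=3)
        out["refused"] = False
    except RuntimeError:
        out["refused"] = True
    out["good_copy_survives"] = (snap / "report.pdf").read_bytes().startswith(b"%PDF")
    shutil.rmtree(tmp)
    return out


if __name__ == "__main__":
    print(demo())
```

The check is deliberately conservative: a file is only flagged when its extension claims a type the table knows, the expected header is gone, and the bytes look random, which is exactly the combination mass encryption produces and ordinary edits do not. The point of `safe_snapshot` refusing rather than warning is that a scheduled job which quietly copies ciphertext over yesterday's good snapshot is how the "back-ups have been got at as well" scenario above happens even when the backup drive itself was never reachable from the infected machine.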
For all those who work in large corporations, you may be feeling quite smug. Maybe your company doesn’t get spam and has armies of IT people protecting the organisation. Just think, at this moment, your partner or children could be on your home computer about to open a spam email. Do you have all your home files and photographs suitably backed up?