8 April 2014
One of our customers managed to fall victim to the Cryptolocker malware over the weekend. This extremely nasty piece of malware has only one intent: to extort money from you. It does this by silently encrypting all the data files on your PC - e.g. photos, word document, excel files etc, - and network shares, i.e. it also attempts to corrupt files on other systems in your network too! Once it has done this it then displays a message on your screen with an 72 hour count-down timer, demanding 2 'bitcoins', (~$500) to unencrypt your files. If the ransom is not paid during the countdown period the price is hiked up by 10 times, and beyond that your files are unrecoverable. Sources on the Internet suggest that the chances of having your files recovered following payment of the ransom can be very low.
Cryptolocker spreads by email using social engineering techniques. If you are unlucky enough to be infected there is only ONE sure way that you will be able to recover your data and that is from your backup. Unless you have a recent backup you will be facing unrecoverable data loss. It is therefore vitally important to make sure that you have a backup solution in place, you are using it regularly and it is working. Ask yourself: if I woke up this morning and found all my files were unreadable would I be able to easily recover them? Unless you know 100% that the answer to this question is Yes, you need to do something now! If you need help we're here; please call.
Backup, backup, backup!
We've never been a great proponent of cloud based solutions as a primary source of backup. Our fears have been proved true: the affected customer had a cloud based backup solution in place provided by their previous ICT support company. Recovering their data is proving to be difficult, slow, time consuming and therefore expensive. The backup is aslo incompleted. Had they have been doing regular backups with a system similar to our DriveSnapshot / Icybox solution they would have been up and running again within an hour or so! One advantage of cloud based solutions is that they happen automatically whereas local solutions rely on you changing disks or even starting the backup. Be vigilant. Do it! You can never overdo backing up.
As mentioned above having an effective backup system is paramount but how do you stop yourself getting infected in the first place?
- Don't rely on your Antivirus product to protect you! Cryptolocker threats mutate so frequently that the updates from AV vendors are always someway behind them.
- Don't open any email attachments unless you know (i) who sent it AND (ii) you are expecting it. If in any at all doubt don't open it.
Infected email example
Recent malware attacks arrive in emails with zip attachment. I usually just delete these but this morning I thought I would analyse one to establish how serious the threat is. The result, although predictable, was extremely worrying. The email arrived at 10:24.
From: email@example.com (a fictitious email address on our domain)
To: firstname.lastname@example.org (another fictitious email address, it arrived because the 'envelope' address was set to enquires@, an address which forwards to me)
Subject: New Voicemail
Attachment: VoicemailMessage.zip (6KB)
VoicemailMessage.zip contained a file called Voicemail2875.scr extension and has an icon which makes it appear as a .wav i.e. audio file. On most Windows system the .scr file extension will be hidden by default and so there is no clue that the innocent looking wave file is in fact a Windows executable file. Voicemail12875.scr also had a modified date approximately two hours ahead of the current date/time implying that it had been freshly created this morning, probably in an eastern bloc country.
Double clicking on the file (I didn't try this!) will appear to do nothing but silently and invisibly Cryptolocker will install itself on your system. Your fate is sealed :(
Instead I ran a BitDefender AV scan on the file: no threats were found! I also submitted the file to 'Virus Total' (www.virustotal.com), an online site which will analyse a suspect file and run a virus check with the majority of AV vendors.
The detection rate was just 6%.
I submitted the file again at 14:15 this time the detection rate was a little higher at 12%. Periodically throuout the day I resubmitted the file; by my last submission at 17:45 the majority of AV vendors (Bitdefender included) were identifying the malware.
The message is clear: You cannot rely on your antivirus product for complete protection!
If you heed our advice you should not fall victim to this crime. It's a wicked world out there; be vigilant.