I have been recently spending a lot of time with a few clients that have been infected with Crypto locker or the many variants. Crypto Locker, sometimes called Crypto wall, infects computers from multiple different sources such as a hacked website, email attachments or other downloads. Once infected, the software may not run immediately but wait until it’s called upon (zero day attack). Once crypto locker begins it runs at full speed encrypting any and all files that it has access to. This includes network drives as well. The only way a file is safe is, if it is in use or locked, or if the username that the virus is running under (whomever was logged into the infected machine) does not have permission to modify the file. The virus encrypts files with an AES-256 bit encryption algorithm that is impossible (in theory) to break. Usually the virus will leave you with a ransom note stating how much you can pay and where to send payment to for a unlock code. There is no guarantee if you pay you will get your data back. The only 100% sure recovery method is to recover from backup or another backup means.
Some things you can do to protect yourself.
- Maintain a regular backup regimen. Do regular restores to test functionality
- Educate end users to not open email or attachments from unknown parties
- Install and keep up to date an Anti-Virus program. Not all AV platforms will catch crypto locker but its best to have something versus nothing.
- Early detection is key. The sooner you can find the source of the infection the faster you will be able to recover and less damage caused. Again educate your end users.
If you do get Crypto locker. First thing, contact PEI support ASAP. Then, find the infection. Easiest way to do this is to trace back file permissions. Find a list of files affected, and check file permissions. Get a list of users, then move to the next and compare users. Again the virus can only encrypt what it has access to. Check open files or sessions on file servers. Run Malwarebytes anti-virus on affected machines to attempt to clean the infection.
Danny McLean, PEI
