A Cryptolocker Ransomware Survival Story

If you’ve been following the news recently, you’ve probably heard of the latest and nastiest instance of cybercrime out there today: Cryptolocker. Thousands of individuals and businesses worldwide have been hit with this scam, leading security experts to label it the new reality in cybercrime.

Cryptolocker belongs to a class of malware known as ransomware, which infects a computer and then restricts access to that computer’s files. Once a computer is infected, the luckless user receives a message demanding payment before the files can be unlocked again. Payment is typically demanded in a digital currency such as Bitcoin, which is accepted worldwide, is untraceable, and can be converted back into cash at the receiving end.

As ransomware goes, Cryptolocker is particularly nasty. A user activates it by opening an email attachment that contains the virus, which then installs itself on the computer and encrypts files as it goes. On a network, the infected machine serves as the gateway to the entire network: every file on a share that the infected user’s account can reach is encrypted and rendered inaccessible. To recover the encrypted files, the victim is asked to pay a ransom, typically within 72 hours of infection, or lose all data forever. In an astounding new twist, the cybercriminals who created Cryptolocker have upped the ante by creating a “customer service” site designed to “help” those who are unable to make the initial ransom payment. Through this site, victims are given an extended deadline to come up with the payment, but the ransom demanded is considerably higher than the initial amount.


We Got Hit

It may surprise you to learn that Lieberman Technologies was recently hit by Cryptolocker. Even though we have multiple layers of protection in place, we still got hit. No matter how many layers of security are in place, they are sometimes no match for the human factor. Even an employee of a technology company can be fooled into believing that an email attachment is genuine. And that’s just what happened. An email made it through our multiple layers of protection. It was extremely well-written and convincing (an excellent example of social engineering), and one of our employees was fooled into thinking that it was an important human resources announcement about changes to expense report procedures. Within minutes, the virus was encrypting thousands of important files on the employee’s workstation and on a network file server.

Did we have to pay a ransom to unencrypt locked files?

No. We recovered quickly, had virtually no downtime, and did not have to pay the ransom to regain access to our files. We were able to recover with minimal impact because we were prepared for just such an event.

What Protection is in Place?

Lieberman Technologies has layers of protection in place to filter out much of the nasty stuff before it ever enters our network. Our upfront layers of protection look like this:

  1. Hosted Antivirus/Anti-Spam (scans email before it gets to our network)
  2. Web filter (web browsing is scanned for malicious content and known compromised web sites are blocked)
  3. Spam and virus prevention running on our email server scanning email a second time
  4. Antivirus running on all PCs and servers providing real-time protection of files and folders

All of these layers are like an extensive alarm system combined with security guards: they are constantly on the lookout for unwelcome intruders and take aggressive action as soon as they see one. But that isn’t enough on its own, so we also run a backup system. Here’s what we do:

  1. Image-based backup system for all PCs and laptops.
  2. Image-based backup system for all servers performing incremental backups throughout the day.

Because of this backup system, we were able to pinpoint a time before the Cryptolocker infection and restore our systems from that point. No one in our office lost any information, no files were harmed, and most importantly, no ransom was paid. In fact, most employees were unaware that any of this happened until well after everything was over.
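Pinpointing that restore point is the step worth automating. The script below is an added example, not code from the original post or from Lieberman Technologies: it scans a constructed file-server audit log for an account that rewrites an abnormal number of distinct files within a short window (the signature of bulk encryption on a share) and then picks the newest incremental snapshot taken before that account’s first suspicious write. The log format, the threshold and the snapshot schedule are all assumptions.

```python
from datetime import datetime, timedelta


def at(h, m, s=0):
    """Helper for building timestamps on one constructed day."""
    return datetime(2013, 11, 4, h, m, s)


# Constructed sample audit log: (timestamp, account, action, path).
# Not real data: ordinary activity followed by one burst of writes by "alice".
AUDIT_LOG = [
    (at(9, 0, 12), "alice", "WRITE", r"\\fs1\shared\q3\report.docx"),
    (at(9, 31, 5), "bob", "WRITE", r"\\fs1\shared\hr\expenses.xlsx"),
    (at(10, 2, 0), "alice", "READ", r"\\fs1\shared\q3\budget.xlsx"),
    (at(10, 2, 1), "alice", "WRITE", r"\\fs1\shared\q3\budget.xlsx"),
] + [  # the encryption burst: 40 distinct files rewritten in 40 seconds
    (at(10, 14, i), "alice", "WRITE", rf"\\fs1\shared\q3\file{i}.docx")
    for i in range(40)
]

# Incremental snapshots taken throughout the day (constructed schedule).
SNAPSHOTS = [at(8, 0), at(9, 30), at(10, 0), at(10, 15), at(10, 30)]


def detect_burst(log, threshold=20, window=timedelta(seconds=60)):
    """Return (account, first_write) for the first account that rewrites at
    least `threshold` distinct files inside a sliding `window`, else None.
    Ransomware rewrites far more files per minute than a person ever does."""
    recent = {}  # account -> list of (timestamp, path) still inside the window
    for ts, account, action, path in sorted(log):
        if action != "WRITE":
            continue
        events = recent.setdefault(account, [])
        events.append((ts, path))
        cutoff = ts - window
        events[:] = [e for e in events if e[0] >= cutoff]  # age out old writes
        if len({p for _, p in events}) >= threshold:
            return account, events[0][0]  # earliest write of the burst
    return None


def last_clean_snapshot(snapshots, first_bad_write):
    """Newest snapshot taken strictly before the first suspicious write; any
    later snapshot may already hold encrypted copies of the files."""
    clean = [s for s in snapshots if s < first_bad_write]
    return max(clean) if clean else None


if __name__ == "__main__":
    hit = detect_burst(AUDIT_LOG)
    print("burst:", hit)
    if hit:
        print("restore from snapshot:", last_clean_snapshot(SNAPSHOTS, hit[1]))
```

Note that the 10:15 snapshot is newer but sits inside the burst, so the script correctly passes over it and selects 10:00.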

Keep in mind that antivirus companies will always be one step behind those who create malware. Recent updates to antivirus software have begun to filter out Cryptolocker, but there is always a new threat out there waiting to strike. Keeping your security layers updated will go a long way toward heading off infections before they happen, as will greater vigilance about the email you receive. In fact, it is more important than ever not to open any email attachment you were not expecting. Permanently delete the questionable email. Proceed with caution when opening attachments from known senders as well, since a sender address is easily spoofed. And finally, a solid backup system will help your business recover quickly should you find your systems infected – saving you time, headaches, and money.

Have you had problems with malware? How easy was it for you to recover? Want to know more about IT security? Contact me to discuss how to keep your network and data secure.

  • Dennis H Wilson

    Not meant as a dis to LT but it is amazing to me how many in the tech business think they are immune because of all the security layers in place.

    The humans are almost always the weak link. I still have users respond, “But I know him and he wouldn’t send me anything harmful or nasty!” I wish there were an easy way to get the word out…QUIT OPENING ATTACHMENTS…..EVEN FROM YOUR MOMMA, perhaps especially from your momma!

    With cloud space now available for free from so many providers and ways to “safely” share documents via the cloud, there is NO compelling reason to send email attachments at all.

    • eppand

      Dennis, you are correct. You can never completely eliminate the human element. Even with layers of security in place, caution is the best approach.