CryptoLocker, or CryptoWall, is a potentially costly ransomware virus that can infect firms in the course of routine work. Once it is inadvertently downloaded, the virus spreads rapidly: it scans the network shares and encrypts every file to which the infected user has rights. The key to decrypt the hostage files is then offered to the firm for a fee; sometimes firms pay and never receive the key anyway.
You could contract it by mistakenly clicking a bad link embedded in a website or by opening an infected attachment in a seemingly harmless email. Additionally, most web browsers, including Google Chrome, Mozilla Firefox, and Microsoft’s Internet Explorer, permit the automatic downloading of “temporary internet files” and cookies unless this is manually disabled; sometimes files are also permitted to execute by default without prompting. Security vulnerabilities in the code of Oracle’s Java, Adobe’s Flash Player, and Microsoft’s Silverlight have also allowed malware to run behind the scenes without the user’s knowledge. Last year researchers found that it affected over 600,000 computers in just 6 months.
Kraft Kennedy to the Rescue
We recently helped a 150-user IP law firm recover from this debilitating virus and recommended some protective measures to mitigate further exposure to such attacks. The firm’s users scour the web for references to their clients’ products, often visiting unsecured sites and servers as a result.
In one instance, a user was researching a new matter and accidentally viewed a website that had been infected with a variant of CryptoWall. Initially only this individual’s profile was affected, but she went home for the day and the infection went unnoticed. As the evening progressed, others discovered that they could not open files or save changes in the document management system. The virus had spread from the server containing user profiles to the file server and had begun to rapidly encrypt active case data.
Once our assistance was requested, we identified the profile of the user who initiated the infection. For every file the virus encrypts, it generates a .txt file containing “instructions” on how to decrypt that file. The Security tab of this file’s properties revealed the culprit account, so we quickly disconnected her computer from the local network and wiped the machine. To identify the scope of the damage we searched the network for files with the “.aaa” extension (this is how the virus tags files once it has encrypted them) and for the name of the decrypt instruction file; luckily, the timestamp of the last file to be encrypted matched the time we unplugged the user’s PC, confirming that the encryption had stopped there. Fortunately, since we had both cloud and local backups of the affected directories from just a few hours before the virus hit, we were able to restore with minimal loss of work. Lastly, we deleted the corrupted .aaa files and the instruction files to leave no trace of the infection behind.
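The two searches described above, written up as an added PowerShell triage script (this is an example for this article, not Kraft Kennedy’s own tooling): it finds the “.aaa” files and the instruction notes on the shares, reads the owner from each file’s ACL (the same information as the Security tab), and reports the first and last write times so you can confirm encryption stopped when the workstation was unplugged. The share paths and the instruction-file name pattern are placeholders to replace with what you actually observe.

```powershell
# Added triage script, not from the original article. Assumptions: encrypted files
# carry the ".aaa" extension as in the incident above; the ransom-note filename is
# not given on the page, so $NotePattern is a placeholder to replace with the real name.
param(
    [string[]]$Shares      = @('\\FILESERVER\Data', '\\FILESERVER\Profiles'),  # placeholders
    [string]  $Extension   = '.aaa',
    [string]  $NotePattern = 'DECRYPT_INSTRUCTIONS_PLACEHOLDER*.txt'
)

# Enumerate every tagged file and every instruction note across the shares.
$hits = @(foreach ($share in $Shares) {
    Get-ChildItem -Path $share -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq $Extension -or $_.Name -like $NotePattern }
})
if ($hits.Count -eq 0) { 'No encrypted files or instruction notes found.'; return }

# The owner in each file's ACL is the account that wrote it: the infected user.
'Artefact owners (most frequent first):'
$hits | ForEach-Object {
        try { (Get-Acl -LiteralPath $_.FullName).Owner } catch { 'UNKNOWN' }
    } | Group-Object | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Timeline: the first write shows when encryption began; the last write should match
# the moment the infected PC was disconnected if the spread really stopped.
$timeline = $hits | Sort-Object LastWriteTime
'First artefact : {0}  {1}' -f $timeline[0].LastWriteTime,  $timeline[0].FullName
'Last artefact  : {0}  {1}' -f $timeline[-1].LastWriteTime, $timeline[-1].FullName
'Total artefacts: {0}' -f $hits.Count

# Affected directories, to scope what must be restored from backup.
'Most affected directories:'
$hits | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 20 Name, Count | Format-Table -AutoSize

# Export the full list for review. Restore from backup first; only delete the
# .aaa files and notes after the restore has been verified.
$hits | Select-Object FullName, LastWriteTime, Length |
    Export-Csv -Path "$env:TEMP\ransomware-artefacts.csv" -NoTypeInformation
```

Run it from an account with read access to the shares but no write access to the data you intend to restore, so the triage itself cannot disturb the evidence.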
Recovery and Prevention Tips
Do not pay the ransom. As mentioned above, paying does not guarantee decryption. It is crucial to have complete and readily accessible backups of critical data so that files can be recovered once the virus has been located and stopped.
DNS and web-content filtering services can also help prevent users from visiting infected sites or downloading malware. A few of the latest web browsers, including Chrome version 45 and Microsoft’s Edge, do not support any Flash or Java applications.
All file shares should be carefully inspected to ensure that individuals have rights to shared data only where strictly necessary. Restricting user permissions on file shares and other network resources, defining group policies, and enterprise security training are effective ways to mitigate the associated risks. Leveraging a combination of these measures can protect your firm’s data and network integrity in the future, even as attack methods continue to evolve.