Last week one of our clients was struck by an encryption attack on their data. The first we heard of it was when staff could not access server-based files across the network. What we found was a terrified staff member looking at the following screens, wondering about their future in the firm.
Their up-to-date anti-virus software did not detect this attack!
The staff member responsible went through several steps, as directed by the attacker, to activate the code that ran the encryption process. CryptoLocker encrypted every DOC, XLS and PDF file available on the accessible shares, including the server drives they had access to.
Once done, the ransom note appeared!
The victim staff member either opened an email attachment or clicked a button on a website, which activated the code. They will then have followed the on-screen instructions to permit the code to run, and then carried on working, wondering why the PC's performance was so poor.
Fortunately, this client listens to advice and sets systems up as they should be, yet the attack still happened. They have a good firewall and up-to-date anti-virus software from a reputable company.
The particular staff member had access via network drives to approximately 10,000 files, many of them significant to the operations of the business and containing high-value information. Fortunately, this attack leaves the data in place and encrypts it; it does not steal the data via the internet.
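One practical control this incident points to is spotting the burst of writes that a process like CryptoLocker produces as it works through a share. The following is an added example, not part of the original post or of Combo's own tooling: a small Python detector that reads file-server audit events in a hypothetical pipe-delimited format (the format, field names, user names, paths, timestamps and thresholds are all constructed for the example) and alerts when one account modifies an unusual number of distinct DOC, XLS or PDF files inside a short sliding window.

```python
"""Detect a ransomware-style burst of file modifications in file-server audit events."""
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# File types the post reports CryptoLocker encrypting on the client's shares.
WATCHED_EXTENSIONS = {".doc", ".xls", ".pdf"}

# Constructed audit records (not real logs) in a hypothetical
# "timestamp|user|action|path" format. alice is the runaway writer,
# bob edits two files hours apart, carol writes unwatched .txt files,
# dave only reads, and one line is deliberately malformed.
SAMPLE_AUDIT_LOG = r"""
2013-11-04T09:00:01|alice|WRITE|\\FS01\Shared\Finance\budget.xls
2013-11-04T09:00:03|alice|WRITE|\\FS01\Shared\Finance\forecast.xls
2013-11-04T09:00:04|alice|WRITE|\\FS01\Shared\Finance\budget.xls
2013-11-04T09:00:06|alice|WRITE|\\FS01\Shared\Legal\contract.doc
2013-11-04T09:00:09|alice|WRITE|\\FS01\Shared\Legal\nda.pdf
2013-11-04T09:00:11|alice|WRITE|\\FS01\Shared\HR\handbook.doc
2013-11-04T09:00:14|alice|WRITE|\\FS01\Shared\HR\payroll.xls
2013-11-04T09:00:15|alice|WRITE|\\FS01\Shared\HR\policy.pdf
2013-11-04T09:05:00|bob|WRITE|\\FS01\Shared\Sales\pipeline.xls
2013-11-04T10:30:00|bob|WRITE|\\FS01\Shared\Sales\quote.doc
2013-11-04T09:00:02|carol|WRITE|\\FS01\Shared\Dev\build1.txt
2013-11-04T09:00:03|carol|WRITE|\\FS01\Shared\Dev\build2.txt
2013-11-04T09:00:04|carol|WRITE|\\FS01\Shared\Dev\build3.txt
2013-11-04T09:00:05|carol|WRITE|\\FS01\Shared\Dev\build4.txt
2013-11-04T09:00:06|carol|WRITE|\\FS01\Shared\Dev\build5.txt
2013-11-04T09:00:20|dave|READ|\\FS01\Shared\Finance\budget.xls
this line is not an audit record
"""


def parse_audit_line(line):
    """Parse one 'timestamp|user|action|path' record; return None if malformed."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None
    ts, user, action, path = parts
    try:
        return {"ts": datetime.fromisoformat(ts), "user": user,
                "action": action.upper(), "path": path}
    except ValueError:
        return None


def file_extension(path):
    """Lower-cased extension of the last path component (UNC or POSIX separators)."""
    name = re.split(r"[\\/]", path)[-1]
    return os.path.splitext(name)[1].lower()


def detect_mass_modification(lines, window_seconds=60, threshold=5):
    """Return one alert per user whose WRITEs touch at least `threshold` distinct
    watched files within any `window_seconds` span. Events are sorted by time
    first so out-of-order log delivery cannot hide a burst."""
    events = sorted((e for e in map(parse_audit_line, lines) if e),
                    key=lambda e: e["ts"])
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # user -> deque of (ts, path) inside the window
    alerted = set()
    alerts = []
    for ev in events:
        if ev["action"] != "WRITE" or file_extension(ev["path"]) not in WATCHED_EXTENSIONS:
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["path"]))
        # Drop events that have fallen out of the sliding window.
        while ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}   # repeated writes to one file count once
        if len(distinct) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({"user": ev["user"], "first_seen": q[0][0],
                           "last_seen": ev["ts"], "distinct_files": len(distinct)})
    return alerts


def run_demo():
    """Run the detector over the constructed sample and return its alerts."""
    return detect_mass_modification(SAMPLE_AUDIT_LOG.strip().splitlines())


if __name__ == "__main__":
    for alert in run_demo():
        print(f"ALERT {alert['user']}: {alert['distinct_files']} distinct files "
              f"modified between {alert['first_seen']} and {alert['last_seen']}")
```

On the sample, only alice trips the detector: her fifth distinct document lands 10 seconds after the first, while bob's two edits are far apart, carol's files are not a watched type and dave never writes. The window and threshold are assumptions to be tuned against how fast the business normally edits documents; the point of the design is that an alert fires within seconds of the burst starting, early enough for the account's share access to be cut before it reaches the 10,000 files described above.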
Once this attack has reached the point of generating the message shown, the data is no longer available.
From that point on there are only two options. Pay the ransom and hope you get a decryption key that safely unlocks your files and then does no further damage to your systems, or to your credit card. Or delete the encrypted files and find a tool that cleans up any remaining code from the attack.
In this client's case, option one had far too many risks associated with it, so we went with option two: delete and clean. Don't panic; as I said, this is a client who has followed advice. They had a good-quality backup and were able to restore data from just prior to the attack to the original file locations.
The net impact of this attack was a disruption to business for a couple of hours and the loss of any file modifications for about half an hour back to the restore point.
The message here is clear. It is time to ensure you have the best possible front line of defence against the dark arts of the internet: a good firewall, a great anti-virus solution, good staff training on what to watch out for and, above all else, state-of-the-art backup and data recovery systems that ensure you do not become a victim.
If you have been under-investing in your backup systems and are not sure how you would recover your data in the event of an encryption attack such as this, it is time you got some advice and set up a project to bring them up to date. Otherwise you may find yourself hoping you get your data back and that your credit card is not debited $300 and then seriously abused.
If you are currently thinking 'Ha, $300 is far cheaper than putting a backup system in', think about this: there is no guarantee the decryption key even exists. That may be the dirty joke in it. I for one never plan to find out. Do you?
David Markus is the founder of Combo – the IT services company that is known for solving business problems with IT. How can we help?