By Wesley Taylor
CryptoLocker is one of the most prevalent pieces of malware doing the rounds at the moment. It is usually distributed via email designed to appear to come from a familiar, legitimate business, such as AGL or Australia Post.
Typically, when purporting to be from Australia Post, the message will read something along the lines of ‘You have a parcel we couldn’t deliver. Open this attachment to find out more.’ Of course, when the recipient opens the attachment or clicks the link, the malware is activated.
As it runs, the malware searches for file servers and file shares on the network. It then finds all the shared files and encrypts them. It also writes a file to the server that demands payment in return for decrypting the files so they can be used again. This is commonly known as ransomware.
Ransomware is not new, but it keeps evolving. When a business is hit, it can be a huge amount of work to get the files back. Some businesses may elect to pay the ransom, but there is no guarantee that those responsible will decrypt the files if you do pay. It may also encourage them to do it again to extort more money from you.
Usually the files can be restored from a backup, but it’s a time-consuming and costly exercise.
IT departments and managed service providers need to educate end users and push the message not to click on any attachments that they aren’t expecting. The issue we face now is that the emails are very sophisticated and look like a genuine email, so it’s easy to trick people into opening something they shouldn’t. If in doubt, it’s always best to make a quick call to the company in question just to check if they did indeed send the email before opening it.
It’s also important to be aware that these attachments are getting past virus checkers. The majority of clients will have emails scanned by SecureMail or a third-party product but, because the malware is constantly evolving and is sent from different countries and different IP addresses, it can slip through before anti-virus signatures are updated.
The worst-case scenario is that a company loses all of its data, so the stakes are incredibly high. Employees are usually encouraged to save their work on the file server in the event that if they lose their device, they won’t also lose all of their work. Unfortunately, this also means that, in the event of a CryptoLocker attack, all those files are available to the virus. This can result in the entire company being unable to do any work until the files are recovered.
Another problem is the time it takes to recover all of the files. Having to copy files back from back-up servers could result in a whole day of downtime, and potentially more. Employees are left without access to the files they need to do business.
Time is money. Even a short amount of downtime can cost the business, so this is a situation that all companies should address with the utmost priority.
There is a variety of products on the market that protect against CryptoLocker attacks, including Mimecast’s email security solution. Mimecast Secure Email Gateway protects email data and employees from CryptoLocker by using sophisticated, multi-layered detection engines and intelligence. It provides improved security and system performance, up-to-date threat intelligence, and administrator visibility and control to stop known and advanced email threats before they reach an organisation’s network.
At Brennan IT, one of our engineers also came up with a solution, which catches CryptoLocker files that have managed to evade antivirus software and spam filters.
It mitigates the damage when the virus hits our clients’ servers. It is a two-part solution that doesn’t stop the virus from occurring but will make it easier for clients to recover.
Here is how it works:
- When a user activates the malware on their own computer, a script is run to disable the infected user’s account before a message is displayed on their computer, saying ‘You’ve been infected. Call Brennan IT.’ A priority 1 ticket is then generated so the Brennan IT help desk can contact the user straight away.
- The user is logged out at this stage because, if they were to log back into their computer, the malware could start running again. In order for the malware to work, it has to be running on the computer on which the attachment was opened. If the infected user can’t log on, that can’t happen. This limits the spread of the infection.
- The whole process is automated. Through System Center Configuration Manager (SCCM), a component that is part of Windows Server but is not enabled by default is deployed to the file server.
- When CryptoLocker encrypts files on servers, it renames them with a known set of file extensions, so Brennan IT maintains a list of the extensions it has been seen to use. Any time a file with one of these extensions is written to the server, an alert is generated.
- Then, through System Center Operations Manager (SCOM), the servers are continuously monitored for these attack events.
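The server-side half of the procedure in the list above, as an added example rather than Brennan IT’s own script: it assumes the unnamed Windows Server component is File Server Resource Manager (FSRM) file screening, which the post does not state, and the share path, script path, file-group name and extension patterns are constructed placeholders to be replaced with the operator’s own maintained list.

```powershell
# Added example, not Brennan IT's script. Assumes the Windows Server component
# the post refers to is File Server Resource Manager (FSRM) file screening.
# Run as an administrator on the file server. Paths, names and extension
# patterns are constructed placeholders.

# 1. Enable FSRM (shipped with Windows Server, not enabled by default).
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

# 2. The list of extensions the ransomware is known to rename files to.
#    Placeholder patterns; keep the real list under change control and
#    extend it as new variants are observed.
$knownRansomwarePatterns = @('*.encrypted', '*.locked', '*.crypt')
New-FsrmFileGroup -Name 'Ransomware Extensions' -IncludePattern $knownRansomwarePatterns

# 3. Helper script that FSRM will run to disable the writing user's account.
#    It runs as LocalSystem, so the file server's computer account must be
#    delegated the right to disable users (assumption) and the RSAT
#    ActiveDirectory module must be installed.
$disableScript = @'
param([string]$User)
Import-Module ActiveDirectory
$sam = ($User -split '\\')[-1]                      # strip the DOMAIN\ prefix
Disable-ADAccount -Identity $sam
# Closing the user's SMB sessions cuts the encrypting process off immediately
# instead of waiting for the next authentication.
Get-SmbSession | Where-Object ClientUserName -eq $User | Close-SmbSession -Force
'@
New-Item -ItemType Directory -Path 'C:\Scripts' -Force | Out-Null
Set-Content -Path 'C:\Scripts\Disable-InfectedUser.ps1' -Value $disableScript

# 4. Two notifications fire whenever a matching file is written to the share:
#    a) an Application-log event for the monitoring agent (SCOM in the post)
#       to collect and turn into an alert or ticket;
#    b) the disable command above. [Source Io Owner], [Source File Path] and
#       [Server] are FSRM notification variables expanded at run time.
$eventAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransomware extension written by [Source Io Owner] to [Source File Path] on [Server]'

$disableAction = New-FsrmAction -Type Command `
    -Command 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -CommandParameters '-NonInteractive -ExecutionPolicy Bypass -File C:\Scripts\Disable-InfectedUser.ps1 -User "[Source Io Owner]"' `
    -SecurityLevel LocalSystem

# 5. Apply the screen to the share. -Active also rejects the write itself;
#    omit it for a passive, alert-only screen like the one the post describes.
New-FsrmFileScreen -Path 'D:\Shares\Company' `
    -IncludeGroup 'Ransomware Extensions' `
    -Active `
    -Notification @($eventAction, $disableAction) `
    -Description 'Ransomware canary: alert and disable account on known encrypted-file extensions'
```

The event written in step 4a lands in the server’s Application log, which is where a SCOM rule would pick it up to raise the priority 1 ticket the post mentions; the workstation message shown to the user is a separate client-side step not covered here. Test the screen on a non-production share first: a file copied in with one of the listed extensions should generate the event and disable the test account, and an unlisted extension should pass untouched.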
This solution is unique to Brennan IT because of the way in which we have System Center servers managing client servers. SCOM and SCCM agents on those servers let us do this. The system is fully automated and integrated with other systems, such as the IT ticketing system.
This could be set up independently, but it would be without the benefit of the proactive notifications that our system provides.
Currently, we offer this on an opt-in basis to our clients, since a client may not want it installed.
If you would like to find out more about Brennan IT’s solution or how Brennan IT can help your organisation, you can visit http://www.brennanit.com.au or contact us on 1300 500 000.