In the past 24 hours we have seen a dangerous and potentially devastating piece of ransomware being delivered by email. The Cryptolocker campaign is very widespread, and so far, defending against it has been hit or miss except where a well-planned, layered security approach was already in place.

What is Cryptolocker?

Cryptolocker and its variants have been around for a while; we discussed it in our blog last year. The current wave has been very successful at getting past anti-spam filtering, AV-enabled gateways, firewalls, and desktop antivirus. A multi-layered approach stops most of it before it reaches the network, but there is always a chance that every layer fails. No environment is 100% secure.

In the worst case the only options are to pay the ransom, as the FBI may have just suggested, and hope the person on the other end is honest (really?), or to recover from a backup. Complicating matters, many backup procedures are themselves exposed: a backup that sits on a drive the infected PC can write to gets encrypted along with everything else.

What Happens

When the attachment in an infected email is opened, a program runs that encrypts the data files on the PC and on every network drive the PC has write access to. Documents, PDFs, spreadsheets, photos and more are encrypted, and without the attacker's key there is no way to repair them.

What To Do

In this case, there are three main points that we should focus on:

1. Review your security policy. A proper approach uses a mix of technologies in layers, so that several barriers stand between an infected email and the end user's PC.

2. Inform your users. In this campaign the malware arrives by email from seemingly innocuous sources: a person submitting a resume, a fax receipt, an invoice. The infected content may be a zip file, a Word document, or another attachment type, or a link that leads to a web page.

We have been surprised at the level of detail in the emails we have seen. They lack the poor English that spam messages usually contain. They are clear, concise, and worst of all, they blend into the regular email communication that anyone is used to seeing.

Our advice at this time is not to open any attachment or click any link you were not expecting, regardless of who appears to have sent it. If you receive something unexpected, be cautious. If anything looks suspicious, call your helpdesk.

3. Audit your backup. If an infection does occur, recovering from a recent backup may be your only recourse. Be sure that your backups are actually working. At a minimum, ensure that a test recovery is regularly performed at the file level; better still, test a bare-metal restore regularly. Also ensure that the backed-up data itself cannot be reached and damaged by the malware: a backup target that is mapped as a writable drive on a user's PC will be encrypted right along with the live data. Keep at least one copy offline or on storage that end-user PCs cannot write to, and verify the copy against known-good checksums before you trust it. It's no use recovering damaged data.

There is no level of paranoia that is unacceptable in this case. While we do not want to fatigue users with warnings and prohibitive security policy, a single click on an infected file could destroy every piece of data that user can reach on the company network. We prepare for such situations, but we would much rather never need to run our disaster recovery procedures.

Please tell your users to be wary of any email that contains attachments or links. If it is not expected, or not from a known, reputable source, DO NOT click on anything within the email.

As always, please contact us if you have any questions.