The definition of a Cryptovirus is:
“cryptovirus (plural cryptoviruses)
Malware that specializes in extortion by encrypting user files and asking for payment in exchange for the decryption key.”
Cryptoviruses / Ransomware attacks are nasty! They are also the latest trend in cyber attacks against not only businesses but regular folks all over the world. Encrypting the data makes it unusable and unrecoverable. We have seen first-hand the damage these attacks can do – and simply put, it can be a doomsday scenario for even the most prepared businesses. Imagine losing thousands of financial records, your emails, or even pictures of your family. Cryptovirus / Ransomware authors do not care about the inconvenience it causes you – they only care about collecting money from their victims. We often see desperate businesses try to pay off the ransom on their files, just to discover that the author / operator of the virus will not actually decrypt the files – leaving you not only without your data, but out $500-$5000 in ransom paid. In this blog post, we are going to cover everything you need to know to help bolster your defense against these attacks and also make recovery possible.
The Best Cryptovirus / Ransomware Defense is Good Backup Policy
IT admins have always proclaimed this commandment:
“You have one, you have none.”
What this means to the less technically minded person is simple – you cannot say you have a backup if you only have one – you should have at minimum two different types of backup running every day.
Two different types of backup?
Yes! You should have a local backup (External Hard Drive) and a cloud based backup.
But why two types of backup? – “That’s expensive!”
Cryptoviruses are insidious: they infect a computer and encrypt the data not only on the C:\ drive, but also on any mapped network drives and attached storage like USB thumb drives and External Hard Drives. Having a backup stored in the cloud helps mitigate complete loss, but it’s important that your local backups (backups that happen in the location where the computer is stored) are rotated daily. Windows Backup and Windows Server Backup have options for making a rotating disk backup; your organization should take full advantage of this! Even having a cloud backup can produce less than favorable results when trying to recover from an attack. Our experience has been that a full recovery from a cloud backup can take many days for the files to be downloaded and restored, adding even more insult to injury, since these attacks happen at the most inopportune times, especially during firm deadlines.
Test and Simulate Disaster to Avoid Disaster
We find that part of a proper business continuity plan is testing it, to ensure that it behaves as engineered with the least amount of downtime and friction. You should never roll the dice with your backups: simulate a test recovery of your backup once a month. If you do not do this, you are not verifying which files will restore properly or what issues arise when trying to restore your backups.
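One way to run the monthly test restore described above is to hash the live data before the backup runs and then check the restored copy against that manifest. The following Python script is an added example, not code from the original post; the file names and directory layout in demo() are constructed to show a restore that lost one file and truncated another.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def verify_restore(source_manifest, restored_root):
    """Compare a restored tree against the manifest taken from the live data.

    Returns sorted lists of files that are missing from the restore, that
    restored with different content (corrupt), and that exist only in the restore.
    """
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(p for p in source_manifest if p not in restored),
        "corrupt": sorted(p for p in source_manifest
                          if p in restored and restored[p] != source_manifest[p]),
        "extra": sorted(p for p in restored if p not in source_manifest),
    }


def demo():
    """Constructed scenario: a test restore that lost one file and truncated another."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp) / "live", Path(tmp) / "restored"
        (live / "accounting").mkdir(parents=True)
        (live / "accounting" / "ledger.xlsx").write_bytes(b"ledger-v1")
        (live / "accounting" / "invoices.csv").write_bytes(b"inv,amount\n1,500\n")
        (live / "notes.txt").write_bytes(b"meeting notes")
        manifest = build_manifest(live)  # taken before the backup runs
        # The test restore: ledger intact, invoices truncated, notes.txt never came back
        (restored / "accounting").mkdir(parents=True)
        (restored / "accounting" / "ledger.xlsx").write_bytes(b"ledger-v1")
        (restored / "accounting" / "invoices.csv").write_bytes(b"inv,amount\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere the cryptovirus cannot reach (it is only useful if it was not encrypted along with the data it describes).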
How Will I Know I Have Been Infected by a Cryptovirus?
One excellent quality that Cryptoviruses have is that they let you know when you’ve been hit by them. You will typically see a Notepad document pop up on your screen saying your files have been encrypted or locked – and that you need to pay someone in Bitcoin to get them back.
Additionally, you may see text documents appearing in your folders saying things like:
- “How to recover files”
- “You’ve been hacked”
- “Where are my files?”
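A defender can automate a first check for the indicators above. The Python script below is an added example, not code from the original post: it walks a directory tree, matches text file names against the three note titles listed above (constructed regexes), and flags the case where the same note has been dropped into several folders. The two-folder threshold and the sample folder layout in demo() are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Regexes built from the note titles the post lists (constructed, case-insensitive).
NOTE_PATTERNS = [
    re.compile(r"how\s*to\s*recover", re.I),
    re.compile(r"you.?ve\s*been\s*hacked", re.I),
    re.compile(r"where\s*are\s*my\s*files", re.I),
]
# Assumption: a note present in two or more folders is treated as a ransomware signal.
FOLDER_THRESHOLD = 2


def is_ransom_note(path):
    """True if this is a .txt file whose name matches one of the note titles."""
    name = path.stem.replace("_", " ").replace("-", " ")
    return path.suffix.lower() == ".txt" and any(p.search(name) for p in NOTE_PATTERNS)


def scan_for_notes(root):
    """Walk the tree; return matching note paths and how many folders hold one."""
    root = Path(root)
    notes = sorted(p.relative_to(root).as_posix()
                   for p in root.rglob("*") if p.is_file() and is_ransom_note(p))
    folders = {n.rpartition("/")[0] for n in notes}
    return {"notes": notes, "folder_count": len(folders),
            "suspected": len(folders) >= FOLDER_THRESHOLD}


def demo():
    """Constructed layouts: one tree with a note in every folder, one clean tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        hit = Path(tmp) / "hit"
        for folder in ("Documents", "Documents/Finance", "Pictures"):
            (hit / folder).mkdir(parents=True)
            (hit / folder / "HOW_TO_RECOVER_FILES.txt").write_text("pay in bitcoin")
            (hit / folder / "readme.txt").write_text("legitimate file")
        results["hit"] = scan_for_notes(hit)
        clean = Path(tmp) / "clean"
        (clean / "Documents").mkdir(parents=True)
        (clean / "Documents" / "notes.txt").write_text("meeting notes")
        results["clean"] = scan_for_notes(clean)
    return results


if __name__ == "__main__":
    print(demo())
```

A hit is a reason to unplug the machine and call for help, as the next section describes, not a reason to start opening the notes.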
What do I do When Disaster Strikes?
No Server, Just one PC
First, immediately stop what you are doing with your computer. Unplug it completely and seek immediate technical assistance! The infected computer should be reimaged immediately (the hard drive completely wiped, and Windows reinstalled from scratch). After the computer has been reimaged and reinstalled at your location, you can start recovering your files.
Server or more than one PC
Follow the same steps as for a single PC, but start your recovery on your file server immediately. You likely won’t have to reimage your server, as it’s unlikely that the cryptovirus infected the server itself rather than just encrypting the data on it – unless the server is used as a workstation or terminal server by the other users on the network. Again, it is better to reach out to a Technology Service Partner and receive assistance recovering in these situations, as sometimes even the best laid-out plans for backup and recovery do not go as planned; trying to do it yourself might take longer or potentially make things worse.
“I can’t stop working now, I have deadlines, can the recovery wait?”
In some cases it might be possible to continue working. However, continuing to work while an active infection is on the network could catastrophically impede your ability to recover or cause even more harm. It’s best for all parties involved that, at the first sign of a cryptovirus attack, business operations are suspended until a technical resource can give the “all clear” for people to resume working. Simply put – failure to follow the directive of unplugging the affected machines and suspending operations might render recovery impossible. Time is a serious factor in these attacks, and the impact of what could happen deserves serious consideration.
“I have X, Y, or Z Antivirus Solution, Why Should I even care?”
No Antivirus solution is perfect. We have seen every major antivirus product in production during these attacks and none of them mitigated or even noticed what was going on. Your antivirus product, while having good intentions, is rarely effective at stopping these attacks; we have never documented one single AV client that has actually stopped any of these attacks. DO NOT IMPLICITLY TRUST THAT YOUR ANTIVIRUS PRODUCT WILL PROTECT YOU!
How Do I Prevent Cryptovirus Attacks?
These guidelines should help harden your environment against attacks, but as time and technology progress, these infections get better at what they do and can defeat even these directives:
- Do not pirate software – pay for your software through trustworthy vendors
- Do not attempt to watch copyrighted movies or TV shows online through non-genuine or unsanctioned streaming services
- Do not use an administrator account as your user account on your PC; this allows an escalation of privileges that lets these infections run on your computer and deliver their payload
- Do not use your Server as a Workstation! If you have a Server, use it like a Server! Workstations should be used for people to do their work, Servers should not be manned by any employees and should exist to provide resources to other workstations on your business network
- Keep current on Windows Updates and other software updates – updates patch the vulnerabilities that many of these viruses exploit to deliver their payload
- Avoid plugging in randomly found USB drives into your computer – they often have this sort of virus on them when found in the wild
- Use only currently supported versions of Windows – Sorry XP users, but that ship sailed, time to move on!
That should cover it – with this knowledge you should be able to better defend yourself against these attacks and have better policies for recovery. As always, if you have any questions or need help do not hesitate to call us: 802-870-3232