One of my clients was recently struck by ransomware. In this case, it was a variant of Cryptolocker called "Le Chiffre" (after the major villain in the James Bond story, "Casino Royale"). Every single useful file (Microsoft Office files, image files, sound files, etcetera) was encrypted. A set of three files (a marker file, a text file containing the public key, and an HTML file with decryption ransom instructions) was inserted into every directory...on a server with 20,000+ files.
Ransomware is nasty stuff. It encrypts every file it can find (or an entire hard disk), and displays contact information where you can send money to decrypt your files. Generally, a long enough encryption key is utilized that it's impractical to try cracking the code.
The challenge with ransomware is that it "mutates" quickly. There's not just one version of Cryptolocker, there are dozens, perhaps hundreds. "Script kiddies" can download kits which enable them to create customized malware.
Frustratingly, since there are so many customized signatures, most antivirus programs aren't terribly effective at catching ransomware. One popular antivirus vendor's support tech bluntly told me that their software won't detect it, but that it could be set to detect and block the type of activity that an encryption virus perpetrates. I wasn't impressed; this was like telling me "Oh, well, yes, half your barn burned down, but we figured out there was a fire and soaked down the unburned half so it wouldn't catch on fire."
In my client's case, my security team never figured out exactly how Le Chiffre entered the network, but based on file time stamps, they managed to narrow it down to one of two workstations whose users either clicked on a link to an infected website or opened an infected downloaded file.
Unless you really want to throw money at cyber criminals who may or may not actually decrypt your files--and who knows if the decrypted files will be intact or contain some other piece of malware?--the only option to recover from a malware attack is to restore from backup...after making sure that you've eradicated all traces of the ransomware. (I'll talk more about that in Part 2 of this post.)
In my client's case, we happened to have not one, but two avenues for file restoration.
For primary file backup, we had installed a Barracuda Backup unit, which did a terrific job of backing up files as they were created or changed. The backed-up files were stored locally, then streamed up to the Barracuda Cloud for offsite safekeeping.
When we set up a Windows 2008-based file server for this particular client, I was already familiar with their end users' behaviors, which included multiple "oops!" file deletions each week.
This knowledge led to our creating a secondary safeguard, which was to enable Microsoft Volume Shadow Copy Service ("VSS") on the file server's data volume.
If you're not familiar with VSS, it allows a system administrator to set aside space to create periodic "snapshots" of a volume's file system. I set up VSS at our client to create snapshots at 0700 and 1700 each day, keeping several days' worth of snapshots on file.
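The twice-daily snapshot schedule described above can be set up from the command line rather than the Shadow Copies GUI. The following is an added example, not a script from the original post or the client's environment; it assumes the data volume is D: and reserves 20% of it for shadow storage, both of which are assumptions the post does not state. It uses the same vssadmin command the Windows "Configure Shadow Copies" dialog schedules behind the scenes.

```powershell
# Added example (not from the original post): configure VSS shadow storage and
# schedule snapshots at 0700 and 1700 daily, the cadence described in the post.
# Assumptions: data volume is D:; 20% of the volume is reserved for snapshots.
# Run from an elevated prompt on the file server.

$Volume = 'D:'

# Reserve shadow storage on the same volume. If shadow storage already exists,
# vssadmin reports an error; use "vssadmin resize shadowstorage" instead.
vssadmin add shadowstorage "/for=$Volume" "/on=$Volume" "/maxsize=20%"

# One scheduled task per snapshot time, running as SYSTEM so no stored
# credential is needed. /AutoRetry=15 makes vssadmin retry for 15 minutes
# if another shadow copy operation is in progress.
foreach ($t in '07:00', '17:00') {
    $taskName = 'VSS-Snapshot-{0}-{1}' -f $Volume.TrimEnd(':'), $t.Replace(':', '')
    $action   = "$env:SystemRoot\system32\vssadmin.exe Create Shadow /AutoRetry=15 /For=$Volume"
    schtasks /create /f /ru SYSTEM /sc DAILY /st $t /tn $taskName /tr $action
}

# Confirm the schedule and the storage that was set aside.
schtasks /query /tn 'VSS-Snapshot-D-0700'
vssadmin list shadowstorage "/for=$Volume"
```

How many days of snapshots you actually keep is governed by the shadow storage size, not the schedule: VSS discards the oldest snapshot when the reserved space fills up, so the reserve has to be large enough to hold several days of change on the volume.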
When Le Chiffre struck, after making sure we'd removed all traces of the virus from all systems, rather than running what would probably be at least an overnight restoration of files to the server, all we had to do was use VSS to go back in time to the last snapshot before the files were encrypted.
One caution about using VSS: even after we deleted all of the encrypted files (all of which were renamed to have a .lechiffre extension, making the process of searching out and killing encrypted files quite convenient), and then emptied the recycle bin on each volume, we found that we needed to add extra space to the volumes to enable us to revert to (think "restore from") our VSS backup. Unhelpfully, Windows 2008 didn't tell us we needed extra space until it ran out during the reverting process.
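The inventory, timestamp check and shadow-storage check described in the paragraphs above can be done before touching the volume, so the space shortfall shows up before the revert instead of during it. This is an added example, not a script from the original post; it assumes the data volume is D: and that the encrypted files carry the .lechiffre extension the post describes.

```powershell
# Added example (not from the original post): pre-revert triage of a volume
# hit by file-encrypting ransomware on a Windows Server 2008-era host.
# Assumptions: data volume is D:; encrypted files end in .lechiffre.
# Run from an elevated prompt after the host has been cleaned.

$Volume = 'D:'

# 1. Inventory encrypted files. -Force includes hidden files; the Where-Object
#    filter replaces the -File switch, which PowerShell 2.0 lacks.
$encrypted = Get-ChildItem -Path "$Volume\" -Recurse -Force -Filter '*.lechiffre' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer }
$encrypted = @($encrypted)

'Encrypted files found: {0}' -f $encrypted.Count
'Affected directories:  {0}' -f @($encrypted | Select-Object -ExpandProperty DirectoryName -Unique).Count

# 2. The earliest and latest write times bound the window in which the malware
#    ran. The last snapshot created before the earliest time is the one to
#    revert to; anything later may already contain encrypted files.
if ($encrypted.Count -gt 0) {
    $sorted = @($encrypted | Sort-Object LastWriteTime)
    'Encryption window:     {0} -> {1}' -f $sorted[0].LastWriteTime, $sorted[-1].LastWriteTime
}

# 3. List the snapshots with their creation times so the right one can be chosen.
vssadmin list shadows "/for=$Volume"

# 4. Check shadow storage before reverting. Compare the "Used", "Allocated" and
#    "Maximum" lines; a revert of tens of thousands of files needs headroom that
#    Windows 2008 will not warn about in advance.
vssadmin list shadowstorage "/for=$Volume"

# 5. If the maximum is close to the used figure, raise it first. UNBOUNDED lets
#    VSS use whatever free space the volume has; pick a fixed size if preferred.
# vssadmin resize shadowstorage "/for=$Volume" "/on=$Volume" /maxsize=UNBOUNDED

# 6. Remove the encrypted copies only once the snapshot has been confirmed.
#    -WhatIf prints what would be deleted without deleting anything; drop it
#    after reviewing the list, then empty the recycle bin as the post describes.
$encrypted | Remove-Item -Force -WhatIf
```

Keeping the inventory output (file count, directory count and the encryption window) is worth the minute it takes: it is the same timestamp evidence that let the security team narrow the entry point down to two workstations, and it documents what the revert is expected to put back.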
Once we'd reverted to the older VSS snapshot--which took several hours, because there were many tens of thousands of files to be processed--users were able to log in and work as they normally would.
The two lessons we learned from this:
- Don't trust a normal antivirus program to pick up rapidly evolving malware such as ransomware.
- In addition to daily backups of all systems, enable VSS to save time in case a mass restoration is needed.
In the next post, I'll talk about detecting and preventing ransomware.
For reference, several antivirus vendors have prepared more detailed explanations of how ransomware works, including:
- http://www.trendmicro.com/vinfo/us/security/definition/Ransomware
- http://us.norton.com/yoursecurityresource/detail.jsp?aid=rise_in_ransomware
- http://www.mcafee.com/us/security-awareness/articles/how-ransomware-infects-computers.aspx
- https://blog.kaspersky.com/cryptolocker-is-bad-news/3122/