Channel: Spiceworks Community

Tales from the CryptoLocker: Wrestling with ransomware


This is the 268th article in the Spotlight on IT series. If you'd be interested in writing an article on the subject of backup, security, storage, virtualization, mobile, networking, wireless, cloud and SaaS, or MSPs for the series PM Eric to get started.

A few weeks ago, I had someone in our customer service department open an email from a legitimate client that contained a .zip file. This wasn’t exactly normal correspondence, but it also wasn’t unusual to be contacted via email by this contact. Shortly after, I was called and informed it appeared we had a virus. They said a strange pop-up warning message came up and they couldn’t get rid of it.

“Please don't click anything anymore,” I replied. I asked if it resembled our antivirus alerts or had any reference to our recently added web filter. They told me that less than a minute after the .zip file was opened, they got the 72-hour countdown screen from CryptoLocker stating that they needed to purchase the $300 encryption key or all data would be encrypted and useless.

I told the person to unplug the PC from the network, and I literally ran to my car, drove to the offsite facility and dashed inside! I powered it off and told him he would have to work from another station for the rest of his shift. I walked out with the infected piece of hardware under my arm in a full nelson.

I got back to my office and started researching CryptoLocker while I allowed McAfee to run its scan on the machine with no network connections. I downloaded the latest version of Malwarebytes (my personal favorite) to an empty flash drive and loaded that onto the machine as the first scan finished with no results. I started a full system scan with Malwarebytes and went back to researching what I could about this particular virus, and testing nodes of shared files and drives.

It looked like it favored user-modified documents with MS Office, Adobe, and .txt type extensions. I followed file paths he had rights to and BAM, every single document would produce the same error message: “This file cannot be opened because the file format or file extension is not valid. Verify that the file has not been corrupted and that the file extension matches the format of the file.”

If I forced a file to display its contents, it was a massive garbled mess of displayed encryption. I had to restart the Malwarebytes scan two times before I decided it was a waste of time. I needed to re-image the machine and move on to backups!


In that short amount of time while the machine was connected to the network, it had infected all of the documents on the PC and nearly 80 percent of the public drive the user had read/write access to, which was highly relied upon by employees of all types at that facility. That site’s initial backups are temporarily stored on the same machine that the public shared drive resides on before being written to tape off-site.
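The symptoms described above (documents that keep their names and extensions but no longer open, with garbage where the content used to be) and the question of how much of the share was hit are exactly what a quick magic-byte triage answers before you decide what to restore. The script below is an added example, not the author's tooling or anything from the original post. It assumes only the file types the article names (Office, PDF, .txt), checks each file's leading bytes against the signature its extension promises, and builds a small constructed sample share in a temp directory so it runs offline; the file names in that sample are made up. In real use you would point `triage_share()` at the share root (a mapped drive or UNC path) from a clean, read-only session.

```python
import os
import tempfile
from pathlib import Path

# Leading bytes ("magic numbers") expected for the document types the article says
# were hit. Office 2007+ formats are ZIP containers (PK), legacy Office formats are
# OLE compound documents, and PDFs start with "%PDF-". Plain .txt has no signature,
# so it gets a printable-text heuristic instead.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP = b"PK\x03\x04"
MAGIC = {
    ".docx": (ZIP,), ".xlsx": (ZIP,), ".pptx": (ZIP,),
    ".doc": (OLE2,), ".xls": (OLE2,), ".ppt": (OLE2,),
    ".pdf": (b"%PDF-",),
}
TEXT_EXTS = {".txt"}
HEAD_BYTES = 512  # enough for every signature above; keeps the walk cheap on a big share


def looks_like_text(head: bytes) -> bool:
    """Heuristic for .txt: no NUL bytes and at least 90% printable ASCII or whitespace."""
    if not head:
        return True          # an empty file is not evidence of anything
    if b"\x00" in head:
        return False
    printable = sum(1 for b in head if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(head) >= 0.9


def is_suspect(path: Path) -> bool:
    """True if the file's leading bytes do not match what its extension promises."""
    ext = path.suffix.lower()
    try:
        with path.open("rb") as fh:
            head = fh.read(HEAD_BYTES)
    except OSError:
        return False         # unreadable (locked, ACL): log separately in real use
    if ext in TEXT_EXTS:
        return not looks_like_text(head)
    sigs = MAGIC.get(ext)
    if sigs is None:
        return False         # extension out of scope
    return not any(head.startswith(sig) for sig in sigs)


def triage_share(root: str) -> dict:
    """Walk a share; return how many in-scope files were checked and which look encrypted."""
    checked, suspects = 0, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            ext = path.suffix.lower()
            if ext in MAGIC or ext in TEXT_EXTS:
                checked += 1
                if is_suspect(path):
                    suspects.append(str(path))
    return {"checked": checked, "suspects": sorted(suspects)}


def build_sample_share() -> str:
    """Constructed sample data (not files from the article): a temp directory with three
    healthy documents, two files whose contents were overwritten with junk, and one
    out-of-scope image that the walk must ignore."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "sub").mkdir()
    # Deterministic junk covering all 256 byte values: not a valid doc and not text.
    junk = bytes((i * 73 + 41) % 256 for i in range(256))
    (root / "ok.docx").write_bytes(ZIP + b"\x00" * 64)
    (root / "ok.pdf").write_bytes(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")
    (root / "notes.txt").write_bytes(b"meeting notes\nfollow up Monday\n")
    (root / "sub" / "hit.docx").write_bytes(junk)
    (root / "sub" / "hit.txt").write_bytes(junk)
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    return str(root)


if __name__ == "__main__":
    result = triage_share(build_sample_share())
    print(f"checked {result['checked']} in-scope files, {len(result['suspects'])} suspect")
    for path in result["suspects"]:
        print("  ", path)
```

This is a scoping aid, not a malware detector: it only says which files no longer look like what their extension claims, which is enough to size a restore and to spot which folders the compromised account could write to. Expect some false positives (an RTF saved with a .doc extension, or a UTF-16 .txt, which legitimately contains NUL bytes) and treat unreadable files as a separate list to review rather than as clean.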

This being Monday, I bit the bullet and decided to pull the weekly tape backup and restore from there. I wanted to skip any chance of reviving a virus I presumed dead on this one machine and pulled backups from tapes. 


This gets interesting because I inherited the system in which the backups are handled, and its creator no longer works with us. We use BackupExec 2010, which has been a bit of a bad update; nonetheless, it works and I’ve tested it. However, this particular facility backs up with Windows Backup and Restore to a remote server location daily, and that location gets backed up to tape weekly with Exec. I had not fully grasped that idea until this moment. In fact, it was kind of awesome. I was almost in a situation similar to the poor guy on Reddit from the Cryptolocker Hell post, as the backup used a service account and restoration required a password that happened to reside nowhere in any of the documentation.

I ended up copying the 214 GB backup file to a different remote location and gave a new service account access to it. It worked. It was a restoration process that was different from any I had done before, and different still from the way we back up at our other sites, but it worked. I was able to browse the backup file tree and restore the portion that was corrupt.


All in all, the ransomware spread incredibly fast and all documents, be they Office file types, .txt, or .pdf, were unreadable even if they did open. I would guess that I wasn’t really called right away (as was indicated by the user when I got the call), but it hit everything this user had rights to modify. I learned that understanding the entire backup method and storage locations for every site you deal with is absolutely necessary. I’m a strong believer in documentation. We can all follow simple instructions, especially if we created them!

---

Got some CryptoLocker, or other virus or ransomware, horror stories of your own? Share your scary security stories in the comments below or PM Eric to have it featured in the Spotlight on IT!

