Ransomware first person: Dealing with the Cryptolocker virus

Hear how one IT services professional resolved a Cryptolocker infection for a customer and why the virus is evidence customers need managed services.

"What were you thinking?" is exactly what I was thinking when the call came in from Karen at Alberson Insurance (names have been changed to protect the … err … innocent). It was a Monday morning, and apparently, the previous week, Karen had opened a suspicious email informing her of a delivery she hadn't been expecting. Shortly after opening the email, she noticed a pop-up on her screen with a countdown clock. Wary of the suspicious activity, she started a manual antivirus scan before she left for a long weekend, so she thought she was safe. But on Monday morning, as she settled into her chair and grabbed her coffee -- five days after she had first clicked the questionable message -- she realized something was wrong. She didn't know it yet, but she had the Cryptolocker virus.

Alberson Insurance is one of our older clients, and therein lies the problem. My company, AGJ Systems, is a managed service provider in south Mississippi. For our first seven years in business, we didn't offer flat-fee managed services. For this reason, many of our older clients were happy with our hourly services and we hadn't yet seriously made an effort to push them toward managed services, so they weren't using our "recommended" products, such as a BDR (backup/disaster recovery) appliance with hourly backup, a unified threat manager (UTM), and a managed antivirus system. If Alberson had been a managed service client, we could have been alerted to the virus by our managed antivirus system -- if our UTM hadn't blocked it in the first place. If the Cryptolocker virus made it past these two lines of defense, our BDR with hourly backup would have allowed us to roll the entire office back to the "last known good" backup. But without any of these services in place, we began to get concerned.

"This [Cryptolocker] event solidified for me the need for managed services at all of our small-business clients."
Ryan Giles, partner, AGJ Systems & Networks

Karen is the office manager at Alberson Insurance, and, as such, she has full access to almost all company data, including access to Alberson's entire new Office 365 SharePoint site. Since Karen works in many SharePoint files each day, she had asked us to map a drive on her computer to the company's SharePoint site. After the Cryptolocker virus did its damage and encrypted the files on her local PC, it moved on to the SharePoint site via the mapped drive. When we diagnosed the problem on Monday morning and realized that her backups had also been compromised, we shuddered to think that our only option may be to pay the ransom (even though we knew that wouldn't guarantee we'd get usable data in return). But even that option was lost: The antivirus scan Karen had run the previous week had removed the "countdown clock," and thus our ability to pay for the encryption key.

At this point, our options were becoming very limited. We could roll back to an older, local backup, but doing so would mean a significant amount of data would be lost. We chose a different option, recovering the Office 365 SharePoint backups. Microsoft keeps 14 days of backups for Office 365 SharePoint data, and we hoped that the last known good backup was more recent than the compromised local backup. Thankfully, we only had to go back three days (including weekend days, when little data had changed) to get a good backup from Microsoft.

We recovered the data and solved the immediate problem.

In retrospect, this event solidified for me the need for managed services at all of our small business clients (in fact, we have a meeting scheduled with Alberson Insurance to discuss our managed services). It reminded me that we offer managed services not only because they are good for our business, but also because they are the best for our clients. As such, we're going to spend time over the next few months visiting all of our long-standing clients not signed on with managed services. We can't, in good conscience, offer them a service model that doesn't meet their needs.

But whether you offer managed services or not, I suggest you take a look at your offerings and make sure you take a multi-zone approach to defeating viruses such as Cryptolocker. A UTM is a great tool to start with as it protects the computing resources at the gateway level. A managed antivirus product that you monitor daily is a great second line of defense. Whitelists and group policies also have a part to play, followed by a solid backup, which can be run hourly (if not more often). If you have these technologies in place at your clients' offices, you are ahead of the curve and your clients are lucky to have you as their service provider.
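The "monitor daily" layer above is where an infection like Karen's would have surfaced within minutes instead of five days. The script below is an added example, not code from the article or from AGJ Systems: it shows the kind of burst-rename rule a monitored endpoint or file-server audit feed can apply. The log format, the user names, the paths (including the mapped Z: drive standing in for the SharePoint mapping described earlier) and the threshold are all constructed for the example.

```python
# Added example (not from the article): a minimal burst-rename detector of the
# kind a monitored antivirus or file-audit service could raise. It reads a
# constructed file-change log and flags a user who renames many documents to an
# unfamiliar extension within a short window, which is the visible behaviour of
# Cryptolocker-style encryption working through local folders and mapped drives.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

WINDOW = timedelta(minutes=5)   # look-back window per (user, share)
THRESHOLD = 10                  # suspicious renames within WINDOW -> alert
DOC_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt"}


def share_of(path):
    """Group paths by drive letter or UNC share so an alert says where damage is."""
    path = path.replace("/", "\\")
    if path.startswith("\\\\"):
        parts = path.lstrip("\\").split("\\")
        return "\\\\" + "\\".join(parts[:2])
    return path[:2].upper()      # e.g. "C:" or the mapped "Z:"


def parse_line(line):
    """Constructed format:
    '<iso-ts> <user> RENAME <old path> -> <new path>'  or  '<iso-ts> <user> WRITE <path>'."""
    ts, user, op, rest = line.split(" ", 3)
    if op == "RENAME":
        old, new = rest.split(" -> ", 1)
    else:
        old, new = rest, None
    return datetime.fromisoformat(ts), user, op, old, new


def is_suspicious_rename(old, new):
    """A document losing a familiar extension in favour of an unfamiliar one."""
    if new is None:
        return False
    old_ext = os.path.splitext(old)[1].lower()
    new_ext = os.path.splitext(new)[1].lower()
    return old_ext in DOC_EXTS and new_ext not in DOC_EXTS


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (user, share) whose suspicious renames exceed
    `threshold` inside any `window`-long span; later events for that pair are
    not re-alerted."""
    recent = defaultdict(deque)   # (user, share) -> timestamps of suspicious renames
    alerted = set()
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, user, _op, old, new = parse_line(line)
        if not is_suspicious_rename(old, new):
            continue
        key = (user, share_of(old))
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": user, "share": key[1],
                           "first_seen": q[0].isoformat(), "count": len(q)})
    return alerts


def constructed_log():
    """Constructed sample: Bob's ordinary edits, then Karen's PC churning through
    her C: drive and the mapped Z: drive within a couple of minutes."""
    lines = [
        "2013-11-14T08:55:10 bob WRITE C:\\Users\\bob\\quotes\\q1.xlsx",
        "2013-11-14T08:57:41 bob RENAME C:\\Users\\bob\\quotes\\draft.docx -> C:\\Users\\bob\\quotes\\final.docx",
    ]
    start = datetime(2013, 11, 14, 9, 2, 0)
    for i in range(12):
        t = (start + timedelta(seconds=4 * i)).isoformat()
        lines.append(f"{t} karen RENAME C:\\Users\\karen\\Documents\\policy{i}.docx"
                     f" -> C:\\Users\\karen\\Documents\\policy{i}.docx.encrypted")
    for i in range(15):
        t = (start + timedelta(minutes=1, seconds=3 * i)).isoformat()
        lines.append(f"{t} karen RENAME Z:\\Shared Documents\\claim{i}.pdf"
                     f" -> Z:\\Shared Documents\\claim{i}.pdf.encrypted")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

Bob's rename of draft.docx to final.docx never counts because both extensions are familiar; Karen trips the rule once on C: and again, separately, on the mapped Z: drive, which is exactly the share-by-share view a responder wants when deciding what to restore. In a real deployment the alert would feed the managed antivirus console rather than stdout, and the threshold would be tuned against a week of normal activity per client.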

Ryan Giles is a partner with AGJ Systems & Networks and a member of The ASCII Group.

This was first published in December 2013
