December 13, 2018

The CryptoLocker Virus – another good reason to rethink your backup process


The latest plague to hit the headlines, servers and wallets is CryptoLocker, a nasty piece of malware that encrypts and locks IT files. This troublesome Trojan holds its victim's computer data hostage and demands hundreds of pounds for its release.

Britain’s new National Crime Agency (NCA) has issued an “urgent alert” to raise awareness of this mass phishing campaign, which even the best data security minds can’t currently resolve. Bypassing most anti-virus protection software, the ransomware is activated once the recipient opens a .PDF file, often cleverly disguised to look as though it’s from a genuine contact via a social network or from someone within your organisation.


What happens?

Once the recipient opens the file, photos, files and documents are instantly encrypted, a splash screen appears displaying a 3-day countdown clock and a demand for payment of 2 Bitcoins in ransom (approx £536 as at 15/11/2013 - a figure that’s rocketing as the Bitcoin value soars) for the decryption key. The victim must then pay up or lose all the data on their system in the time allotted.

However far-fetched the idea of paying up might be, there have been plenty of reports of organisations paying the ransom rather than face the prospect of losing their data. Even respected law enforcement agencies such as a US Massachusetts police department have admitted paying a ransom after being infected by CryptoLocker, according to a recent report in the Guardian.

In an ironic twist, the use of some anti-virus software can make matters worse! It detects the malware only after the encryption has taken place, and by removing it prevents the user from paying the ransom. According to an article by respected security journalist Brian Krebs, older versions of antivirus software remove the CryptoLocker infection post-encryption, which leaves the user unable to pay the ransom. So the user has no options at all; no access to data and no ability to pay the ransom, unless of course they can roll back to an uninfected backup…

Who’s at risk?

The malware primarily targets users in the US and UK, with India, Canada, Australia and France as second-tier targets, but its impact can be far-reaching. Some versions of the malware reportedly affect not only local files but also those stored on removable media such as USB sticks, external hard drives, network file shares and some cloud storage services that sync local folders with online storage. As the malware can jump from machine to machine within a network, the NCA advises that affected computers should be disconnected from the network immediately.

What can you do?

Prevention is always better than cure, so scrutinise any emails with .PDF attachments before opening them. However, what this has highlighted once more is the need for a sophisticated backup and recovery service. All servers should be backed up regularly, preferably using a continuous backup that enables you to recover from several time slices during the day or from previous days. If you become infected, you can simply roll back to one of your backups that isn’t infected and avoid paying the ransom; and let’s face it, there is no guarantee that paying will work anyway, or that the criminals won’t come back for more.

For further advice on continuous backup services that minimise risk and maximise productivity within your organisation, speak to DATAFORT on 0800 44 45 35.