Ransomware is not new, but in the past year it has entered an entirely new era with the advent of the CryptoLocker virus. Just in the last two days, in different parts of the country, two of our accounting software users have encountered this virus and it has created havoc. Neither paid any ransom; both were able to thwart the virus by taking fast action. Nonetheless it caused an interruption in business for these users, along with technical support expenses and considerable angst.
Once a system is infected, the virus spreads very quickly and easily onto shared network drives. On one system it jumped to a server drive from a client PC that had only basic, non-administrative user rights, and within less than two hours it had copied its ransom notice files into every folder on that drive. So any PC (or other device) connected to your network server could spread it.
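To scope an incident like the one described above (ransom notes dropped into every folder of a share, files being overwritten from an ordinary user account), here is an added example that is not from the original post: it walks a share, lists the folders holding a ransom note with the earliest note timestamp, and checks a canary document against the digest recorded when it was placed. The note file names, the canary name and the directory layout are assumptions, and the share tree is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed ransom-note file names (placeholders; real variants use other names).
NOTE_NAMES = {"DECRYPT_INSTRUCTIONS.txt", "HOW_TO_RESTORE_FILES.html"}
# A canary document placed on the share; if its bytes change, encryption is under way.
CANARY_NAME = "_canary_do_not_touch.docx"


def canary_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_share(root: str, expected_canary: str) -> dict:
    """Walk the share once and report which folders hold a ransom note, the
    earliest note timestamp (to bound the incident window) and whether the
    canary file still matches its recorded digest."""
    hit_dirs, earliest, canary_ok = [], None, None
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name in NOTE_NAMES:
                hit_dirs.append(os.path.relpath(dirpath, root))
                mtime = os.path.getmtime(full)
                if earliest is None or mtime < earliest:
                    earliest = mtime
            elif name == CANARY_NAME:
                with open(full, "rb") as fh:
                    canary_ok = canary_digest(fh.read()) == expected_canary
    return {"affected_dirs": sorted(set(hit_dirs)), "earliest_note": earliest,
            "canary_intact": canary_ok}


def build_constructed_share() -> tuple:
    """Constructed test data: a throwaway tree imitating a share where a note
    was written into every folder and the canary was overwritten."""
    root = tempfile.mkdtemp(prefix="share_")
    canary_path = Path(root, CANARY_NAME)
    canary_path.write_bytes(b"canary baseline")
    baseline = canary_digest(b"canary baseline")  # digest recorded at deployment
    for sub in ("", "Accounting", "Accounting/2013", "HR"):
        folder = Path(root, sub)
        folder.mkdir(parents=True, exist_ok=True)
        (folder / "DECRYPT_INSTRUCTIONS.txt").write_text("pay to decrypt")
    canary_path.write_bytes(b"\x00encrypted")  # simulate the canary being hit
    return root, baseline


if __name__ == "__main__":
    share, recorded = build_constructed_share()
    print(scan_share(share, recorded))
```

A non-empty affected_dirs list or a false canary_intact is the cue to disconnect the share and move to the offline backup.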
Additional morphs of CryptoLocker have also recently appeared. Your anti-virus program may not be able to detect CryptoLocker or its morphs. Therefore it is critical to educate your end users NOT to click on links or open e-mail attachments from unknown, untrusted or suspicious sources, which may be disguised in any number of ways.
It is not clear whether the virus is able to encrypt files that are in active use, but it does not seem to discriminate in terms of which files it goes after. One user's first notification was when a simple JPEG file could not be loaded, having essentially been corrupted by the virus.
General background information about the CryptoLocker trojan can be found on Wikipedia.
A Virus Bulletin Ltd. blog mentions a recent tool that may be able to provide the decryption phrase in some circumstances, the result of a joint effort between FireEye and Fox-IT (the PDF maker). See:
Some further helpful technical details:
As discussed in greater detail in a related blog, lack of end user awareness of the serious infections that can result from careless e-mail use is a significant part of the problem. And hackers know this.
Recovery requires an off-line backup made prior to the infection. So in addition to strongly reminding end users about e-mail and related dangers, revisiting your backup strategy is also in order.