<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=259493914477262&amp;ev=PageView&amp;noscript=1">

Tabush Group's Cloud & Managed IT Blog

CryptoLocker: A Firsthand Experience

The big IT news lately has been about the Heartbleed SSL vulnerability, however, malware and viruses still are the most prominent threat to small to medium sized businesses.

CryptoLocker, which surfaced in late 2013, is still out there, and its destructiveness hasn’t dwindled. CryptoLocker is malware which encrypts all files it finds on a computer or network, rendering them inaccessible.

Last month we were called in by a business which had been ‘hit’ with this CryptoLocker virus and want to share with you how we battled it.

The company (not a managed services client of ours) had contracted the virus on their network 1 day earlier. The process to clean the network would normally be to remove the virus, delete the infected files (which were all of the company’s shared files) and restore the files from backup. First BIG problem: The company did not have adequate up to date backups. We now had two tasks to complete:

  1. Rid their network of the malware
  2. Obtain the decryption code to unlock the files making the files accessible again

Their business was seriously impacted by the inaccessibility of their data, so time was of the essence.

Here’s a brief summary from Ezra Shiram, our technical engineer who led the process, of what he went through:

  • “First, I had to clean the infected servers and ensure the remainder of the network was clean, which led us to the second BIG problem: the company did not have solid up-to-date Anti-virus software installed. We rolled out our managed AV platform in order to clean the servers and roll out our AMP system to ensure the network was completely virus-free. This took around 2 days.
  • Once the network was clean, I started focusing on getting the decryption code. We had less than 48 hours left until the ransom offer expired and all files were deleted, which I thought would be more than enough time. Our only other option was restoring from month-old backups, which obviously wasn’t a great ‘plan b’.
  • Payment via credit card was not an option. The ‘file kidnappers’ demanded payment in bitcoins, 0.7 bitcoin ($700 at the time) to be exact. So how does one go about buying bitcoin?
  • Most exchanges we found to purchase bitcoins required a bank transfer and 5-7 business days to clear. The client could not wait this long.
  • Fortunately, I found a bitcoin dealer right here in NYC. As directed, I instructed the client to go to someone’s apartment in the East Village with $700 cash to purchase the bitcoin. He did, and let’s just say this was not like walking into a Chase or Citibank branch. But he got the bitcoin.
  • Next, we uploaded the bitcoin to the website as instructed by the kidnappers which started the decryption process. Then, we had to sit and wait, knowing that decryption has a 20% failure rate.
  • It took about five hours for the decryption process to run – which were the longest five hours of my life - but we got the decryption code, and were able to successfully restore all of the clients files back to normal.”

The good news is that after almost a week of hard work, we were able to decrypt almost all of the client's files. However, between professional services fees, downtime, and the bitcoin, the client was out thousands of dollars.

Don’t be the next victim of CryptoLocker!

  • Have good virus & malware protection – both at the desktop server and on your email. Ensure it’s thoroughly installed, properly configured, and managed.
  • Don’t open suspicious emails. If something seems strange, it probably is.
  • Invest in good backups. Trust me, you’ll be happy you did.
Topics: Cybersecurity Managed IT