I’ve had two run-ins with copycat versions of the CryptoLocker virus recently.
Usually virus infections are just a nuisance, since they mostly attack executables. That is easy enough to fix in most cases; in the more extreme cases you recover your data by mounting the hard drive in a protected machine, copying your data off and starting on a freshly installed machine (which has some advantages, like a nice clean install).
The CryptoLocker variants (the CryptoWall virus, in my case) are a beast of another nature: they target your actual data!
It is a Trojan horse that arrives in an email with a zip file. The zip file contains an executable disguised as a PDF invoice, statement or proof of payment, seemingly from the bank. The email looks legitimate at first glance, and unfortunately most people do not realise that:
A: The sender of the email is not a known entity/person (inspecting the sender’s address will usually reveal a bogus email address, although it might look very authentic).
B: Invoices/statements are usually not zipped.
Once the user runs this “masked” executable, it looks for all available drive letters, including your mapped drives to the company server. The virus looks for specific file types, including Word documents, Excel spreadsheets, pictures and even some of your Pastel files, to name a few. These files are then encrypted and become unusable until they are decrypted.
If permissions are set up correctly, the damage is restricted to the folders that the user account which opened the virus has access to. Unfortunately, most company folders and Pastel shares are a free-for-all and easily reachable by the virus.
Every folder reachable by the virus will contain 3 new files with instructions on how to get your data back.
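A small triage script, added here as an example (not from the original post), that walks a share or mapped drive and lists every folder the virus reached, going by the ransom notes it leaves behind, together with the document files sitting next to them that will need restoring from backup. The DECRYPT_INSTRUCTION name comes from the post; the .txt/.html note extensions, the data-file extension list and the sample folder tree are assumptions.

```python
import os
import tempfile
from collections import Counter

# The post names DECRYPT_INSTRUCTION.url; the other two note names
# (.txt, .html) and the data-file extension list are assumptions.
NOTE_STEM = "DECRYPT_INSTRUCTION"
NOTE_EXTS = {".txt", ".html", ".url"}
DATA_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".pdf"}


def is_ransom_note(name):
    stem, ext = os.path.splitext(name)
    return stem.upper() == NOTE_STEM and ext.lower() in NOTE_EXTS


def triage(root):
    """Walk one share or mapped drive and report folders holding a note.

    Returns {folder: Counter(ext -> count)} for the data files found next
    to the note, i.e. the files to assume encrypted and restore from backup.
    """
    affected = {}
    for dirpath, _dirs, files in os.walk(root):
        if not any(is_ransom_note(f) for f in files):
            continue
        exts = Counter(os.path.splitext(f)[1].lower() for f in files)
        affected[dirpath] = Counter({e: n for e, n in exts.items() if e in DATA_EXTS})
    return affected


def build_sample_tree():
    """Constructed sample share: one folder the virus reached, one it did not."""
    root = tempfile.mkdtemp(prefix="share_")
    hit = os.path.join(root, "Finance")
    clean = os.path.join(root, "Archive")
    os.makedirs(hit)
    os.makedirs(clean)
    for name in ("DECRYPT_INSTRUCTION.txt", "DECRYPT_INSTRUCTION.html",
                 "DECRYPT_INSTRUCTION.url", "budget.xlsx", "invoice.docx", "logo.png"):
        open(os.path.join(hit, name), "w").close()
    open(os.path.join(clean, "old.docx"), "w").close()
    return root


if __name__ == "__main__":
    for folder, counts in triage(build_sample_tree()).items():
        print(folder, dict(counts))
```

Run it against each mapped drive letter from a clean machine; the folders it lists are the scope of the damage and the ones to restore from a pre-infection backup version.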
To get your data back you have two options: go through the rather gruelling experience of buying Bitcoins in South Africa to pay the ransom for decrypting your data, or restore from backups.
Bitcoins: (Hopefully your last resort)
Bitcoin is a form of digital currency, created and held electronically. No one controls it. Bitcoins aren't printed, like dollars or euros – they're produced by people, and increasingly businesses, running computers all around the world, using software that solves mathematical problems.
Sounds easy enough… but it isn’t, unless you are already trading in them.
If you do find a trustworthy company that will allow you to buy bitcoins in SA, you will need to register, upload a copy of your ID book and proof of address, and verify your cell number. I registered with BitX; they were quick to respond and easier to use than the others I tried.
Once this is done, you need to transfer funds via EFT to this company in order to convert the Rand value into Bitcoins (BTC).
Usually the ransom is $500, which equated to 1.39 BTC at the current Bitcoin exchange rate.
The ransom doubles every 7 days, so don’t wait too long if you do feel that it’s worth buying your data back.
When your funds show at BitX a couple of hours later, you buy the necessary amount of Bitcoins and send them to the specified Bitcoin address, then enter the reference number on the DECRYPT_INSTRUCTION.url page (read this page carefully; it contains all the necessary details regarding the payment).
If you do decide to use BitX, you don’t need to register a wallet as you are able to pay directly from your BitX Dashboard.
It took about 5 hours after payment was made to the “Lowlife Data Kidnapper” (as that is the cleanest description for him/her/them that I can think of) for the payment to reflect and the decryption tool to be made available for download.
Though everything in me screams not to unleash the decryption program for fear of what other unseen damage it may do… I did not really have another choice.
I’m decrypting the data as I’m typing this, and every file that I’ve tested seems OK; even Pastel is running fine again.
Restoring from backups is obviously the best way to get around this infection, and it has saved some of my other clients’ data with this infection.
The way you back up, however, is the trick.
Having an external drive connected to the infected PC is useless, as it will also be encrypted. If that external drive is connected to your server and not shared or accessible from your workstation, it should be fine, provided you pick up that you’ve been infected before your next backup runs!
This is where versioning or historical backups come in: making sure that you have more than just yesterday’s data in your backups is the cheapest way to restore your data.
How far back you go is up to you, but keep in mind that if you are infected on the Thursday afternoon just before a long weekend, 2 or 3 days back might not be far enough.
I hope this article sheds some light on how to prevent or resolve this matter.