CryptoLocker is a Trojan that encrypts files on an affected system. It first appeared on the Internet in 2013 and was targeted at Windows-based platforms. Once downloaded and activated, it looks for certain file types to encrypt using RSA public key cryptography.
How did this happen?
CryptoLocker usually spreads through a botnet or by way of compromised email attachments. The infection is usually triggered once a user opens the email attachment.
Our Response?
Our technicians got an immediate alert and acted straight away as per our usual processes.
Elements of the platform shut down automatically and we were alerted that this was a Crypto virus instance.
All access to email and OWA was automatically suspended, as designed, to stop the spread of the virus to users. This version of CryptoLocker (Ryuk Ransomware) works very quickly, and some files were affected in the short time between activation and shutdown.
Our status page was updated immediately to show customers that email access was closed down and to advise of the DR links.
Given the very nature of crypto, we needed to deny access to areas of the platforms so that we could clean and restore the data and services throughout while maintaining full security.
The whole system was up and running by 3.30am on Monday morning. Scanning was continuous, and you may have noticed the platform running slower than usual. These scans discovered HTML files that should not have been there. These are not viruses.
Upon discovering these HTML files, and following a risk assessment, we decided to remove all data that contained these files.
Therefore, below are some recommendations on how to avoid malware: