CryptoLocker is a Trojan that encrypts files on an affected system. It first appeared on the Internet in 2013 and targeted Windows-based platforms. Once downloaded and activated, it looks for certain file types and encrypts them using RSA public key cryptography.
How did this happen?
CryptoLocker usually spreads through a botnet or by way of compromised email attachments; the infection is typically triggered once the attachment is opened.
Our Response?
Our technicians got an immediate alert and acted straight away as per our usual processes.
Elements of the platform closed down automatically and we were alerted it was a Crypto virus instance.
All access to email and OWA was automatically suspended, as designed, to stop the spread of the virus to users. This version of CryptoLocker (Ryuk Ransomware) works very quickly and some files were affected in the short time between activation and shut down.
Our status page was updated immediately to show customers that email access was closed down and to advise of the DR links.
With the very nature of crypto we needed to deny access to areas of the platforms, so we could clean and restore the data and services throughout to maintain full security.
The whole system was up and running by 3.30am on Monday morning. Scanning was continuous and you may have noticed the platform was running slower than usual. These scans discovered HTML files that should not have been there. These are not viruses.
Upon discovering these HTML files, and following a risk assessment, we decided to remove all data that contained these files.
Therefore, below are some recommendations on how to avoid malware:
- The more files your user account has access to, the more harm malware can inflict. Restricting access is therefore a prudent course of action, as it decreases the scope of what can be encrypted. Besides offering a line of defence against malware, it also mitigates potential exposure to other attacks from both external and internal actors.
- You should take note of emails from senders you do not know, especially those with attached files.
- Disabling the Windows option that hides known file extensions can also help you recognize this type of attack, because a disguised attachment such as an executable named to look like a document then shows its real extension.
- Having a backup system in place for your critical files helps to mitigate the damage caused not only by malware infections but also by hardware problems or any other incidents.
- Continuous user education is key.
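One way to act on the hidden-extensions recommendation above, as an added example that is not part of the original notice: a PowerShell snippet that turns off Explorer's "Hide extensions for known file types" setting for the current user and then lists files whose names use a deceptive double extension. The folder scanned and the list of executable extensions are assumptions.

```powershell
# Added example: show real file extensions and flag double-extension file names.
# Explorer hides known extensions via the HideFileExt value under HKCU; 0 = show them.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Show-FileExtensions {
    $current = (Get-ItemProperty -Path $advanced -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    if ($current -ne 0) {
        Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0 -Type DWord
        Write-Output "HideFileExt was '$current'; extensions are now shown for this user (restart Explorer or sign in again to apply)."
    } else {
        Write-Output 'Extensions are already shown for this user.'
    }
}

# Executable and script extensions that a disguised attachment typically ends with (assumed list).
$executableExtensions = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.jse', '.vbs', '.wsf', '.hta')

function Find-DoubleExtensionFiles {
    param([string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | Where-Object {
        # "invoice.pdf.exe": the final extension is executable and a second one precedes it
        $inner = [System.IO.Path]::GetExtension([System.IO.Path]::GetFileNameWithoutExtension($_.Name))
        ($executableExtensions -contains $_.Extension.ToLower()) -and ($inner -ne '')
    } | Select-Object FullName, Length, LastWriteTime
}

Show-FileExtensions
# Assumed location: the user's Downloads folder, where mail attachments are commonly saved.
Find-DoubleExtensionFiles -Path (Join-Path $env:USERPROFILE 'Downloads')
```

Any file the second function lists deserves a closer look before it is opened; the scan only reports, it does not delete or quarantine.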