I have been watching with concern as ransomware spreads nearly unchecked throughout the world.  Many ways are being discussed but I chose to focus on recovery.  Local backups are now no longer safe as if you get a ransomware infestation these malware packages start encrypting everything it can see..files on your server and any attached devices.  This can(and often does) include your backup devices.

How can you protect yourself?  Pre-encrypted cloud based versioning backups. I have a vendor I use that supports not only Windows servers but also Linux based ones including the very popular Synology based NAS devices.  I had researched how ransomware works and by theory it should work fine.  The main advantage in this setup is that ransomware effects are usually immediately apparent.  Internal testing bore this out so i felt comfortable with basing my client security on not only trying to prevent infections but making sure an uncompromised backup was available.  I finally got the call I hoped I would never get.  A client with a ransomware infection.

Two days ago I get a phone call from a clients administrative assistant telling me she is seeing files showing up with a new file extension of .crypted.  I knew immoderately had a ransomware infection.  I rushed over to discover the owner had opened a .zip file that appeared to be from the courts about a case he was involved in.  Unfortunately this was a fake email.  The client then downloaded the .zip and opened it.   He knew something was wrong right away because all of a sudden his NAS started getting hammered as his workstation began encrypting not only his workstation files but also the files on his NAS.  Unsure of what was happening he started a manual scan of his anti-malware(Webroot) which failed to initially detect the malware and upon starting the manual scan was unable to remove the malware.  By the time I got the call the ransomware had been chomping on his business for 30 minutes.

When I arrived the client had unplugged the power cord from his machine…however the damage was done.  I unplugged the network cable from the NAS and did a full evaluation of all other machines in the building.  With all of the other machines checked clean I turned my attention to the NAS.  Unfortunately all of the files that had been encrypted were ultimately unrecoverable.  The malware in question was called teslacrypt.  The client did not want to pay a ransom.  I found a decrypter online by Cisco but as teslacrypt is not written with high quality code and Cisco security said their decrypter might not work..and unfortunately it failed.  I then had to start a search and removal of all of the .crypted files off the NAS.  Once that completed I began the recovery of all files from the cloud backup to the NAS.  Due to the 26 gigs of files that needed to be recovered I advised the to allow the NAS to go the remainder of the day and all night to complete the restore.  This had the effect of shutting him down for that day.

I meanwhile took the workstation to my office to run an external series of scans on the machine.  First up was AVG Rescue disk.  It found and removed all 7 infections on the machine.  Microsoft offline defender found nothing and neither did Avira rescue.  I then brought the machine back online with my Sophos UTM watching closely for any signs of infection.  I left the machine sit all night with the UTM closely watching for any signs of malware traffic.

The next morning The workstation has tested clean and I log into the NAS to find it has finished its recovery.  I headed back to the clients location with his workstation and informed them the NAS has finished its recovery.  The assistant logs in and finds all of her files back albeit a day behind.  The workstation is brought back online and nothing untoward is happening.

In this case the client violated my Basics of not Getting Infected by clicking on an attachment without scanning it first.  Unfortunately this resulted in the near total loss of all of his data and possibly the loss of his business.

ETCs forward thinking about ransomware was a major reason this client did not suffer the total loss of all of his company data and possibly the loss of his business even in the face of a major mistake by the business owner. ETC Maryland has been thinking ahead about how this could happen and planned for this eventuality.  If you want your business to be able to survive the worst case scenario you need a technology consultant who is always trying to think ahead.  Contact ETC Maryland to evaluate your data security for proper protection against ransomware or any other data security threat.