The cryptolocker infection & successful removal
This month has been a strange one in terms of malware infections: two different companies contacted us looking for assistance in cleaning the cryptolocker infection from their computers. The two clients had similar issues – documents and files were encrypted and the attacker was asking for 3 BTC (bitcoin), around €2,000 in value (May 2017). They had a time limit to purchase this unlock key, after which the key would be destroyed.
Cryptolocker is the name given to a specific piece of malware, a type known as ransomware. What this particular piece of malicious code does is encrypt the files within your profile folders on your computer, such as documents and desktop files, and it also has the potential to lock files on any network shares the user has access to, such as files on a server. This virus actually came out sometime in 2013, and was distributed through a botnet. To find out more about Cryptolocker, check Wikipedia here. There’s also a very good article on The Observer website. What is a botnet? It’s a series of connected devices (computers), each running several “bots” (pieces of code), where the “net” (network) of devices combines to distribute these programs, seeking out computers with code vulnerabilities that can be affected through systematic attacks to deny services.
So back to our two service calls, each of which was in a different county, but again, we responded and dispatched one of our technicians to resolve it.
So the first client had three infected workstations (Windows 7 desktop computers) as well as the files that were shared on the server. We asked whether the client had a backup, which luckily they did. The files affected were Microsoft Office files – Word and Excel format. They had a firewall, they were running Office 2013 and received POP3 email.
The second client was a hardware company renting out tools, with file shares and an application issuing invoices in Excel format via a Microsoft Access database. The database files were encrypted as well as the desktop and document files. The last functioning backup was over a month old.
How was the trojan activated? Through email, of course. It’s unknown whether AVG was scanning the email or whether the definitions weren’t quite up to date in both cases. In the first case, an email came into a bookkeeper’s mailbox, with the subject purporting to be a statement from one of their suppliers. It was a zip file, statement.pdf.zip, and the Windows default of hiding known file extensions was still in place, so this user wouldn’t have seen the .zip extension. Inside the zip folder was a hidden executable, and running it did the damage. The user couldn’t see the PDF and forwarded it to two colleagues, each of whom also opened the file!
Client 2 was using a free email service, and was viewing the emails over the web. Again, it was a bookkeeper, who saw a little email from an unknown source with the title “Wedding Photos”. The email contained a zip file… you can guess the rest…
What both customers had in common was the method of distributing the infection: email that wasn’t being scanned for viruses or spam, because they were using POP mail or a web interface without a scanner such as the ESET Outlook plugin, plus a few users who were inquisitive or confused.
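Both infections hinged on the same trick: a zip attachment carrying an executable whose name ends in a decoy document extension, which Explorer’s “hide extensions for known file types” setting displays as a harmless-looking document. The following script is an added example, not code from this post or from any of the products mentioned, showing how a mail gateway or helpdesk tool could open a zip attachment in memory and flag such members before a user ever sees them. The sample archives are constructed inline (a fake statement.pdf.exe modelled on the first case, and a clean statement.pdf for comparison); the extension lists and function names are my own assumptions.

```python
import io
import zipfile

# Extensions Windows treats as runnable when double-clicked (assumed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
}

# Extensions a user expects to be a harmless document or picture (assumed list).
DOCUMENT_EXTENSIONS = {
    ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png", ".txt",
}


def displayed_name(filename):
    """Return what Explorer shows with 'Hide extensions for known file types' enabled.

    Explorer strips only the final extension, so 'statement.pdf.exe'
    is shown to the user as 'statement.pdf'.
    """
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename


def classify_member(filename):
    """Classify a single archive member name.

    Returns 'ok', 'executable', or 'double-extension executable'
    (an executable hiding behind a document-style penultimate extension).
    """
    base = filename.rsplit("/", 1)[-1].lower()   # drop any folder prefix
    parts = base.split(".")
    if len(parts) < 2:
        return "ok"
    if "." + parts[-1] not in EXECUTABLE_EXTENSIONS:
        return "ok"
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
        return "double-extension executable"
    return "executable"


def scan_zip_attachment(data):
    """Inspect raw zip bytes without extracting anything to disk.

    Returns a list of (member name, verdict, name the user would see)
    for every member that should not reach a mailbox unchallenged.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            verdict = classify_member(info.filename)
            if verdict != "ok":
                shown = displayed_name(info.filename.rsplit("/", 1)[-1])
                findings.append((info.filename, verdict, shown))
    return findings


def build_sample_zip(members):
    """Build an in-memory zip from {name: bytes}; used only to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the 'statement.pdf.zip' lure from the first case,
# and a genuine-looking PDF attachment for comparison. Payload bytes are dummies.
SAMPLE_STATEMENT_ZIP = build_sample_zip({"statement.pdf.exe": b"MZ dummy payload"})
SAMPLE_CLEAN_ZIP = build_sample_zip({"statement.pdf": b"%PDF-1.4 dummy document"})

if __name__ == "__main__":
    for label, blob in (("statement.pdf.zip", SAMPLE_STATEMENT_ZIP),
                        ("clean.zip", SAMPLE_CLEAN_ZIP)):
        hits = scan_zip_attachment(blob)
        print(label, "->", hits if hits else "no suspicious members")
```

Run as a script, the lure archive is reported as containing `statement.pdf.exe`, flagged as a double-extension executable that the user would have seen as `statement.pdf`; the clean archive produces no findings. A gateway rule that quarantines any message whose zip attachment returns a non-empty list from `scan_zip_attachment` would have stopped both of the emails described above, independent of whether antivirus definitions were current.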
Removal of the infection
Removal in both cases was fairly straightforward. It was removed by an excellent piece of freeware called Malwarebytes, which I have been using for years. Once I knew the computers were clean, we restored client 1’s server files. Desktop files weren’t important.
Client 2 was a little harder as there were no backups of individual files, only a backup of the Access database and the associated Excel spreadsheets from a month back, but they had paper backups of all accounts. They were just about to pay the ransom; however, in attempting to purchase the bitcoin he was asked to provide a photo of both sides of the credit card, and another with the owner of the card posing with the card in hand. All too complicated.
Ethically, I suggested we restore the last backup and spend the money on some staff overtime for data entry, and that they invest in a good firewall and move their email platform to Office 365. It’s also important to keep Microsoft Windows and Office applications up to date.
On leaving both clients, I suggested they use ESET Endpoint Protection, as its LiveGrid and HIPS systems block unauthorised remote access to the network with intrusion detection and prevention technology. I also recommended the implementation of a good firewall, as well as using some common sense when it comes to opening emails. In the end, neither of them could recover the encrypted files, just the last known good backup.