How to fix a cryptovirus like Locky, CryptoLocker, TorrentLocker
“Your backup plan never survives first contact with a cryptovirus”. It's the most likely security incident that will test how well thought out your backup strategy is.
On 17th Feb at 2.07pm a receptionist opened an email attachment that looked like a legitimate invoice. At 2.08pm a download called eiaus11.exe arrived in the temp directory and launched. By 4pm it had encrypted nearly 91,000 files – all the Word documents, Excel documents, PowerPoint presentations, databases, images, x-rays, patient info. The ransom for the decrypt password was £300. Paying is an absolute last resort – don't pay the ransom! You will go on a mailing list for a lot of future attacks.
It's almost not worth wasting the time trying to find a way round the encryption. Most of them are pretty slick now: the decryption key is hidden somewhere on the internet, payment is by untraceable Bitcoin, and some even offer tech support. Just occasionally a fix turns up, but months after the event.
The only other cure is to fire up the backup and restore to the previous evening. However, some of the cryptoviruses are now targeting backups, in an effort to maximise ransom payment. Dropbox, OneDrive and similar file sync tools are not actually backups – encrypted files will be synchronised to the data centre and then to your mobile devices. Volume Shadow Copy (a handy Windows file recovery mechanism) gets deleted. A backup drive on a server that is shared will be attacked and encrypted along with everything else.
Make sure your backup and security is multi-layered and comprehensive – on-site backup, off-site backup, email filtering, desktop anti-virus. Make sure it's a full backup. Make sure it is tested regularly. You don't want the first test to be when you're staring at 91,000 inaccessible files with the business stopped dead in its tracks.
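One cheap way to "test it regularly" and to notice when the backup set itself has been hit is to record a hash manifest at backup time and re-check it later. The script below is an added illustration, not tooling from the original post or from any backup product: it builds a SHA-256 manifest of a backup tree, then re-verifies the tree and reports files that are missing, changed, newly appeared, or whose byte entropy looks like ciphertext rather than a document. The directory layout, file names, the 7.5 bits-per-byte threshold and the `bytes(range(256)) * 16` stand-in for encrypted content are all constructed for the demo.

```python
"""Backup integrity / restore-test check (added example, not the post's tooling).

At backup time: build_manifest() records relative path -> SHA-256.
At test time:   verify_backup() re-hashes the backup (or a restored copy) and
                classifies every file. A high Shannon entropy on a changed file
                is a cheap hint that a document was overwritten with ciphertext.
"""
import hashlib
import json
import math
import tempfile
from collections import Counter
from pathlib import Path

# Assumption for the demo: ordinary office documents and CSV/DB dumps rarely
# reach 7.5 bits per byte; uniformly random or encrypted data sits near 8.0.
ENTROPY_THRESHOLD = 7.5


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files don't sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the tree under root against a previously stored manifest."""
    result = {"ok": [], "missing": [], "changed": [], "suspicious": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
            continue
        if sha256_file(p) == expected:
            result["ok"].append(rel)
            continue
        result["changed"].append(rel)  # content differs from backup time
        if shannon_entropy(p.read_bytes()) >= ENTROPY_THRESHOLD:
            result["suspicious"].append(rel)  # changed AND looks like ciphertext
    # Files present now that were never in the manifest (e.g. a dropped note).
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest:
            result["unexpected"].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario: take a manifest, then tamper with the backup set."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "db").mkdir()
        (root / "docs" / "invoice.docx").write_text("Invoice 1234 due 30 days. " * 200)
        (root / "docs" / "letter.docx").write_text("Dear patient, " * 200)
        (root / "db" / "appointments.db").write_text("id,name,time\n" * 300)
        (root / "db" / "notes.txt").write_text("reception notes\n" * 50)

        # The manifest would normally be stored with the off-site copy, not on
        # the shared backup drive; here it is just round-tripped through JSON.
        stored_manifest = json.dumps(build_manifest(root))

        # Simulate the damage the post describes: one document overwritten with
        # ciphertext (constructed stand-in, entropy exactly 8.0), one deleted,
        # a note dropped, plus one legitimate edit that should NOT be flagged.
        (root / "docs" / "invoice.docx").write_bytes(bytes(range(256)) * 16)
        (root / "docs" / "letter.docx").unlink()
        (root / "docs" / "READ_ME.txt").write_text("constructed ransom-note stand-in")
        (root / "db" / "appointments.db").write_text("id,name,time\n" * 301)

        return verify_backup(root, json.loads(stored_manifest))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` reports `docs/letter.docx` as missing, `docs/invoice.docx` as changed and suspicious, `db/appointments.db` as changed but not suspicious (an honest edit), `docs/READ_ME.txt` as unexpected, and `db/notes.txt` as ok. Scheduling a run of `verify_backup()` against each backup tier turns "make sure it is tested" into something that actually fires before the day you need the restore.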
On the 18th Feb at 9.30am, the online backup completed the restore of the appointment database and all the related customer info. The receptionist logged back in and everyone breathed a sigh of relief, a little greyer, a little wiser.
The biggest issue encountered wasn't the encryption or being unable to work, it was the fact that the broadband service was a limited package, with an almost used-up allowance that wouldn't allow for a full download from the backup service. As they say, your plan never survives first contact with the enemy. Use our experience to revise your plan.