Could you be held to ransom? GCI's CryptoLocker warning
16 March 2016
GCI warn that infections by the ransomware Trojan CryptoLocker are on the rise, and businesses should take action to ensure they are protected from attacks.
Following a number of clients reporting CryptoLocker attacks, GCI urge businesses and individuals alike to take precautions. Thought to have first appeared in September 2013, CryptoLocker is a type of ransomware – a type of malicious software, or “malware”, which infects a computer or network to limit or prevent its use. A “ransom” is then demanded of the affected person or business to remove the limitations, usually with a short deadline for payment. In the case of CryptoLocker, there is a further threat: the malware encrypts files, so that by the time the ransom is demanded, potentially vital files and folders are already inaccessible and could be lost forever. Victims are then forced to choose between paying the amount asked, often through the digital payment system Bitcoin, or trying to restore their data to a point prior to encryption.
With a survey by the University of Kent determining that in January 2014, 9.7% of their respondents had experienced some sort of ransomware attack – around twice as high as they expected – it is clear that vigilance is required. With CryptoLocker regularly being disguised by criminals in an email or attachment from seemingly legitimate companies – often as a bank transfer receipt or invoice, or even seemingly sent by a customer complaining about a product or service – it is easy to see why there has been a surge in downloads by unsuspecting individuals. After several customers expressed concerns about such ransomware threats, Blue Chip worked hard to quickly develop three packages of work designed to prevent, mitigate and recover from any such infection. Offered to all clients, there was a large uptake to ensure that company files and data were protected against the majority of CryptoLocker variants, and in a better position for data recovery against newer variants. However, with new versions of CryptoLocker being developed and released regularly, the focus on data recovery becomes ever more essential, as one customer recently discovered.
Approximately a fortnight after opting for GCI's program of preventative work, a customer reported an urgent and immediate need for intervention, as they had suffered a CryptoLocker attack. Whilst they were protected against all known varieties of this ransomware, they were unlucky to have been infected by “Zero-Day Malware” – that is, a previously unreported or unseen variant for which no antivirus software signature has yet been developed. Fortunately, and unlike in many cases of CryptoLocker attacks, due to the preventative work undertaken by Blue Chip it was possible to recover the majority of the customer’s data without them having to pay for decryption.
One of GCI's Technical Team Leaders, Rob Goult, was the Lead Engineer responsible for the data recovery and reported that without pre-emptive action, the client could have lost more than 24 hours’ worth of data. As a manufacturer this would have seriously affected their revenue stream; however, having taken proactive steps to protect themselves, the destructive effect was dramatically lessened.
“Once the infection had been reported and identified, the encryption of our client’s files was halted and steps were taken to prevent reoccurrence,” said Rob. “Due to previous work completed, we were able to recover their data to a point 1 hour before the attack hit, therefore drastically reducing business impact.”
Not only was the vast majority of the data, previously feared irretrievable, rescued, but identifying this brand-new variant also allowed GCI to update other customers’ anti-malware provisions with its identifying characteristics, thereby ensuring the protection of others against the latest threat. Nevertheless, Rob still advises caution to both businesses and individuals:
“Had our customer not chosen to deploy the proactive work to protect their environment, their data would have probably been lost forever. By taking steps to detect and prevent malicious activity and, most importantly, backing up critical data, we placed the customer in the best possible position to reduce business impact and return to normal as quickly as possible.”