What To Do When Your Small Business Is Hit By A Cryptovirus

When Kristie Green, owner of North Star Scaffolding, saw a traffic infringement notice email come through on the computer she uses to run her small business, she didn't think twice about clicking it. The computer instantly froze, and then a message appeared on the screen informing her that the device had been hijacked and that she needed to pay a $900 ransom to regain access to all her files. Kristie had been hit by a cryptovirus.


Cryptoviruses are targeting Australian small businesses in force right now. According to Symantec security expert Mark Shaw, crypto malware attacks on Australian businesses have increased significantly over the past two years, making Australia the favourite target for cryptoviruses in the Asia-Pacific region.

Cryptolocker and Cryptowall are the malware families of choice for these computer kidnappers. They have been used in high-profile mass attacks built on targeted phishing emails posing as well-known Australian brands such as Australia Post, Energy Australia and the NSW Office of State Revenue, with links to malware that usually disguises itself as a PDF or a ZIP file.

"This form of cybercrime is proving very lucrative for those behind it given the high clickthrough and infection rate," Shaw said, noting around three per cent of users actually fork out the ransom.

Kristie was one of them. The locked work computer not only held important business documents but also contained valuable personal photos she couldn't bear to part with. She had not backed up any of her files. The timer on the screen, counting down to when her files would be destroyed, sent her into a panic.

"I called up three IT guys and two didn't even want to deal with it," Kristie said. "They said it would take hours and hours to even try and fix the issue and that I was better off getting rid of the computer. The last guy said he could try and fix it but there’s no guarantee that I would get my files back."

Desperate, she went to ANZ Bank to pay the ransom. The culprits had sent a list of ways to make the payment and this was the quickest method. But the bank staff were less than helpful.

"One of them told me the bank won't take the money because it doesn't support online corruption and that the money would likely be used to fund terrorism," Kristie said.

She ended up paying in Bitcoin. Once the ransom was paid, it took seven days to reinstate every file on the computer. While she did regain control of her computer, the damage to her business had already been done.

"There was definitely income loss during that time because during those days where the computer was affected the business ran on limited capacity. We couldn't access documents that were crucial to the company because they were all on the one computer. Lucky we could still use our Xero accounting system," said Kristie, who has since replaced her computer entirely. The experience haunted her, and she worried the virus was lying dormant on the old laptop, waiting to attack again.

As criminals ramp up their efforts to make money in the digital space, small businesses should take preventative measures to minimise the risk of becoming yet another victim.

There is no foolproof way to prevent a cryptovirus attack, but educating users about the threat is a start. If you receive an email, even one that appears to come from a reputable source, ask yourself a few questions: Is this from someone I know? Was I expecting this email? Does the sender's address itself look suspicious?

Email security software will also help with prevention, but make sure it is kept up to date.

The most important step small businesses should take is to back up everything on their computers. It's surprising just how many businesses don't have a habit of backing up their data. Kristie learnt the consequences of not backing up her laptop the hard way and has since started to do so. Her IT technician helped her set up a Dropbox account where she now stores her work and personal files. (As several commenters note below, a synced Dropbox folder on an infected PC can be encrypted along with everything else; it is the service's previous-version history that makes it useful for recovery.)

So what happens when it's too late and your business has already been crippled by crypto malware? Here's what Shaw recommends:

  • Remove the malware using reputable security software.
  • Recover the encrypted files by restoring from backup or via the built-in Windows System Restore capability. It is highly unlikely you'll be able to decrypt the affected files yourself, as the attackers typically use industry-standard, strong encryption algorithms.
  • Don't pay the ransom. There is no guarantee that the attackers won't up the ante, or that they will deliver the key needed to decrypt your files. Paying only funds the criminals behind the attack, allowing them to target more victims.

If you run multiple PCs in your business, be aware that they may also be infected if even one is compromised by a cryptovirus.

"If you do get hit, quickly identify the infected workstation. While some of the crypto virus examples go after local drives, some of them start with network shares, which can be much more damaging to your business. Isolate that workstation from the network to minimise any cross infection or encryption of your network data," Websense sales engineer manager Bradley Anstis told Lifehacker. "On the workstation, determine what data could be lost; can you recover it from a backup? Check this without restoring to the infected workstation if possible.

"Also check back with your desktop security vendor; some of them do have recovery tools for some of the variants. If you can't get the data back and there is no recovery tool, then you are exactly where the attackers are hoping you would be!"
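Anstis's first step, identifying the workstation that is encrypting the shares, can be automated from file-server access logs. The script below is an added example, not from the article or from Websense: it assumes a constructed, simplified log format (timestamp, client host, user, operation, path), and the `threshold` of files per minute is a placeholder to tune to the site's normal load.

```python
"""Pick out the workstation that is bulk-encrypting a file share (added example).
Log format is constructed: "<ISO timestamp> <client host> <user> <op> <path>"."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one host rewrites file after file and appends a new
# extension; a second host shows ordinary background activity.
SAMPLE_LOG = r"""2015-07-30T09:12:01 WS-ACCOUNTS alice WRITE \\fs01\shared\A\Acme_quote.docx
2015-07-30T09:12:01 WS-ACCOUNTS alice RENAME \\fs01\shared\A\Acme_quote.docx.encrypted
2015-07-30T09:12:02 WS-ACCOUNTS alice WRITE \\fs01\shared\A\Audit_2014.xlsx
2015-07-30T09:12:02 WS-ACCOUNTS alice RENAME \\fs01\shared\A\Audit_2014.xlsx.encrypted
2015-07-30T09:12:03 WS-ACCOUNTS alice WRITE \\fs01\shared\A\HOW_TO_DECRYPT.txt
2015-07-30T09:12:05 WS-SALES bob READ \\fs01\shared\B\Budget.xlsx
2015-07-30T09:13:10 WS-SALES bob WRITE \\fs01\shared\B\Budget.xlsx
"""
KNOWN_EXTS = (".docx", ".xlsx", ".pdf", ".txt", ".jpg")  # what staff normally save
WINDOW = timedelta(seconds=60)

def parse(log_text):
    for line in log_text.splitlines():
        ts, host, user, op, path = line.split(" ", 4)
        yield datetime.fromisoformat(ts), host, user, op, path

def suspicious_hosts(log_text, threshold=20, window=WINDOW):
    """Return {host: [reasons]} for hosts whose writes look like bulk encryption.
    `threshold` = distinct files one host may modify inside `window`; tune to site."""
    by_host = defaultdict(list)
    for ts, host, _user, op, path in parse(log_text):
        by_host[host].append((ts, op, path))
    flagged = {}
    for host, events in by_host.items():
        reasons = []
        mods = sorted((ts, p) for ts, op, p in events if op in ("WRITE", "RENAME"))
        peak = start = 0
        for end in range(len(mods)):  # sliding time window over modifications
            while mods[end][0] - mods[start][0] > window:
                start += 1
            peak = max(peak, len({p for _, p in mods[start:end + 1]}))
        if peak >= threshold:
            reasons.append(f"{peak} files modified within {window.seconds}s")
        # Renames that leave an unfamiliar extension are the other classic sign.
        renamed = [p for _, op, p in events
                   if op == "RENAME" and not p.lower().endswith(KNOWN_EXTS)]
        if renamed:
            reasons.append(f"{len(renamed)} files renamed to an unknown extension")
        if reasons:
            flagged[host] = reasons
    return flagged
```

A flagged host is the one to pull off the network first; the per-window count catches variants that keep the original file names, and the rename check catches the ones that do not.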

Has your business ever been attacked by a cryptovirus? Tell us more about what happened in the comments.


Comments

    Sorry, but I don't agree with point 1 that Shaw recommends; If they remove the malware then there is no way possible to undo the damage that has already been done with cryptolocker. You need to have the software still on the machine to reverse the encryption otherwise everything will be lost. (unless it's a very old version and you can get the unlocker for http://blogs.cisco.com/security/talos/teslacrypt )

    Point 2, the software nukes system restore.

    Point 3, the ransom usually gets the software to reverse the encryption - as unpalatable as it sounds - the criminals are businessmen, if word gets around they don't honor their extortion attempts then people will be less likely to pony up the cash.

    In addition the newer versions of cryptolocker also can hit unc network shares \\server\folder AND now they can attack dropbox folders too.

    The best recovery option is from a regular backup, prevention is almost impossible as it's social engineering letting the malware onto the network in the first place and user education and vigilance is HARD to implement as it's usually not their job to worry about network security.

      I have also heard from another IT professional that it's better to just pay the ransom if you really want your files back. It's a bit of a grey area - there are pros and cons with either approach.

        There is a web site that you can use for free, FireEye or something, that will help reverse it or unlock the files. Most small businesses have limited backup solutions, so the backups may also be infected, as the virus can lie in wait for months in some cases.

        I have had a client have this and the Windows 7 backup wasn't infected. The system restore from a certain date. It might not be called system restore but it's built into Windows 7... I just can't remember the name of it.

        There are options, but the best is always to have an up-to-date anti-virus solution on all computers, as the good ones and even Microsoft Defender will protect you from this. This doesn't always stop the updated versions of the virus though.

          Hi Barry,

          Beyond good user awareness, you're bang on regarding using a strong and up-to-date security solution. The key point I'd make here is to ensure that you have ALL the protection mechanisms enabled. For example, traditional 'AV' technology is file signature based and we (Symantec) know that this stops less than 50% of the threats that come through. The majority of threats that Symantec stops at the endpoint (end user's computer) happen through advanced techniques including firewall/IPS, file reputation and behaviour-based technologies. This allows us to identify new variants of malware that haven't yet been seen or classified - and this is the case with many Crypto malware versions.

          The good news is that these capabilities are enabled by default on our consumer software (Norton 360 Multi Device) - so if you're using this and it's up to date, you've got the best protection in place. If you're using Symantec Endpoint Protection (SEP) the customer does have the ability to disable this functionality... we'd highly recommend that they don't - so worth double-checking if you fall into this boat.

          Cheers,
          Mark

          Last edited 30/07/15 9:35 pm

          The websites you refer to no longer work. The cybercrims cottoned onto this pretty quickly and changed their hacks.
          Edit: BTW, NO AV currently stops cryptovirus.

          Last edited 31/07/15 9:14 am

      Hi Bob,

      Mark here from Symantec. Thanks for taking the time to comment. You make a fair point regarding point 1. Perhaps point 0.5 should have been included - "decide whether you NEED to pay the ransom." Of course the decision will be based on the recovery options available to you at the time. If a recent backup was made, the best approach is to revert to that but before doing so, removal of the offending software needs to happen first to avoid the newly recovered files from undergoing the same fate.

      Regarding point 2 - The option of system restore is available to some people and has been successful. It depends on the variant of Crypto malware that you're hit by (not all of them impact the system restore function) but it also depends on whether the user has this functionality enabled in the first place of course. The sophistication of the malware has increased considerably since we started seeing this used in anger again in 2013 and the bad guys will continue to look to limit the recovery options available to the victim.

      On point 3, whilst this is a business for cyber criminals and some will honour the "business arrangement", we have also seen a number of instances where payment of the ransom hasn't happened. In addition to the decryption key not being sent, we've also started to see a worrying trend whereby only partial decryption of files takes place. The attacker will then ask for additional money to decrypt further files in an attempt to squeeze out more from the victim.

      Ultimately it is up to the user to make that decision to pay and yes, some choose to go ahead... and some get their files back. Our advice is to avoid paying the ransom unless you have no other options available. Personally speaking, if I had to choose between not being able to recover precious family photos vs. paying a $300 ransom, I would be tempted to go for the latter - but I would hope I'd not have to make that choice because ultimately, the primary message here is one of prevention.... as this is so much better than the cure!

      Cheers,
      Mark

    Keep OFFLINE backups or multiple backups. They will go after shares.
    Online live backups will copy the encrypted files as they change.

    If you really are stuffed, paying will usually resolve it. If word got out that they didn't fix it, people would stop paying.

    There is really no way to stop this without really upsetting people. There is someone in every workplace that will open these attachments. If you block them, everyone will be after you. It sucks.

    We had a peanut in our company (200 people in the office) click on an AFP forged email that was a crypto.
    Lucky for us we do backups every night and even though it infected our main file server, we were able to do a restore and reverse the damage done.
    It was a hectic morning, but this thing spread like wildfire in a matter of minutes and, due to the senior IT guys, we squashed it pretty quick.
    Even getting a hold of Acronis and a portable hard drive to do backups of individual machines, if you don't have a company-wide backup system in place, is a good way to go. Just plug your HDD in first or last or middle of the day, let it do the incremental and then disconnect it, so should anything happen, you can restore.
    The good thing about Acronis too is that it does a whole system image, so should you get infected, you can re-image your whole computer using the backup.

    I was dealing with the 2015 variant last night at a small site I manage. It encrypted all of Dropbox on the local PC and started on the network drives before I asked them to disconnect the ethernet cable. The virus encrypted the start of the "A" folders on the mapped drives, working its way down.
    Backups restored from ShadowProtect, computer cleaned. One nasty virus.

    Offline backups are the only fully secure way of surviving.

    Next best are cloud storage service like DropBox as they keep their own sets of previous versions - i.e. restore from a previous version and you're most likely OK.

    When the infection happens, though, pretty much ANY connected storage might get infected.

    Of course, few smaller businesses and even fewer home users ever do a backup of any sort, let alone an offline backup.

      Agreed that a lot of small businesses and consumers don't do any back up. Hopefully these kinds of stories will educate them on the importance of backing up their data!

    We had a similar issue where a person within our business clicked on one of these links. By the time I discovered the machine that the malware was sitting on, over half the network files were encrypted. Lucky we were able to restore all the affected files from the backups (with the exception of the user's computer, which had to be formatted multiple times) but that ended up burning up over two days of the IT department's time.

    Now I have taken the approach of monthly emails to the company highlighting what to look out for. This will hopefully educate them and may prevent the issue arising again for the business. Hopefully it may also prevent them having a similar issue with their home PCs.

    Last edited 30/07/15 3:18 pm

    Backups kept offline are the only way of making sure you can get your data back without paying the ransom. But if Cryptolocker strikes at just the same time as your backup device is connected while making the backup, then the backup could be encrypted as well.

    To be really safe you need two backup devices, alternate them, and only ever have one connected at a time. That way you'll always have one backup offline and safe. It's a bit more work, but it's worth it.
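The rotation above only helps if you know the set you are about to restore was not itself encrypted while its drive was plugged in. The check below is an added example, not the commenter's: it walks a backup directory and flags files whose well-known header is missing or whose content has ciphertext-like entropy, using constructed sample files in a temporary directory; the header table and entropy limit are assumptions to extend for the formats a given business uses.

```python
"""Check a backup set for files that look encrypted before restoring it.
Added example, not from the thread; entropy and magic-byte checks are generic
heuristics, and the sample files are constructed in a temp directory."""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Magic bytes of common office formats; a file claiming one of these extensions
# but lacking its header has most likely been overwritten by the malware.
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pdf": b"%PDF-"}
ENTROPY_LIMIT = 7.5  # bits/byte; plain documents sit well below, ciphertext near 8

def entropy(data):
    """Shannon entropy of a byte string in bits per byte."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def suspect_files(root, sample_bytes=4096):
    """Return [(relative path, reason)] for files that do not look like their extension."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        head = path.read_bytes()[:sample_bytes]
        ext = path.suffix.lower()
        if ext in MAGIC and not head.startswith(MAGIC[ext]):
            findings.append((str(path.relative_to(root)), f"missing {ext} header"))
        elif ext not in MAGIC and entropy(head) > ENTROPY_LIMIT:
            findings.append((str(path.relative_to(root)), "high entropy"))
    return findings

def build_sample_backup():
    """Constructed backup set: two healthy files and two ciphertext-like ones."""
    root = Path(tempfile.mkdtemp(prefix="backup_"))
    (root / "quote.docx").write_bytes(b"PK\x03\x04" + b"word/document.xml" * 50)
    (root / "notes.txt").write_text("Scaffold hire terms, site address, invoice numbers\n" * 40)
    # Deterministic pseudo-random bytes stand in for ciphertext (constructed).
    junk = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    (root / "audit.xlsx").write_bytes(junk)                 # header gone
    (root / "photos.jpg.encrypted").write_bytes(junk)       # renamed and encrypted
    return root
```

Run `suspect_files()` against the disconnected backup drive from a clean machine; any findings mean that copy was touched and the older rotated device is the one to restore from.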

    The thing I don't understand is how modern AV software has become so crappy at stopping this stuff. We got hit with Cryptolocker, or a variant thereof, recently. Our spam filter let the email right through, some dodgy Australia Post email, didn't blink an eye. Then Symantec AV let the end user download and run some dodgy .exe from the internet, and didn't even blink an eye when the virus sat there encrypting all the files on the office file server. Considering all the crazy things viruses have gone through in the past to avoid detection, I would have thought something as basic as this would be trivial to catch and stop.

    From experience, the only solution is a low-level format, and complete restore from backups.

    For small business, use a NAS box that can dump to Amazon S3 or some such every night and turn on versioning in the cloud storage; you get offsite backup and protection from attacks like this.

    P.S. After servicing small business for a number of years, the biggest problem is lack of resources; they don't want to spend any money and expect the minimal amount of expenditure to give them stellar results.

    Best preventative measure I know of is application whitelisting. May seem a little advanced for most SMBs. An easy way would be getting an IT guy to remove the users' ability to execute programs from the AppData folder. Will play a little havoc with programs like Dropbox or GoToMeeting but will save you a world of pain if this gets through.

    I spent 11 hours last Saturday restoring a fileserver when this thing got through our network and have since put more measures in place to stop it.
