back to article They've taken my storage hostage ... now what?

There's an encrypting ransomware Trojan making the rounds called Cryptolocker. I will save the details on my battle with this beastie for later*, but suffice it to say that if this encrypts your stuff you are done. There is no getting your data back unless you have backups or pay the ransom. Let's set aside the ultra-well …

COMMENTS

This topic is closed for new posts.
  1. alain williams Silver badge

    Daily incremental backups

    What is so hard about it ?

    OK: I know that many do not do it, but no serious computer user can pretend that they have not been told to do it.

    Having said that: it took an arson attack next door to their offices to get some customers to agree to my nagging to install a backup server.

    1. Anonymous Coward
      Anonymous Coward

      Re: Daily incremental backups

      > What is so hard about it ?

      Not much, and it does not require paying for an external (aka Cloud) solution as this article hints, which effectively leaves your data at the mercy of someone else's fortunes and good faith.

      I describe here a self-contained solution which copes very well with this particular scenario, and consists only of freely available tools (Linux, OpenVPN, rsync, SSH, Bash, Samba) plus two (or more, if extra redundancy is desired) non-colocated servers, ADSL or similar connectivity, and one afternoon's scripting and deployment work, plus testing.

      This is a solution that any IT support business of minimal competence can provide with low deployment costs (therefore lower prices or higher margins) and has the advantage that the customer remains at all times in full control of their data due to the complete absence of vendor-specific stuff. It does not cover for every possible loss scenario, but it does provide a good degree of redundancy / integrity, availability, and confidentiality.

      Cloud stuff strikes me more as something that you would use to host your public data (e.g., software patches and documentation, if you were a software house) than something to trust your business intelligence to. That's to say, it has its uses but it's not the solution to every problem.

      Just mentioning this as another possible approach, to provide inspiration to whoever of you may have to deal with these kind of things nowadays.

  2. Steve Foster
    Devil

    Footnote

    "*For the record, the files were ultimately recovered and the business saved. The dirty details will be all revealed in a future article. Stay tuned."

    Oh well, if you're going to give away the ending, there's not much point me reading the yet-to-be-released article.

  3. Anonymous Coward
    Anonymous Coward

    Scary stufff

    Just takes someone with a PC, Cisco (or any VPN client that doesn't work through a web browser) VPN and mapped drives to the corporate network ..... (eek!)

  4. Chris Miller

    From what I read, Cryptolocker demands a ransom of a few hundred dollars, on payment* of which they do actually send a key to restore your files (there's an obvious incentive for them to do this). Much as I deprecate giving money to criminals, for the commercial organisation you describe this would seem much the cheapest option. I doubt there's any way for them to know you're a business rather than a simple home user.

    * To state the bleedin' obvious, if you are thinking of paying, use a prepaid card and throw it away.

    1. jonathanb Silver badge

      I believe you have to pay using Western Union or some similarly untraceable service, in which case it is cash or card at your local Western Union shop, it doesn't really matter as Western Union won't misuse your card information.

    2. 's water music

      They've taken my storage hostage ... now what?

      I can see your logic but I wonder whether the crims make more money from the ransom you pay or the increase in resale value of your identity as a mark who paid up. Similarly, does the level of repeat business from previously satisfied marks justify the cost of actually having a decryption key fullfilment infrastructure

    3. SImon Hobson Bronze badge

      >> Much as I deprecate giving money to criminals, for the commercial organisation you describe this would seem much the cheapest option

      Here's an interesting thought. Is it *legal* for a business to pay the ransom ? Perhaps Trevor (or one of his colleagues) could consider that conundrum in a future article.

  5. Brian Miller
    Go

    Backups, backups, backups!

    Once upon a time, backups were taken seriously.

    OK, so that was only a long, long time ago, in a galaxy far, far away. But some of us in this galaxy, on this very planet, did take it seriously. And ya know what? Backups work!

    This really isn't about a trojan or virus or whatever, it's about a failure to properly back up data. Imagine for a moment that, instead of stealthy malware encrypting all it finds, utility workers outside crossed the lines, and fried everything on the circuits. Instead of 120V on the line, imagine that it was briefly touched with 480V. (That actually happened to some people I knew.) Now, instead of taunting messages, the equipment is fried to a crisp. Time to replace everything.

    If proper backups have been done, then you replace the machine, grab last week's tape and last night's diff, and restore everything. Done. Or in the article's case, isolate the malware, flatten everything, and restore from tape.

    Oh, did I mention tape? Yes, that's always good and needed. Funny how backup software works best with tape. Lots and lots of cheap tape, cartridge after cartridge, no problems. Backup software doesn't work so well with anything else, despite what's claimed on the package.

    And that brings up something else: Keep your scanners up to date!! Enforce virus scanners for all machines in the organization. Not only the definitions, but also the engines.

    Face it, they are out to get you, so it isn't paranoia, it's normal and reasonable precautions and defense.

    1. Kevin Johnston

      Re: Backups, backups, backups!

      You have forgotten the most inportant part of making backups.......TEST THE BLOODY THING

      If you haven't checked that you can recover a random file from your backup then it is just a bunch of tapes

      1. Fred Flintstone Gold badge

        Re: TEST THE BLOODY THING

        If I had a million upvotes you'd get them all.

    2. sandman

      Re: Backups, backups, backups!

      Yep, backups do work, whether for corporate data or personal machines. It's little things like installing a new OS version yesterday and finding it borks some vital software, even if the testers didn't spot it at the time. (I'm not naming names, because it can happen with any new OS).

      How to repair, simples, you've got a backup, just find the last sane version and restore.

      You haven't, oh deary, deary me.

      Your New Jersey data center gets flooded - you have offsite backups somewhere a bit higher? Fantastic.

      Despite ALL the warnings someone in PR downloads a famously virus-laden email and infects half the company (true story) - you have decent backups? Yes, excellent.

      JFDI, it's not bloody rocket science.

    3. User McUser

      Re: Backups, backups, backups!

      Funny how backup software works best with tape. Lots and lots of cheap tape, cartridge after cartridge, no problems. Backup software doesn't work so well with anything else, despite what's claimed on the package.

      Our replicated disk-to-disk backup servers (physically isolated from each other in different buildings natch) would disagree with you.

      1. Anonymous Coward
        Anonymous Coward

        Re: Backups, backups, backups!

        How much power/cooling do your disks cost to keep running? How much energy does that tape use on a shelf?

        It's horses for courses, if you've got a lot of data, tape is always gong to be best. That said, disk has an important place in backup.

        1. User McUser

          Re: Backups, backups, backups!

          How much power/cooling do your disks cost to keep running? How much energy does that tape use on a shelf?

          *shrug* I honestly don't know and don't particularly care (NMJ). All I know is when a idiot user accidentally deletes a file I can restore it from backup in less than a minute versus who knows how long from tape. Wall-clock time is all that anyone here cares about.

    4. J. Cook Silver badge
      Flame

      Re: Backups, backups, backups! (@ Brian Miller)

      "Imagine for a moment that, instead of stealthy malware encrypting all it finds, utility workers outside crossed the lines, and fried everything on the circuits. Instead of 120V on the line, imagine that it was briefly touched with 480V."

      Had something similar happen with a client for the company I was working for at the time- they had an electrician onsite who managed to put 220 to the ground line of one of the circuits briefly. It blew the power supplies on a pair of newly installed* workstations** and made the UPS protecting the server from power outages have a bit of a lie down. Fortunately, the server didn't have any major filesystem damage, and the UPS was fine once it was unplugged and plugged back in and restarted.

      Never heard what happened regarding who paid for it, but I expect the electrician's insurace took the hit.

      Fire icon, because... well, "i love the smell of burning diesel in the morning!" :)

      * The workstations were a couple months old

      ** I walked into the shop the morning that happened after they had brought the workstations in- they reeked of burned capacitors. They promptly send me out to look in on the server.

  6. No. Really!?

    Been there...

    About two weeks ago I was called in to consult* on a cryptolocker infection.

    It was ugly, like Trevor describes, users with local and network share files. All encrypted because it's network aware. They were running two daily backups, but just overwriting and no off-site media. Both backups had run and only had the encrypted versions. We turned up a 14 month old copy of the data from when a new server was put it. It was hard to tell the owner that was the best that could be done, and he took it pretty well - probably already knew.

    *confirm their existing/former IT vendor's verdict.

  7. Anonymous Coward
    Anonymous Coward

    BYOD is simply some little girl stamping their feet and throwing a temper tantrum " I want I want I want"!

    Yes I use the traditional desktop at work. Yes I can access said desktop anywhere from practically any device.

    I find no legitimate reason for allowing anyone to pick their own device!

    Of course if there is a true business need, I would not prevent it. But let's face it, we all know the types who will use ANY excuse as a business need.

    It's really sad and I only pity those who support BYOD.

  8. OMG It's me
    Meh

    Had this same issue just last week

    Had a seriously tech-illiterate ("What do you mean, Start button?") user from a client call up to say that something had appeared on her computer and was saying her files were encrypted.

    Needless to say a minor brownware download occurred, and so I nipped down to the site to have a look, not trusting remote support on a known infected PC. After figuring out how to terminate it (taskkill is invaluable here, as it launches two processes of the same EXE file to hold itself open), cleansing the registry and deleting the offending piece of excrement itself, we managed to figure out which files were infected - this had encrypted her networked My Documents, as well as VERY selectively encrypting documents on just one other network drive - it appeared to only mess up files owned by this user in particular, definitely not the standard published behaviour.

    $Deity bless Shadow Copy, since the client has a relatively small dataset we've set it to 3 snapshots a day, which has turned out to be an absolute lifesaver! Have also made a note to block execution from Outlook's temp directory, should've done this far sooner.

    I surprised myself, being uncharacteristically diplomatic when asked how this happened - apparently the documentation and day-long training on the network & standard security conveniently slipped out through the alternative cranial orifice - something that seems to be implausibly common among our clients!

    1. Anonymous Coward
      Anonymous Coward

      Re: Had this same issue just last week

      Shadow copies and backups are great to have for this.

      We had a site lose a third of thier network share to this before the plug was pulled and the machine cleaned up - shadow copy to recover the server to the last sane point, the site was back up pretty quickly. Incidentally, if your clients have an NT6 machine, but not previous versions enabled, try Shadow Explorer - it's magical. It's very nearly Previous Versions for those who forgot to enable previous versions, based on System Restore points.

      All AV software reinstalled, full scans run, site now clean as far as we can ascertain.

      Awful, awful malware.

      On the subject of backups generally, we enforce a minimum of three working backup disks - two on site, one offsite, or more depending on need (multiple offsite locations etc) - for any server role device we sell, from Netgear ReadyNAS type appliances to rackmount servers, and if they don't want to pay for the backup disks, we won't sell them the hardware, period. Because if there is a problem, they will come back to us and expect systems necromancy to be performed without backups. Which is just a waste of everyones time and money when it could so easily be avoided by having even a basic backup.

      And we certainly don't offer maintenance for sites without a proper backup system that is checked regularly, as dealing with hardware failures or other data losses scenarios is a massive waste of resources and has burned us in the past - spending a few hours recovering from a backup is a far better use of everyones time than trying to forensically piece together a blown server, especially if you have AD/Exchange/any other proprietary, business critical system involved. And yes, people do run DCs without backup disks. Just not when we get involved.

      Anon because our 'victim' was a high value client locally who wouldn't appreciate the publicity.

  9. Anonymous Coward
    Anonymous Coward

    Re: Backups

    Backups don't work, backups are crap, I keep banging on about this, you don't want a backup solution, you want a recovery solution.

    No-one in a company outside of IT (and even then, not that many) is really interested in backing up, they are interested in getting their work back when everything goes wrong. The more we talk about backups, the more we distract from the real issue. People don't care if their backups fail, they do care if their recoveries fail.

  10. Anonymous Coward
    Anonymous Coward

    I didn't even bother reading the whole rambling of this article.

    My stance, you got what you deserved.

    BYOD is the worse idea or concept anyone can possibly do.

    From a companies point, Your taking a high level risk to save money.

    From the employees point, why would you spend your hard earned money on stuff they should be supplying? What's next, your car? your own pens and paper? your own toilet paper?

    Hey, if your doing contract work, great. but...

    If your a company, and that employee walks, he takes everything he is working on with him, on his device. Nothing you can do. This is just one simple scenario.

    As an employee, you subject your equipment to their rules while under their employment.

    I'm a strong believer in separating the workplace from home. Never bring your job home with you! It makes no sense, and I mean none, that every year we complain about these companies (how much ARE they making and how much are YOU seeing?) and they expect YOU to supply them equipment to make THEM richer.

    Will never, never, never happen with me. If they think I need it, then it's on them, but not on my dime.

    1. Trevor_Pott Gold badge

      I know you're a tech god that doesn't even need to read an article before making completely misinformed comments...but YOU'RE AND YOUR. LEARN THE DIFFERENCE FOR THE LOVE OF YOUR OWN INFLATED EGO.

      Thank you, and have a nice day.

    2. ryanp

      Like anything else, there is a difference between a well planned and implemented BYOD and one that is not. We have a BYOD policy that allows users to access their work from any location from any device.

      We use MDM and VDI, so the environment is self contained. Users enjoy being able to use their own phone and not having to use two phones. In the office, users have thin clients. Outside of the office users can use any computer they please. Users enjoy being able to use the device that they already have and are comfortable with, as most already do, and not have a locked down second laptop. For user that have a need for a laptop and do not have one, we will provide it.

      Our users enjoy our BYOD policy very much as it gives them a lot of flexibility. We save some money on devices. Our environment is as locked as it would be if we did not have a BYOD policy.

      It is possible that your idea of a BYOD environment is not always mirrored by reality. It is possible that while you strongly believe in separating home from the workplace, that other people may have different beliefs.

    3. Pascal Monett Silver badge
      FAIL

      @ Taylor 1

      Next time you don't bother reading an article, don't bother answering either.

      You missed a chance to not look stupid like a fucking numpty.

    4. John Smith 19 Gold badge
      Unhappy

      @ Taylor 1

      "I didn't even bother reading the whole rambling of this article.

      My stance, you got what you deserved..."

      "..Will never, never, never happen with me. If they think I need it, then it's on them, but not on my dime."

      You are very proud of you stance on this, are you not?

      I know a lady who would like to meet you

    5. Anonymous Coward
      Anonymous Coward

      Why this rant about BYOD?

      Cryptolocker was introduced to my company by an email with a malicious attachment. At the time when a smart user forwarded it to me for checking there were only 3 vendors on VirusTotal that recognized it.

      None of my users were dumb enough to open the attachment but other sites had a bad time, with several cases of restored backups being overwritten by repeat infections even though the infected email was blocked within an hour of the first report of the suspicious mail.

      I don't think BYOD would have made the situation any better or any worse. Effective user training would have made an enormous difference.

      As someone who has too fat fingers and not enough patience to type on my company blackberry*, at home I use a VDI client running in a Ubuntu virtual machine on my Fedora box or - if that's not powered up - I use the VDI client on my Nexus 7. My company notebook usually stays in its bag because - well because it's Windows.

      I wish I could take the credit for setting up the VDI infrastructure but it was already set up and running when I was hired.

      *I only have a blackberry because I have to support users who choose to have blackberries. Sigh.

  11. John Smith 19 Gold badge
    Thumb Up

    "block execution from Outlook's temp directory"

    Now that sounds like one of those "Why didn't I think of that before?"

    Excellent idea. Thumbs up as I had not thought of this.

    In fact if this is a works (Windows) PC logically there should only be a few standard folders software should be running from.

    Everywhere else should be treated as suspect.

  12. Anonymous Coward
    Anonymous Coward

    Tech god with an ego? Fucking numpty? So, if my response is not agreed with it comes to this? My points are still valid, and all the childish name calling won't change the fact that byod is simply opening the door wide open for this, and worse, to happen. Next time it does, try the name calling, see how far that gets you.

    1. Robert Carnegie Silver badge

      You missed the "Free money for everyone who reads the rest of this article" offer then. :-)

      And you missed the cutoff time now. What a pity.

This topic is closed for new posts.

Other stories you might like