A little over a year ago, the owner of a small machine shop – let’s call him Bill – was looking for a new employee. After Bill posted on Indeed, Craigslist and other job-hunting sites, an applicant sent him a resume. The only problem was that this resume was infected by Cryptowall.
What is Cryptowall?
Cryptowall is a form of ransomware that encrypts your files and requires you to pay for the data to be decrypted. Even if you pay the ransom, however, you are still at the mercy of the cybercriminal using Cryptowall against you, as decrypting your files is never a guarantee. Ransomware has hit a variety of business sizes and types, including machine shops like Bill’s, churches, hospitals and even IBM!
When Bill opened the Word document he received from the applicant, the file was blank except for a banner that prompted him to “Enable Macro.” Bill enabled the macro, but the file remained blank. Little did he know that he had just initiated the ransomware process. Within an hour, Bill was unable to open his files, and neither Word, Excel nor PowerPoint was functioning. Bill called MyITpros to explain the symptoms, and within five minutes, I had identified the issue and determined that the source was the “resume.”
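The lure in this story was a Word document carrying a VBA macro. Office Open XML files (.docx, .docm, .xlsm, .pptm) are zip containers, and a document that carries macros has a vbaProject.bin part inside it, declared in the [Content_Types].xml manifest. The following added example (not code from the original post or from MyITpros) shows a mail-gateway style check that flags attachments containing a VBA project before a user ever sees an “Enable Macro” banner. The sample documents are constructed in memory and contain only the parts the check inspects; the function names are my own.

```python
import io
import zipfile

# Content type that Office uses to declare an embedded VBA project.
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def has_vba_macros(data: bytes) -> bool:
    """Return True if an Office Open XML container carries a VBA project.

    Only zip-based OOXML files are handled here. Legacy binary .doc/.xls
    files are OLE2 containers and need an OLE parser (for example
    oletools' olevba) instead of this check.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            # A vbaProject.bin part under word/, xl/ or ppt/ means macros exist.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            # Second signal: the manifest declares the macro part even if the
            # part itself was renamed or stored under an unusual path.
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return MACRO_CONTENT_TYPE in manifest
    except zipfile.BadZipFile:
        # Not a zip container: either a legacy binary format or not Office at all.
        return False
    return False


def scan_attachments(attachments: dict) -> list:
    """Return the names of attachments that should be held for review.

    `attachments` maps filename -> raw bytes. Any Office container with a
    VBA project is flagged regardless of the extension it claims, so a
    macro document renamed to .docx does not slip past on its name alone.
    """
    flagged = []
    for name, data in attachments.items():
        if has_vba_macros(data):
            flagged.append(name)
    return flagged


def build_sample_document(with_macro: bool) -> bytes:
    """Constructed sample: a minimal zip laid out like a Word document.

    Real documents contain many more parts; only what the check inspects
    is included. The vbaProject.bin body is a placeholder, not real VBA.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        main_type = (
            "application/vnd.ms-word.document.macroEnabled.main+xml"
            if with_macro
            else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
        )
        types = [
            '<?xml version="1.0" encoding="UTF-8"?>',
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>',
        ]
        if with_macro:
            types.append(
                f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>'
            )
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "\n".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inbox: one plain resume, one macro-laden file posing as .docx.
    inbox = {
        "resume_clean.docx": build_sample_document(with_macro=False),
        "resume_applicant.docx": build_sample_document(with_macro=True),
        "notes.txt": b"plain text, not an Office file",
    }
    print("hold for review:", scan_attachments(inbox))
```

The extension is deliberately ignored when deciding: the manifest and the vbaProject.bin part are what Office acts on, so they are what the gateway should act on too. Legacy .doc files still need an OLE-aware tool, which is why the function returns False rather than guessing for non-zip input.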
To pay or not to pay
After quarantining Bill’s system, the fun part began: identifying the impacted areas and initiating data recovery. Although Cryptowall had originated on Bill’s system, it had spread to all his mapped drives – and since Bill was the owner of the company, he had more access than the average user. The public share? Encrypted. The machine shop share? Encrypted. The accounting share? Encrypted.
After discussing the pros and cons associated with Bill sending money to unlock the data, the decision was made not to pay. Why? Although the criminals were holding Bill’s system hostage, MyITpros had been managing his company’s backups. Specifically, we used an incremental backup service called ShadowProtect from StorageCraft, which took a snapshot every 15 minutes. This meant that for every file Cryptowall encrypted, ShadowProtect held a clean copy that was at most 15 minutes old.
The next step was to narrow down the recovery time. Bill said he started reading resumes around 3 p.m., but was unsure of the exact time he hit “Enable Macro” on the infected resume, thereby triggering the ransomware. I received the call from Bill at 4:20, so by mounting the backups for every 15-minute increment between 3 o’clock and 4:15, I determined that the infection existed at 3:45 but not at 3:30. When Bill’s shop closed at 5 o’clock, I began recovering the encrypted files from the 3:30 backup. By the time the shop opened at 8:30 the next morning, the files had been fully recovered.
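Narrowing down the recovery point is a search over a series of snapshots: every snapshot before the infection is clean and every snapshot after it is encrypted, so the boundary can be found with a bisection instead of mounting each increment in turn. The added example below (my own code, not MyITpros' or StorageCraft's tooling) models the 15-minute snapshots from the story as constructed dictionaries of filename to the first few bytes of each file, decides whether a snapshot is infected by checking that document files still begin with the magic bytes their extension implies, and bisects to the last clean snapshot. The timestamps, filenames and byte contents are all constructed; the check-count is returned so the saving over a linear walk is visible.

```python
import os

# Expected leading bytes for common document types. An encrypted file no
# longer starts with its format's signature, which is a cheap, content-based
# sign of ransomware that does not depend on the malware renaming files.
MAGIC = {
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
    ".pdf": b"%PDF",
    ".doc": b"\xd0\xcf\x11\xe0",
    ".xls": b"\xd0\xcf\x11\xe0",
}


def looks_encrypted(name: str, head: bytes) -> bool:
    """True if a file's leading bytes contradict the signature its extension implies."""
    ext = os.path.splitext(name)[1].lower()
    magic = MAGIC.get(ext)
    if magic is None:
        return False  # unknown type: no signature to compare against
    return not head.startswith(magic)


def snapshot_is_infected(files: dict) -> bool:
    """A snapshot is treated as infected if any known document type fails its signature check."""
    return any(looks_encrypted(name, head) for name, head in files.items())


def find_last_clean(times: list, is_infected) -> tuple:
    """Bisect a time-ordered list of snapshots for the last clean one.

    Assumes the infection is monotonic: once a snapshot is infected, every
    later snapshot is too. Returns (timestamp_or_None, number_of_checks).
    """
    checks = 0

    def infected(t):
        nonlocal checks
        checks += 1
        return is_infected(t)

    if infected(times[0]):
        return None, checks           # even the earliest snapshot is bad
    if not infected(times[-1]):
        return times[-1], checks      # nothing encrypted yet
    lo, hi = 0, len(times) - 1        # invariant: times[lo] clean, times[hi] infected
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if infected(times[mid]):
            hi = mid
        else:
            lo = mid
    return times[lo], checks


# Constructed snapshots: clean until 15:30, encrypted from 15:45 onward.
CLEAN = {
    "Quotes.xlsx": b"PK\x03\x04\x14\x00",
    "Invoice-1042.pdf": b"%PDF-1.5",
    "Resume.docx": b"PK\x03\x04\x14\x00",
}
ENCRYPTED = {
    "Quotes.xlsx": b"\x9f\x1c\x7a\x44\x02\xe1",
    "Invoice-1042.pdf": b"\x0b\x88\xd3\x5e",
    "Resume.docx": b"\x41\x7c\x19\xaa\xf0\x33",
}
SNAPSHOTS = {
    "15:00": CLEAN, "15:15": CLEAN, "15:30": CLEAN,
    "15:45": ENCRYPTED, "16:00": ENCRYPTED, "16:15": ENCRYPTED,
}
SNAPSHOT_TIMES = sorted(SNAPSHOTS)


def recovery_point() -> tuple:
    """Locate the snapshot to restore from in the constructed scenario."""
    return find_last_clean(SNAPSHOT_TIMES, lambda t: snapshot_is_infected(SNAPSHOTS[t]))


if __name__ == "__main__":
    point, checks = recovery_point()
    print(f"restore from the {point} snapshot ({checks} snapshots mounted)")
```

The monotonic assumption is what makes bisection safe; if a share is only partly encrypted at one snapshot, the signature check still reports it as infected, which errs toward an earlier, fully clean restore point. With a day of 15-minute snapshots the bisection needs about seven mounts instead of nearly a hundred.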
Ransomware can come at you in many different ways, and it won’t always take the form of an obvious email phishing scam. In this example, Bill did not realize that a virus could be hidden inside a Word document, and the hacker was smart enough to disguise the ransomware as a legitimate-looking file type that Bill would not treat with suspicion. However, it’s important to acknowledge that no matter the level of user education, ransomware can and will slip through the cracks. Even if you have the best antivirus program and the most secure firewall, your backups are still essential to security and recovery.
Cryptowall, NotPetya, WannaCry: we have seen it all! Check out our related posts on security to make sure you are up on all the latest information! To find out more about MyITpros' security services, especially our new encryption service, contact us!