This week has been a long week due to a client's miscalculation and their unintended click on a web site…
On Monday a panicked call from a client advised they were unable to access any documents on their PC, followed by another call saying the same was happening to their server and other PCs.
Our immediate advice was to shut down all PCs and the server to reduce the damage. It later turned out the damage had occurred 2 hours earlier, but good advice all the same.
It was quickly concluded that they had received an email from “Tesco Bank”, with a link to a web site which had prompted a download. Their Avast antivirus had stopped the virus payload from installing, but the client had overridden the warning and installed it anyway. Within seconds they had lost access to files and found them renamed with the addition of .encrypt as the extension. They were seeing a warning screen that “Cryptolocker” had infected their PC and was encrypting their data, and that if they paid £300 the data would be decrypted. The client advised they would not be paying up.
The virus was soon noted as a Cryptolocker variant, which did not work on the free decrypt site https://www.decryptcryptolocker.com/.
Only 2 PCs on the network of 8 were locally affected by the encryption, and it is believed that the PC on which the virus was found had caused the issue. A second PC had spyware linked to the encryption and had encrypted files. Unfortunately the PC with the virus had admin rights over the server.
Not a good day, but after multiple scans with Avast Endpoint and Malwarebytes the PCs and network were deemed clear of the virus and spyware, which left the matter of 35 GB of data to restore.
After many hours of attempts to decrypt the data the only option was to restore the client's data from backup. Fortunately we were using a local cartridge backup and online backup, so were able to restore data from a few hours earlier; data loss was minimal, in fact only two files were lost.
What was learnt?
Firstly, there are still viruses and spyware out there which can seriously damage a business.
Secondly, multiple backups are a must. The client noted that files which were open were not encrypted. We also noted that the files covered by Shadow Copy (Previous Versions) could be restored, although this may have been affected if the virus had been given more time. System Restore did not sort the issue; we later found out the client had tried this before the call.
Third, our online backup solution, which we would have expected to be a problem with the encryption, was in fact ready for the issue. We were concerned that the encrypted files would have been backed up over the originals. The company confirmed that if we supplied the date the encryption occurred they can restore “All” data to prior to this.
Fourth, clients having too many admin rights on PCs, allowing viruses to install .exe files, is not a good thing. Access should also be reduced to only the folders needed rather than allowing access to all company folders. This could be a little restricting, but the issue would have been more containable.
Fifth, clients will override the antivirus given the chance. The client had only local AV so had full access over the program. In the majority of cases the AV is server controlled and these permissions would be blocked.
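Two things in this story had to be worked out by hand: which folders had been hit, and when the encryption actually started (the damage turned out to be 2 hours older than the first call, and the online backup company needed that date to roll everything back). The following is an added example, not code from the original post: a small Python triage script that walks a file share, counts files carrying the ransomware's added extension (.encrypt, as in the incident above) per top-level folder, and takes the earliest and latest modification times of those files as the encryption window. The sample folder tree, file names and timestamps are constructed inline for the demonstration; the 10-minute safety margin before the first encrypted file is an assumption of this example.

```python
"""Triage helper for a file-renaming ransomware incident (added example).

Walks a directory tree, finds files carrying the ransomware's added extension
and reports per-folder counts plus the earliest/latest modification times among
them. The earliest time, less a safety margin, is the "date the encryption
occurred" you hand to the backup provider so they restore from before it.
"""
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

ENCRYPTED_EXT = ".encrypt"      # extension the ransomware in the post appended
SAFETY_MARGIN_SECONDS = 600     # assumption: restore from 10 minutes before first hit


def scan_tree(root, ext=ENCRYPTED_EXT):
    """Return (per_top_folder_counts, earliest_mtime, latest_mtime, clean_file_count)."""
    root = Path(root)
    counts = Counter()
    earliest = latest = None
    clean = 0
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix != ext:
            clean += 1             # untouched file (e.g. it was open at the time)
            continue
        rel = path.relative_to(root)
        top = rel.parts[0] if len(rel.parts) > 1 else "."
        counts[top] += 1
        mtime = path.stat().st_mtime
        earliest = mtime if earliest is None or mtime < earliest else earliest
        latest = mtime if latest is None or mtime > latest else latest
    return counts, earliest, latest, clean


def restore_point(earliest_mtime, margin=SAFETY_MARGIN_SECONDS):
    """Timestamp to give the backup provider: a margin before the first encrypted file."""
    return earliest_mtime - margin


def build_sample_tree(base, t0):
    """Construct a small share for the demo: two hit folders, two untouched files."""
    base = Path(base)
    # (relative path, mtime offset from t0); ".encrypt" files mimic the renamed victims
    files = [
        ("Accounts/invoice1.xlsx.encrypt", 60),
        ("Accounts/invoice2.xlsx.encrypt", 120),
        ("Sales/quote.docx.encrypt", 30),
        ("Sales/open_report.docx", -3600),   # was open in Word, so not encrypted
        ("readme.txt", -86400),
    ]
    for rel, offset in files:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample content")
        os.utime(p, (t0 + offset, t0 + offset))
    return base


def run_demo(t0=1_700_000_000):
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d, t0)
        counts, earliest, latest, clean = scan_tree(d)
    return {
        "counts": dict(counts),
        "earliest": earliest,
        "latest": latest,
        "clean": clean,
        "restore_point": restore_point(earliest),
    }


def fmt(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    r = run_demo()
    for folder, n in sorted(r["counts"].items()):
        print(f"{folder}: {n} encrypted file(s)")
    print(f"untouched files: {r['clean']}")
    print(f"encryption window: {fmt(r['earliest'])} to {fmt(r['latest'])}")
    print(f"ask backup provider to restore from before: {fmt(r['restore_point'])}")
```

Run it against the real share root instead of the temp directory by calling `scan_tree("/path/to/share")`; the earliest timestamp is also the cut-off to check Shadow Copy (Previous Versions) snapshots against before deciding which copy to bring back.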
Sixth, did I mention a good backup?