Case Study: Cryptolock Ransomware


July 11, 2016

Keeping your business’s data safe from computer viruses is crucial, and part of that is understanding the latest threats to your network. A virus known as Cryptolock, a type of ransomware, has been infecting businesses through email and can cause crippling data loss. Our recent experience with one of our large IT clients can teach some valuable lessons about how to keep your organization safe and minimize any losses from infections.

What is Cryptolock?

Cryptolock is a very common type of ransomware: a virus that infects your computer and secretly encrypts office documents, images, and other important files. Once the files are locked, you receive a message, or “ransom note,” explaining that you cannot access your files unless you pay a ransom.

Once the files are locked, it is impossible to retrieve them. Even if your antivirus software manages to find and delete the virus, the files it has already encrypted remain locked.

What Happened?

Our client called us with a problem: some users had noticed their important files were missing, and then ransom notes started to appear on their computers, demanding they pay to unlock the files. By the time we were made aware of the issue, the virus had locked 10% of the files on their server.

It started with suspicious emails with subject lines like “Here’s that document I was supposed to send you,” made to look like replies to earlier messages. When users opened the attached files, nothing appeared to happen, but the infection had begun.

The Cryptolock infection started on the workstations and stayed hidden while users continued to work. As those users accessed other files, the virus spread across the network, infecting the main file storage as well as user computers. Once the ransom notes started to appear, everyone realized they had a serious problem on their hands.

What Did We Do?

Unfortunately, the only remedies for a ransomware infection are to pay the ransom or to restore the system from an uninfected backup. We started by identifying the type of attack and communicating the situation to the staff.

After the staff was made aware of the issue, we quarantined 191 user computers by taking them off the network to stop the virus from spreading further. Twelve computers were confiscated and rebuilt to remove all traces of the virus. Finally, we restored the server to its state 2 days prior to the initial outbreak. In total, the client was in quarantine for 36 hours and lost 2 business days’ worth of data and transactions.

What Were the Next Steps?

Once everything was restored and virus-free, we drafted new user policies for the client to implement. We identified a weakness in their old policy: most employees had admin access on their computers. This gave Cryptolock greater access to the network, so the new policy restricts admin access to a select few users.

We also reviewed their email scanning policy and reinforced their email protection to help catch dangerous emails before they could be opened.

How Can You Avoid This?

Antivirus protection is important, but even a modern, up-to-date antivirus program can have trouble detecting the latest ransomware. With over 850,000 new viruses being discovered every day, staying protected is an arms race.

Our client’s troubles with Cryptolock taught them several valuable lessons. First, user training is critical: the outbreak started because unknown email attachments were opened. We created a new, strict domain policy that denies admin access to most staff members. We also helped them develop a more comprehensive outbreak procedure so that staff know the correct steps to take in the case of another infection.
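Restricting admin access only helps if it is actually enforced on every workstation, so the policy described in the two paragraphs above needs a way to be checked. The script below is an added example, not part of the original post or of any tooling the client used: it runs from a domain-joined management host, lists the members of the local Administrators group on each workstation in a given OU, and reports every member that is not on an approved list. The OU path, the approved-member names and the `EXAMPLE` domain are placeholders to be replaced with the organization’s own values; it assumes the ActiveDirectory PowerShell module is installed and that PowerShell remoting (WinRM) is enabled on the workstations.

```powershell
# Added example (not from the original post): audit which accounts hold local
# Administrators membership on domain-joined workstations, so a "restrict admin
# access" policy can be verified rather than assumed.
# Assumptions: ActiveDirectory module present, WinRM enabled on workstations,
# and the script run by an account permitted to query them.

Import-Module ActiveDirectory

# Placeholder OU; replace with the OU that actually holds the workstations.
$workstationOU = 'OU=Workstations,DC=example,DC=local'

# Members that are expected to remain administrators on every workstation.
# Placeholder names; adjust to the organization's own policy.
$allowedAdmins = @(
    'EXAMPLE\Domain Admins',
    'EXAMPLE\Workstation Admins',
    'Administrator'            # built-in local account
)

# Enabled computer objects under the workstation OU.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $workstationOU |
    Select-Object -ExpandProperty Name

$findings = foreach ($computer in $computers) {
    try {
        # Get-LocalGroupMember runs on the remote host and returns every member
        # of the local Administrators group, including nested domain groups.
        $members = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, ObjectClass, PrincipalSource
        }

        foreach ($m in $members) {
            # Anything not on the approved list is a workstation where the
            # least-privilege policy has not yet taken effect.
            if ($allowedAdmins -notcontains $m.Name) {
                [PSCustomObject]@{
                    Computer        = $computer
                    Member          = $m.Name
                    ObjectClass     = $m.ObjectClass
                    PrincipalSource = $m.PrincipalSource
                }
            }
        }
    }
    catch {
        # Unreachable hosts are reported rather than skipped: a workstation that
        # cannot be audited cannot be assumed compliant.
        [PSCustomObject]@{
            Computer        = $computer
            Member          = "(unreachable: $($_.Exception.Message))"
            ObjectClass     = ''
            PrincipalSource = ''
        }
    }
}

# On-screen summary plus a CSV so remediation can be tracked over time.
$findings | Sort-Object Computer, Member | Format-Table -AutoSize
$findings | Export-Csv -Path '.\local-admin-audit.csv' -NoTypeInformation
```

Run on a schedule, the CSV gives a simple trend of how many workstations still carry unexpected local administrators. The policy itself is typically enforced through Group Policy (for example, Restricted Groups under Computer Configuration → Policies → Windows Settings → Security Settings), and this audit confirms that the policy applied where intended.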

We had already been working with the client to maintain their backup systems, which were critical in restoring their office to a working state. Without good backups they could have lost years of data – a catastrophic loss for any business. With our help, they only lost 2 days of data.

What Will Your Strategy Be?

Strategy can help you prepare for a ransomware or other virus attack. We can review your technology policies for weaknesses, such as admin access that is not limited to a few key employees. If your procedures for virus outbreaks are outdated or non-existent, we’ll create policies that teach your users how to identify an outbreak and minimize the damage.

Contact Strategy today to take the first steps in securing your network and training your staff against attacks. We’ll develop a strategic plan to protect against an infection, and we’ll upgrade your backup systems to minimize any losses that might occur.
