First thing this morning I had a phone call from a client about a virus on their Windows PC. Virus removal is not a service I provide but I have removed a few over the years for clients who were unable to do so themselves.

Thankfully, these occasions have been very few and far between, removal has been straightforward enough and any damage has been minimal. Today was a different matter.

The “virus” in question was in fact CryptoWall - a type of malware called ransomware. Removal was straightforward enough but the damage was substantial and the worst malware I have come across. What this malware does is encrypt files with certain file extensions and creates additional files with instructions on how to obtain the decryption key. Without the key there’s no way to open the files.

In this particular case the files in question included photographs, text files, Microsoft Office files, pdfs, you name it - it was encrypted.

Stand and deliver

Now here comes the sting. In order to obtain the decryption key the malware demands that you pay a ransom of $500 using Bitcoins. They also provide instructions on how to use the Tor browser to pay the ransom so that there’s no way of tracing the criminals.

Now this is where backups should come into play. First of all Windows Restore. Nope, unfortunately the malware also deleted the restore points and shadow copies of the files.

Secondly there were backups, albeit not all that fresh, on an external usb hard drive. Again, no luck. As the external hard drive was connected to the pc at the time of the infection all of the files on the hard drive were also encrypted.

Dropbox to the rescue

Fortunately a lot of the damage was mitigated by the fact that I had previously recommended Dropbox to my client in order to have an offsite backup of their files and to enable synchronisation between machines in different locations.

Although the files within Dropbox were also encrypted, Dropbox keeps snapshots of all changes made to your files within the last 30 days meaning that we were able to revert the changes made and restore working versions of these files.

Whilst not ending up a complete disaster the loss and damage is still quite substantial despite having up to date anti-virus software, despite keeping some backups and despite trying to be careful browsing the internet and opening mail.

So what could have been done differently?

Number one obviously would have been even more vigilant as to which website had been visited or emails opened—we still don’t know how the infection ocurred—although it may well have been the case that a reputable site had been hacked.

Number two would have been to have all of the files within the Dropbox folder. In this instance it would have been a piece of cake to restore them all.

Thirdly and finally, would be to have kept regular backups on the external hard drive (if not on two or three external drives) and to detach the drive from the pc once backup procedures were complete. It would also be prudent to disconnect from the internet whilst carrying out these backups.

External hard drives are so cheap these days (1TB drives can be bought for around £40) and offsite backup services such as Dropbox can be used for free (for 2GB of space, 1TB costs $99 a year) that it makes much more sense to do put more stringent backup procedures in place than to put money in the hands of criminals.


comments powered by Disqus