2/06/2015 Editor's Note: This story has been updated to correct an error regarding which versions of Windows include the Restore Previous Versions feature.
A small business owner and frequent contributor to Small Business Computing, Joe Moran has provided small business clients with IT consulting and tech support for nearly 15 years. In this article, he relates an experience he had dealing with a particularly virulent form of malware. He shares lessons learned and security tips to minimize your chances of suffering a similar infection.
I received the call shortly after 5:00 PM on a Friday afternoon. "All my files are gibberish," said my client, now retired from Corporate America but very active in daily stock trading. He closely tracks his investments via numerous Excel spreadsheets, and for about the last hour, he explained, every attempt to open one, or any of his other data files, had produced nothing but error messages or a stream of unintelligible characters.
I immediately suspected what had happened—I hoped I was wrong—and after remotely connecting to and examining his Windows PC, I confirmed my suspicion. The computer had been infected with malware. But not just any malware—my client was a victim of encrypting ransomware.
Hackers, Extortion, and Small Business Data
If you're not familiar with this (relatively) new breed of malware, take time to educate yourself, because ignorance is definitely not bliss. Conventional malware is no picnic, but its mayhem is largely reparable—locking up a system (or bogging down its performance), bombarding you with pop-ups, redirecting Internet searches, hiding or superficially deleting files, and so forth.
But malware doesn't get more malicious than encrypting ransomware, which scans your hard drive (and any other drive it can reach) for files with extensions that identify them as personal data: documents, spreadsheets, databases, pictures, videos, CAD drawings, your QuickBooks company file, and so forth. It then encrypts every one of them with randomly generated keys. Most such families use a hybrid scheme: each file is scrambled with a random symmetric key, and that key is in turn encrypted with a 2,048-bit RSA public key whose matching private key exists only on the criminals' server. Without that private key, brute-forcing the files would take far longer than anyone's lifetime, however much computing power you throw at it.
Though encrypting ransomware has been around for a while in various forms, it first became prominent in late 2013 with the appearance of CryptoLocker, which was soon followed by myriad copycats and other variants, including CryptOrbit, CryptoWall and CryptoDefense.
Regardless of the name, they all share one goal: to scramble your files and then extort you into buying the decryption key (usually $300 to $500, to be paid via cumbersome and shadowy digital currency) in order to regain access. To create a sense of urgency, most encrypting ransomware threatens to delete the key if payment isn't received within two or three days, or raises the ransom as time passes.
Small Business Security: Lessons Learned
In the case of my client, he'd somehow picked up a form of CryptoWall, most likely from an infected website or email attachment, although I can't say for sure. It's also worth noting that his PC became infected in spite of the fact that he was running up-to-date antivirus software.
Lesson 1: Antivirus software won't necessarily protect you.
I removed the CryptoWall infection without too much difficulty (in this case, a comprehensive anti-malware program called Malwarebytes, run in Safe Mode, did the trick), but that's a bit like closing the barn door after the horse has escaped, because removing the virus does nothing to unscramble the encrypted files.
Still, I didn't anticipate any trouble recovering those files, because my client's PC had been performing automatic daily backups to an external hard drive via Windows Backup for the past six months (which we had set up at my urging). I thought recovering the encrypted files would be a simple matter of restoring them from the most recent backup. But when I tried to kick off the restore process, Windows couldn't read any of the backups.
A closer look at the backup drive revealed that it contained files labeled decrypt_instruction in every folder, a telltale sign of the CryptoWall malware. That file name can vary depending on the type of infection. Although the drive had been connected to the PC at the time of infection, CryptoWall was not known to encrypt the kinds of files (such as ZIP, BIN, WBCAT, and VHD) that Windows Backup uses. Yet that appears to be exactly what happened.
Lesson 2: Backup drives can be vulnerable while they're connected to the PC.
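The check a practitioner wants after this lesson: before trusting a backup set that sat connected during an infection, look for the two signs described above, ransom notes dropped into its folders and containers whose contents have been replaced by ciphertext. The script below is an added example, not code from the original article. It knows only two format signatures (a ZIP's PK header and the 'conectix' footer every VHD ends with); the ransom-note names beyond DECRYPT_INSTRUCTION, the entropy threshold and the sample backup tree it builds are assumptions. Entropy alone cannot tell ciphertext from compressed data, which is why a high-entropy file is only called "likely encrypted" when a signature that should be there is missing.

```python
"""Check a backup tree for signs that encrypting ransomware reached it (added example)."""
import math
import os
import tempfile
import zipfile
from collections import Counter
from pathlib import Path

# File-name stems of ransom notes. CryptoWall dropped DECRYPT_INSTRUCTION.TXT,
# .HTML and .URL into every folder it touched; other families use other names,
# so treat this set as a starting point to extend (assumption), not a complete list.
RANSOM_NOTE_STEMS = {"decrypt_instruction", "decrypt_instructions", "help_decrypt"}

ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")   # local file header / empty archive
VHD_COOKIE = b"conectix"                      # first 8 bytes of the 512-byte VHD footer
ENCRYPTED_ENTROPY = 7.5                       # bits/byte; real ciphertext sits near 8.0 (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def vhd_footer_ok(path: Path) -> bool:
    """A VHD always ends with a 512-byte footer whose cookie is 'conectix'."""
    size = path.stat().st_size
    if size < 512:
        return False
    with path.open("rb") as f:
        f.seek(size - 512)
        return f.read(8) == VHD_COOKIE


def classify_file(path: Path, sample_size: int = 65536) -> str:
    """Classify one file from the backup tree.

    ransom_note        - a ransom note was dropped here
    ok                 - the container's signature is intact
    likely_encrypted   - expected signature is gone and the bytes look random
    corrupt_or_unknown - expected signature is gone but content is not random
    high_entropy       - no signature known for this type, but content is random
    unverified         - no signature known for this type, content not random
    """
    if path.stem.lower() in RANSOM_NOTE_STEMS:
        return "ransom_note"
    with path.open("rb") as f:
        head = f.read(sample_size)
    ext = path.suffix.lower()
    if ext == ".zip":
        magic_ok = head.startswith(ZIP_MAGIC)
    elif ext == ".vhd":
        magic_ok = vhd_footer_ok(path)
    else:
        magic_ok = None                        # e.g. .wbcat: no reliable signature known here
    random_looking = shannon_entropy(head) > ENCRYPTED_ENTROPY
    if magic_ok:
        return "ok"
    if magic_ok is False:
        return "likely_encrypted" if random_looking else "corrupt_or_unknown"
    return "high_entropy" if random_looking else "unverified"


def scan_backup(root: Path) -> dict:
    """Map each file (relative to root, POSIX separators) to its verdict."""
    return {p.relative_to(root).as_posix(): classify_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup_is_trustworthy(results: dict) -> bool:
    """Refuse to trust the set if any ransom note or damaged container was found."""
    bad = {"ransom_note", "likely_encrypted", "corrupt_or_unknown"}
    return not any(v in bad for v in results.values())


def build_sample_tree(root: Path) -> None:
    """Constructed test data: an intact ZIP and VHD plus a plain-text catalog in one
    backup set, and a ciphertext-like ZIP beside a ransom note in a later one."""
    good = root / "Backup Set 2015-01-30"
    good.mkdir(parents=True)
    with zipfile.ZipFile(good / "Backup files 1.zip", "w") as z:
        z.writestr("Documents/portfolio.xlsx", b"not really xlsx, just sample bytes")
    (good / "WIN-PC.vhd").write_bytes(bytes(1024) + VHD_COOKIE + bytes(504))
    (good / "GlobalCatalog.wbcat").write_text("catalog entry\n" * 50)
    bad = root / "Backup Set 2015-02-06"
    bad.mkdir()
    (bad / "Backup files 1.zip").write_bytes(os.urandom(32768))   # stands in for ciphertext
    (bad / "DECRYPT_INSTRUCTION.TXT").write_text("constructed ransom note\n")


def demo() -> dict:
    """Build the constructed tree in a temp dir, scan it and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_backup(root)


if __name__ == "__main__":
    verdicts = demo()
    for name, verdict in verdicts.items():
        print(f"{verdict:20s} {name}")
    print("trustworthy:", backup_is_trustworthy(verdicts))
```

Point `scan_backup()` at the root of a real backup drive to run it for yourself; any `ransom_note` or `likely_encrypted` verdict means that set should not be restored from, and a backup set that was offline at the time of infection should be checked the same way before you trust it.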
With the backups out of commission, things looked bleak, and I did not relish telling my client that his choices were to go through the trouble and expense of paying the ransom in the hope that he would receive a decryption key (of course, rewarding criminals for their activities, while expedient, just encourages them), or mourn the loss of his valuable data.
A Lucky Break Saves the Data
As a last resort, I hoped that Windows' Volume Shadow Copy Service, or VSS (a.k.a. Shadow Copy), might be able to save the day. When System Protection is turned on, this operating system feature periodically takes a point-in-time snapshot of a volume (on a schedule, typically daily, and whenever a restore point is created, for example before a software install), and those snapshots are what the Restore Previous Versions feature in Windows 7 and Vista draws on to let you recover older versions of files or folders.
But a problem still existed. While Shadow Copy takes its snapshots on every edition of Vista and Windows 7, the Restore Previous Versions feature isn't available on the Home editions of Windows Vista, which happened to be the operating system on my client's PC. (It is available on the Business and higher editions of Vista and on all editions of Windows 7.)
Fortunately, this was a relatively easy obstacle to get around, thanks to a free tool called ShadowExplorer, which lets you browse and access the shadow copies of any file or folder on any Windows PC that has snapshots to show. It's also a more convenient way to access shadow copies than using Restore Previous Versions. By pointing ShadowExplorer to the locations where my client stored his files, I exposed and recovered versions of his files that existed about four hours before the infection. My client managed to get his data back, losing only a handful of very recent changes to his files.
Lesson 3: Sometimes you have to rely on luck.
Catastrophe averted. But it could easily have turned out differently, because many forms of encrypting ransomware quietly run a built-in administrative command (typically the vssadmin tool) to purge all the shadow copies on a PC, in a deliberate attempt to preclude this kind of recovery. Such attempts don't always succeed: deleting shadow copies requires administrative rights, so if the malware is running under a standard user account and nobody approves the elevation prompt, the snapshots survive. Had the purge worked in my client's case, nothing short of a time machine or perhaps a futuristic quantum computer would have retrieved his data.
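The purge described above is usually carried out with tools already on the machine rather than custom code: `vssadmin Delete Shadows /All /Quiet`, `vssadmin Resize ShadowStorage` (shrinking the store forces old snapshots out), `wmic shadowcopy delete`, `wbadmin delete catalog` against the Windows Backup catalog, and `bcdedit` to switch off Windows recovery. Process-creation logging (Sysmon Event ID 1, or Security event 4688 with command-line auditing enabled) records every one of them, which makes this one of the few moments where an infection is loud. The detection logic below is an added example, not from the original article; the pipe-separated record format, the constructed sample log, the file names in it and the "parent launched from a user-writable folder" heuristic are all assumptions.

```python
"""Flag shadow-copy and backup-catalog destruction in process-creation events (added example)."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Each rule: (reason, image-name regex, command-line regex). Matching is
# case-insensitive and tolerant of quoting, full paths and the .exe suffix.
RULES = [
    ("vssadmin deletes shadow copies", r"vssadmin", r"\bdelete\s+shadows\b"),
    ("vssadmin shrinks shadow storage (purges old snapshots)", r"vssadmin", r"\bresize\s+shadowstorage\b"),
    ("wmic deletes shadow copies", r"wmic", r"\bshadowcopy\s+delete\b"),
    ("wbadmin deletes the Windows Backup catalog", r"wbadmin", r"\bdelete\s+catalog\b"),
    ("bcdedit disables Windows recovery", r"bcdedit", r"recoveryenabled\s+no\b"),
    ("PowerShell deletes Win32_ShadowCopy objects", r"powershell", r"win32_shadowcopy.*\bdelete\b"),
]

# Heuristic (assumption): a parent process running out of a user-writable
# folder is typical of freshly dropped malware, but it is context, not proof.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    time: str
    image: str
    parent_image: str
    command_line: str


@dataclass
class Alert:
    event: ProcessEvent
    reason: str
    parent_in_user_writable_path: bool


def parse_events(lines) -> Iterator[ProcessEvent]:
    """Parse constructed 'time|image|parent_image|command_line' records.
    Real sources (Sysmon Event ID 1, Security 4688 with command-line auditing)
    carry the same four fields under other names; swap this parser for theirs."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 3)          # command lines may themselves contain '|'
        if len(parts) != 4:
            continue
        yield ProcessEvent(*(p.strip() for p in parts))


def match_rule(event: ProcessEvent) -> Optional[str]:
    """Return the reason of the first rule the event matches, or None."""
    image = event.image.rsplit("\\", 1)[-1]  # compare on the file name only
    for reason, image_re, cmd_re in RULES:
        if re.search(image_re, image, re.IGNORECASE) and \
                re.search(cmd_re, event.command_line, re.IGNORECASE):
            return reason
    return None


def detect(lines) -> List[Alert]:
    """Run every rule over every event; one alert per matching event."""
    alerts = []
    for ev in parse_events(lines):
        reason = match_rule(ev)
        if reason is not None:
            alerts.append(Alert(ev, reason, bool(USER_WRITABLE.search(ev.parent_image))))
    return alerts


# Constructed sample log: two benign administrator actions bracket the burst
# a ransomware dropper (here a made-up a1b2c3.exe in %TEMP%) fires off.
SAMPLE_LOG = r"""# constructed sample, time|image|parent_image|command_line
2015-02-06 16:48:10|C:\Windows\System32\vssadmin.exe|C:\Windows\System32\cmd.exe|vssadmin list shadows
2015-02-06 16:52:03|C:\Windows\System32\vssadmin.exe|C:\Users\user\AppData\Local\Temp\a1b2c3.exe|"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
2015-02-06 16:52:04|C:\Windows\System32\wbem\WMIC.exe|C:\Users\user\AppData\Local\Temp\a1b2c3.exe|wmic shadowcopy delete
2015-02-06 16:52:05|C:\Windows\System32\wbadmin.exe|C:\Users\user\AppData\Local\Temp\a1b2c3.exe|wbadmin DELETE CATALOG -quiet
2015-02-06 16:52:06|C:\Windows\System32\bcdedit.exe|C:\Users\user\AppData\Local\Temp\a1b2c3.exe|bcdedit /set {default} recoveryenabled No
2015-02-06 17:10:00|C:\Windows\System32\vssadmin.exe|C:\Windows\System32\cmd.exe|vssadmin create shadow /for=C:
2015-02-06 17:11:30|C:\Windows\System32\wbem\WMIC.exe|C:\Windows\explorer.exe|wmic os get caption
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        flag = " [parent in user-writable path]" if a.parent_in_user_writable_path else ""
        print(f"{a.event.time}  {a.reason}{flag}\n    {a.event.command_line}")
```

On the sample, the four destructive commands alert and the two legitimate `vssadmin list` / `vssadmin create` invocations stay quiet. In practice a single `vssadmin Delete Shadows /All /Quiet` from a non-IT user's session is worth treating as an active incident, because the encryption pass usually follows within seconds.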
How To Minimize Encrypting Ransomware Risk
I wish I could tell you how to be 100 percent safe from the scourge of encrypting ransomware, but there's no practical way do that. Still, there are ways to minimize the risk of infection, and to minimize the scope of the damage in the event that one occurs.
- Run up-to-date anti-malware software (sadly, that's not as obvious to some people as it should be). But more importantly, pair it with a firewall or security service that automatically blocks connections to known malicious websites and IP addresses (OpenDNS Umbrella is one example). This may stop an infection from "phoning home" to its command-and-control server for the encryption key it needs before it can start wreaking havoc, although not every variant needs to call home first; some carry their public key with them.
- If backing up to an external hard drive, don't leave it connected to the PC. Or, use a second drive to make periodic extra backups, but keep it disconnected whenever it's not backing up.
- If you can avoid it, don't map shared folders on a server to your PC using drive letters. If you get infected, the contents of any such folders will be encrypted along with your local files. A safer alternative, if you can see the resource in Windows Explorer, is to right-click it and choose Create Shortcut. Bear in mind that this only hides the share from malware that walks the drive letters; a variant that enumerates network shares directly will still find it, so the real protection is to give each account write access only to the shares it actually needs.
- Don't rely solely on online file synchronization services (e.g. Dropbox, OneDrive) to protect your important files, because they will faithfully sync the encrypted copies to the cloud and on to your other devices. Similarly, if you use an online backup service, make sure it retains older versions of your files; you don't want the automatic backup of an encrypted file to overwrite the only good copy you have.
But above all, the best advice is to take five or ten seconds to STOP, LOOK, and THINK before you click on something, particularly if it's a link or attachment in an email. Those few seconds may seem like an eternity in the moment, but it's nothing compared to what you'll lose if your computer gets infected and you don't have a bit of luck on your side.
Joseph Moran is a veteran technology writer and co-author of Getting StartED with Windows 7, from Friends of ED.