A friend of mine called me for advice yesterday. He had just gotten hit hard by ransomware.
If you’ve been keeping up with the news lately, you’ve probably heard about the explosion of the ransomware strain known as Locky. Locky is a very aggressive type of malware that encrypts files on a victim’s computers and crawls through network shares that are accessible to the victim. It is typically delivered by macros inside of Microsoft Word documents sent through email. When recipients open the Word document, they are prompted to enable macros, and when they do, the ransomware embedded in the macro executes and infects the victim’s computer.
This is what happened to my colleague, who works for another company. So far, we’ve escaped Locky at my company, but I’ve had my own experiences with ransomware, and I’d rather be the one giving advice on how to deal with it than the one who has to clean up the mess. And because of my own experience, I was able to give some helpful advice to my friend.
My first question to him was, “What is the current situation?” About 75% of the documents and important files on his company’s computers and file shares had been replaced by ones with “.locky” extensions. (His team had turned off the majority of end-user PCs to stop the spread of the infection.) There was a text file in the affected folders with instructions to pay a ransom of half a bitcoin to purchase the decryption key, along with instructions about where to go to do so.
My second question was, “Can you restore the files from backup?” This is what I did in my own ransomware situation last year, and it was effective. I just deleted all the encrypted files and restored them from backup, making sure the source of the infection was neutralized, and never looked back. My friend was not so lucky. Files stored on the network storage system were backed up every week, so there wouldn’t be too much data lost, but restoring them would take about 36 hours. And most employees of his company had been saving important files locally to their My Documents and Desktop folders, where they were not backed up, and they insisted that getting those files back was essential to business.
At this point, you probably have the same thought that I and my friend had: Just pay the ransom. Half a bitcoin, at today’s exchange rate, is just under $210. Assuming that the criminals are honest and provide the decryption key as promised, they should get their files back. I don’t yet know how this will work out — he purchased the bitcoin and sent the payment but hasn’t yet heard back from the Locky operators. I hope he doesn’t have to call their help desk — I can’t imagine what that conversation would be like.
I asked about the source of the infection. After all, there’s little point in decrypting the files if the malware is still active. It may end up re-encrypting the files, putting him back to square one. But in their haste to stop the infection, they turned off most of the computers and hadn’t yet determined which one was doing the encrypting. I advised him to bring in a professional forensics malware specialist at this point, which he agreed to. In this situation, you want to be 100% sure you contain the situation.
I figure that, given the amount of time required to encrypt so many files, the malware must have been active for over a day. It probably started doing its nasty work in the late afternoon the day before, and everyone went home without noticing that files were being gobbled up. Hopefully, the decryption process will take less than a day. In the meantime, the forensics team can eliminate the infection. If it were me, I would probably throw away all the end-user computers and buy new ones!
I also advised my colleague to block macro-enabled Word (and Excel and PowerPoint) documents from being delivered in email, and I would advise you to do this as well. I have never seen anybody send a legitimate Office document containing a macro from outside a company. Sure, they might be used internally occasionally, but I think the odds of such documents that originate from outside being work-related are nil. And trust me, you don’t want to get Locky.
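One way a mail gateway could apply that block, shown as an added example that is not part of the original column. The function names and the sample attachments are constructed for illustration, and the check for legacy .doc/.xls/.ppt files is a byte-search heuristic rather than a full parse of the container.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppsm")
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # legacy .doc/.xls/.ppt container
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # OLE directory names are UTF-16LE

def macro_reason(filename, data):
    """Return why an attachment should be blocked, or None if no macro sign is found."""
    if filename.lower().endswith(MACRO_EXTS):
        return "macro-enabled extension"
    if data.startswith(b"PK"):  # OOXML is a ZIP; this catches a .docm renamed to .docx
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    return "OOXML contains vbaProject.bin"
        except zipfile.BadZipFile:
            return "unreadable ZIP container"
    if data.startswith(OLE_MAGIC) and VBA_STREAM in data:  # heuristic, not a full OLE parse
        return "legacy OLE file with VBA project stream"
    return None

def scan_message(raw):
    """Return [(filename, reason)] for every flagged attachment in a raw mail message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name, data = part.get_filename() or "", part.get_payload(decode=True) or b""
        if reason := macro_reason(name, data):
            hits.append((name, reason))
    return hits

def sample_message():
    """Constructed mail: a clean .docx, a .docx hiding a VBA part, and a legacy .doc."""
    def ooxml(names):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for n in names:
                z.writestr(n, "x")
        return buf.getvalue()
    m = EmailMessage()
    m.set_content("See attached.")
    for name, data in [("clean.docx", ooxml(["word/document.xml"])),
                       ("invoice.docx", ooxml(["word/document.xml", "word/vbaProject.bin"])),
                       ("scan.doc", OLE_MAGIC + b"\0" * 64 + VBA_STREAM)]:
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()
```

A gateway would call scan_message() on each inbound message from outside the company and quarantine anything for which it returns a non-empty list.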
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at jf.rice@engineer.com.