Ransomware – a real and present danger

A few weeks ago, one of our clients opened an email from a legitimate sender that contained a .zip file.

This wasn’t exactly normal correspondence, but it also wasn’t unusual to be contacted via email by this contact.

Shortly after, I was called and informed it appeared they had a virus. They said a strange pop-up warning message came up and they couldn’t get rid of it.

“Please don’t click anything anymore,” I replied. I asked if it resembled their antivirus alerts or had any reference to their web filter. They told me that less than a minute after the .zip file was opened, they got the 72-hour countdown screen from CryptoLocker stating that they needed to purchase the $300 encryption key or all data would be encrypted and useless.

I told the person to unplug the PC from the network and cut off the power. They would have to work from another station until we could send over someone to take care of it.

I walked out with the infected piece of hardware under my arm.

I got back to my office and started researching CryptoLocker while I ran scans on the machine with no network connection. I downloaded the latest version of Malwarebytes to an empty flash drive and loaded it onto the machine as the first scan finished with no results. I started a full system scan with Malwarebytes and went back to researching what I could about this particular virus, and checking the shared files and drives the machine had access to.

It looked like it favored user-modified documents with MS Office, Adobe, and .txt type extensions. I followed file paths the user had rights to and, BAM, every single document produced the same error message: “This file cannot be opened because the file format or file extension is not valid. Verify that the file has not been corrupted and that the file extension matches the format of the file.”

If I forced a file to display its contents, it was a massive garbled mess of encrypted data. I had to restart the Malwarebytes scan two times before I decided it was a waste of time. I needed to re-image the machine and move on to backups.
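The symptom described above, a file that keeps its name and extension but no longer opens and shows only garbage, can be triaged across a whole share without opening each document by hand. The script below is an added example and not something from the original post: it walks a directory tree and checks each document's leading bytes against the header its extension promises (Office 2007+ files are ZIP containers, legacy .doc/.xls are OLE2 compound files, PDFs begin with `%PDF-`), confirms a missing header with a byte-entropy measurement, and checks plain-text files for a printable-character ratio. It assumes, as the post's error message implies, that the ransomware overwrote the file bodies but left the file names and extensions in place. The sample share it builds in a temporary directory is constructed for the demonstration.

```python
import math
import os
import shutil
import tempfile
import zipfile
from collections import Counter

SAMPLE_BYTES = 4096          # how much of each file to inspect
ENTROPY_THRESHOLD = 7.5      # bits per byte; ciphertext sits near 8.0

# Leading bytes each document type must carry. Office 2007+ formats are ZIP
# containers, legacy .doc/.xls are OLE2 compound files, PDF starts with "%PDF-".
MAGIC = {
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".pdf": b"%PDF-",
}
TEXT_EXTENSIONS = {".txt", ".csv", ".log"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for prose, 6-7 for Office ZIPs, near 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: str) -> str:
    """Return 'intact', 'encrypted', 'suspect' or 'unknown' for one file."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)

    if ext in MAGIC:
        if head.startswith(MAGIC[ext]):
            return "intact"
        # Header is gone. Ciphertext is near 8 bits/byte; a merely misnamed or
        # truncated file usually is not, so only call it encrypted when both agree.
        return "encrypted" if shannon_entropy(head) > ENTROPY_THRESHOLD else "suspect"

    if ext in TEXT_EXTENSIONS:
        if not head:
            return "intact"
        printable = sum(1 for b in head if 32 <= b < 127 or b in (9, 10, 13))
        return "intact" if printable / len(head) >= 0.9 else "encrypted"

    # No header model for this type; high entropy alone would also flag JPEGs and
    # archives, so leave it for a human rather than guess.
    return "unknown"


def scan_tree(root: str) -> dict:
    """Walk a share and map each file (relative path, '/'-separated) to its verdict."""
    verdicts = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            verdicts[rel] = classify(full)
    return verdicts


def build_demo_share() -> str:
    """Constructed sample share: one intact and one overwritten copy of each document type."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "intact"))
    os.makedirs(os.path.join(root, "hit"))
    with open(os.path.join(root, "intact", "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n% constructed sample document\n" + b"0 0 obj\n" * 50)
    with open(os.path.join(root, "intact", "notes.txt"), "w") as fh:
        fh.write("Meeting notes, constructed sample text.\n" * 40)
    with zipfile.ZipFile(os.path.join(root, "intact", "budget.xlsx"), "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # minimal ZIP container
    # "hit" files stand in for documents whose bytes were replaced by ciphertext
    for name in ("report.pdf", "notes.txt", "budget.xlsx"):
        with open(os.path.join(root, "hit", name), "wb") as fh:
            fh.write(os.urandom(SAMPLE_BYTES))
    with open(os.path.join(root, "hit", "photo.bin"), "wb") as fh:
        fh.write(os.urandom(512))   # unmodelled type: should come back 'unknown'
    return root


def demo() -> dict:
    """Build the constructed share, scan it, clean up, and return the verdicts."""
    root = build_demo_share()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:10} {rel}")
```

Point `scan_tree()` at a mounted share (read-only is enough) to get a per-file list of what needs restoring versus what can be left alone, which is the decision the post had to make before pulling a 214 GB backup. Header checks are deliberately preferred over entropy alone: a healthy .docx is already compressed and scores high on entropy, so entropy is used only to corroborate a missing header, never as the sole verdict.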

In that short amount of time while the machine was connected to the network, it had encrypted all of the documents on the PC and nearly 80 percent of the public drive the user had read/write access to, a drive that employees of all types at that client relied on heavily.

This being Monday, I decided to restore from Friday's backup. I wanted to avoid any chance of reviving a virus I presumed dead on this one machine, so I stopped all current backup tasks.

I ended up copying the 214 GB backup file to a different location and gave a new service account access to it. It worked. I was able to browse the backup file tree and restore the portion that was corrupted.

All in all, the ransomware spread incredibly fast, and all documents (Office file types, .txt, .pdf) were unreadable even if they did open. Lesson to everyone – pull that computer off the internet and network as soon as you can. Otherwise, the encryption reaches every network drive and cloud-stored file the user can write to, and that data is destroyed.