At about 9:30 yesterday morning a user comes to me saying that they would like me to take a look at an Excel file as it is now corrupted and will not open. As I am attending to this another user comes and says that they can no longer access several Word documents, with similar error messages – alarm bells are now ringing. Look at the files and sure enough they will not open – last modification dates are unchanged from expected, but comparing the files to a recent backup shows completely different contents.
Just as I am thinking that this doesn't just look corrupted, but encrypted, the first user comes back saying that their email signature is now garbled. Whatever it is, it is on that PC – so pull the network cable and almost immediately a window appears – we have been infected by CryptoLocker.
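The two signals that gave the infection away above – a document whose first bytes no longer match its extension, and a file whose contents differ from the backup copy even though its modification time is unchanged – can be checked mechanically across a share. The script below is an added example, not part of the original post: it walks a live tree, compares each file with its twin in a backup tree, and reports files that trip either check. The magic-byte table, the directory layout and the three sample files it builds are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# First bytes expected for the document types the post mentions (constructed
# table for the demo; extend it for the file types on your own shares).
MAGIC = {
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large shares do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_file(live: Path, backup: Optional[Path]) -> List[str]:
    """Return the indicators that apply to one live file (empty list = clean)."""
    indicators = []
    expected = MAGIC.get(live.suffix.lower())
    if expected is not None:
        with live.open("rb") as f:
            head = f.read(len(expected))
        if head != expected:
            indicators.append("header-mismatch")
    if backup is not None and backup.is_file():
        # A normal edit bumps mtime; content that changed while mtime stayed
        # put is exactly what the post observed on the encrypted files.
        live_mtime = int(live.stat().st_mtime)
        backup_mtime = int(backup.stat().st_mtime)
        if live_mtime == backup_mtime and sha256_of(live) != sha256_of(backup):
            indicators.append("content-changed-mtime-unchanged")
    return indicators


def scan(live_root: Path, backup_root: Path) -> Dict[str, List[str]]:
    """Walk the live tree and return {relative path: [indicators]} for every
    file that trips at least one check against its backup twin."""
    findings = {}
    for live in sorted(p for p in live_root.rglob("*") if p.is_file()):
        rel = live.relative_to(live_root)
        hits = check_file(live, backup_root / rel)
        if hits:
            findings[rel.as_posix()] = hits
    return findings


def build_demo(root: Path):
    """Constructed sample data: a backup tree and a live tree with three files.
    'report.docx' was overwritten by ciphertext but kept its original mtime;
    'notes.xlsx' is untouched; 'memo.doc' was legitimately edited (new content,
    newer mtime, header intact)."""
    backup, live = root / "backup", root / "live"
    backup.mkdir(parents=True, exist_ok=True)
    live.mkdir(parents=True, exist_ok=True)
    base_time = 1_380_000_000  # constructed timestamp

    # Deterministic pseudo-random bytes standing in for encrypted content.
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

    files = {
        "report.docx": (MAGIC[".docx"] + b"word/document.xml" * 20, blob, base_time),
        "notes.xlsx": (MAGIC[".xlsx"] + b"xl/workbook.xml" * 20, None, base_time),
        "memo.doc": (MAGIC[".doc"] + b"old memo text", MAGIC[".doc"] + b"new memo text", base_time + 3600),
    }
    for name, (original, current, live_time) in files.items():
        (backup / name).write_bytes(original)
        os.utime(backup / name, (base_time, base_time))
        (live / name).write_bytes(original if current is None else current)
        os.utime(live / name, (live_time, live_time))
    return live, backup


def run_demo() -> Dict[str, List[str]]:
    """Build the constructed trees in a temp dir, scan them, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        live_root, backup_root = build_demo(Path(tmp))
        return scan(live_root, backup_root)


if __name__ == "__main__":
    for rel, hits in run_demo().items():
        print(f"{rel}: {', '.join(hits)}")
```

Only the encrypted document is reported; the untouched spreadsheet and the legitimately edited memo pass both checks. On a real share, run it against the most recent backup and treat any hit on a file nobody claims to have edited as the cue to pull the network cable, as the post did.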
If you haven't heard of this one yet, it is a very nasty piece of work. It basically encrypts any accessible documents on both local and shared drives, and the only way to get them decrypted is to pay a fee for the decryption key. If the malware gets tampered with or is removed then the decryption key is destroyed.
Made the decision not to pay and have just spent the last 24 hours scanning, cleaning and restoring our system. We ended up having two infected PCs and thousands of encrypted files on our server drives.
We were lucky in that it was detected quickly after infection and the data loss was minimal. If our backup systems had not been up to date then it could have been a very different story.
Our antivirus was up to date at the time of infection and even a manual full scan would not detect it yesterday morning. Some info regarding CryptoLocker can be found in the link below:
Up to this point my home computer backups have just been copies of files on shared folders and external drives, but now I'm moving to something a bit more comprehensive.