When Malware Strikes, What is Your Backup Plan?

Lessons Learned from the CryptoLocker Outbreak

Jeff Mansir, Risk and Business Advisory Senior Manager
September 2014

Imagine: a criminal has taken control of something you value, forcing you to determine how much you are willing to pay to get it back, and whether you are willing to do so. From this unenviable position, you consider rewarding the very behavior that has created your quandary.

Most days at work are not quite so dark… but for some unlucky businesses in the past year, this dilemma was presented in the form of CryptoLocker malware.

First, a bit of background: CryptoLocker is a type of malware known to encrypt files, selected by extension type, using public/private key cryptography. When activated, the malware encrypts files stored on local and network drives, and the paired private key needed to decrypt them is held only on the malware’s control servers. The malware then displays a nasty message offering to decrypt the data IF payment is made to the malware hostage-takers by a stated deadline. Payment is often requested in Bitcoin.

The malware itself is usually easy to remove, but the files remain encrypted under a strong RSA encryption scheme. Even with skill and resources, cracking the encryption key is not a viable option. By the middle of 2014, the botnet used to propagate this malware was shut down, the private key database captured, and a mechanism for decrypting files was established. Before this time, some users paid the ransom, rewarding the criminals. Some of those who paid were able to decrypt their files. Many, though, either paid but were not able to decrypt their files, or did not pay and lost all of the encrypted data.

So, how does one “win” from such a disadvantaged position?

  1. Data backups: It is much easier to recover from a malware attack when a complete, retrievable copy of the data is readily available. Once the malware is detected and eradicated, having a clean, complete copy of files enables restoration back to normal with minimal downtime. A strong backup regime includes all files needed to rebuild, and verifies that they are actually restorable. Finally, make sure the backup copy exists outside of all mountable drives, outside the reach of CryptoLocker.
  2. The Cloud: Responding to a malware infection is a great example of an instance in which a redundant, patched, malware-free copy of data looks mighty appealing. Done right, externally-hosted data copies can help reduce the concentration risk inherent in a typical local area network and provide options in a crisis.
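The first point above, that a backup is only useful if it is complete and actually restorable, can be checked mechanically rather than assumed. The following is an added example, not code from the original article or from BNN: it records a SHA-256 manifest of the files at backup time, then compares a restored copy against that manifest and reports anything missing or altered (an encrypted file will no longer match its recorded hash). The file names and contents in the demo are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example (not part of the original article): build a hash manifest
# of a backup set, then verify a restored copy against it.


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its size and SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def verify_restore(restored_root: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest.

    Returns lists of files that are missing, whose contents differ
    (e.g. encrypted or truncated), and extra files not in the manifest.
    """
    report = {"missing": [], "modified": [], "extra": []}
    seen = set()
    for p in restored_root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(restored_root).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            report["extra"].append(rel)
        elif (p.stat().st_size != expected["size"]
              or sha256_file(p) != expected["sha256"]):
            report["modified"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    for key in report:
        report[key].sort()
    return report


def demo() -> tuple:
    """Constructed scenario: back up three files, restore them cleanly,
    then damage the restored copy and verify again. Returns both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "shared"
        src.mkdir()
        (src / "budget.xlsx").write_bytes(b"quarterly numbers")
        (src / "clients").mkdir()
        (src / "clients" / "list.docx").write_bytes(b"client list")
        (src / "notes.txt").write_bytes(b"notes")
        manifest = build_manifest(src)
        # The manifest is what you would store alongside the backup media.
        manifest_json = json.dumps(manifest)

        # Restore to a fresh location by copying each file; this should pass.
        restored = Path(tmp) / "restored"
        for rel in manifest:
            dst = restored / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            dst.write_bytes((src / rel).read_bytes())
        clean = verify_restore(restored, json.loads(manifest_json))

        # Simulate a bad restore: one file's contents replaced, one file gone.
        (restored / "budget.xlsx").write_bytes(b"\x00garbled\x00")
        (restored / "notes.txt").unlink()
        damaged = verify_restore(restored, json.loads(manifest_json))
        return clean, damaged


if __name__ == "__main__":
    clean_report, damaged_report = demo()
    print("clean restore:", clean_report)
    print("damaged restore:", damaged_report)
```

Run the restore test against a copy, never against the live share, and keep the manifest with the off-line backup so that a compromised file server cannot quietly rewrite both.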

Having strong patching and antivirus strategies can play a role in preventing malware infections. Being mindful of remote access into the local area network (for example, from employees’ home computers) is critical to reducing the risk of malware being introduced to the network by users working remotely. Be sure to block file types known to be used as malware vectors (such as .zip), or be prepared to block them quickly if a threat is known.

Like many forms of malware, CryptoLocker is typically spread through infected email attachments. Never open email or attachments you aren’t expecting. Avoid forwarding your personal emails to work.
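The two preceding paragraphs advise blocking risky attachment types such as .zip at the boundary. As an added example (not code from the original article or from BNN), the following Python uses the standard library's email parser to flag attachments that a mail gateway should quarantine, checking both the declared filename extension and the declared MIME type so that a .zip sent under a misleading name is still caught. The blocklist contents beyond .zip, and the sample message itself, are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Illustrative blocklist (assumption, not from the article): extend or
# tune for your environment. The article names .zip specifically.
BLOCKED_EXTENSIONS = {".zip", ".exe", ".scr", ".js", ".jar"}
BLOCKED_MIME_TYPES = {
    "application/zip",
    "application/x-zip-compressed",
    "application/x-msdownload",
}


def blocked_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for each attachment to quarantine."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container parts carry no payload of their own
        name = part.get_filename()
        ctype = part.get_content_type()
        if name is None and part.get_content_disposition() != "attachment":
            continue  # inline message body, not an attachment
        name = name or "(unnamed)"
        lower = name.lower().strip()
        ext = "." + lower.rsplit(".", 1)[1] if "." in lower else ""
        if ext in BLOCKED_EXTENSIONS:
            hits.append((name, f"extension {ext}"))
        elif ctype in BLOCKED_MIME_TYPES:
            hits.append((name, f"content type {ctype}"))
    return hits


def build_sample_message() -> bytes:
    """Constructed message: one benign PDF and two attachments to block."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # Blocked by extension (case-insensitive match).
    msg.add_attachment(b"PK\x03\x04 placeholder", maintype="application",
                       subtype="zip", filename="Invoice_Q3.ZIP")
    # Benign-looking name, but the declared content type is a zip archive.
    msg.add_attachment(b"PK\x03\x04 placeholder", maintype="application",
                       subtype="zip", filename="scan.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in blocked_attachments(build_sample_message()):
        print(f"quarantine {filename}: {reason}")
```

In practice a gateway would also inspect the actual bytes of the attachment rather than trusting the declared type, but even this header-level check removes the most common .zip lure the article describes.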

For one client we worked with this past year, the result was a best-case scenario: the backups were uncompromised, restored without issue, and appeared to be complete. Business resumed within a few days of the outbreak; in the meantime, they realized just how dependent they were on a few key spreadsheets and files. It was a long couple of days.

So, test your backups frequently, and be mindful of emerging IT threats. Don’t be afraid to call in resources when necessary, and consider cloud-based solutions – where and when it makes sense for your organization. Several copies of your data, well-secured, dispersed, and available, make solving the malware dilemma a much easier process for your business.

For additional information and guidance on detecting and preventing fraud, please contact Jeff Mansir or your BNN advisor.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.

IRS CIRCULAR 230 DISCLOSURE:
Pursuant to requirements imposed by the Internal Revenue Service, any tax advice contained in this communication (including any attachment) is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code or promoting, marketing or recommending to another person any tax-related matter. Please contact us if you wish to have formal written advice on this matter.