Yet Another Crypto-wall Virus

Blog / Yet Another Crypto-wall Virus

It all started when we received a call from the Client.  It was a new Client who was referred to us by one of their neighbour municipalities. It appeared their accounting system and Email were not working. We did a very preliminary investigation and found there were serious problems – the accounting databases (SQL Server) and Email files (Outlook PST) were encrypted.  We immediately suspected a ransomware virus – although we had never seen one targeted at those specific file types.  Normally, ransomware attacks the common files like Word, Excel, PowerPoint, and PDFs.

Things went from bad to worse when we started looking at their Account Security settings and backups. The backups were erratic, and the account security settings were weak.  Both provided an opportunity for the hacker to gain access and do serious damage. The hacker used a Remote Desktop account that had a simple (Admin) account name and the Client’s corporate name as the password – very easy to guess.  Once in, they were able to manipulate all of the critical server system and data files; everything was wide open for them.  Of course, they planted a virus that encrypted the target files, causing massive damage to the Client’s critical data.

We suspect the hacker was in the system for several days!  It’s only when the accounting and Email stopped working that the users had any idea there was a problem.  It’s still not known if the hackers stole any critical information – or planted time-bombs that could be remotely activated in the future.  In other words, it was a mess!

The only safe method of restoring the network was to rebuild an independent new network from scratch – setting up a new central server (Domain Controller), re-creating the user accounts, installing a new copy of the accounting system, and carefully restoring cleansed files. It was a massive job. As I’m writing this, the accounting software vendor is just finishing the configuration of the accounting files.

A full week has gone by, and while the system is partially restored, there are some Email history files that will never be recovered.  If they are like me, I keep a lot of valuable corporate information in my past and present Emails – and I don’t want to think about what it would be like if I lost them.

So, best practices for protecting your network from this new virus are the same as protecting yourself from the old viruses:

  • Limit the number and use of Remote Desktop users.
  • Use non-obvious account names
  • Use strong passwords
  • Implement VPN (Virtual Private Networks) on Remote connections
  • Implement two-factor authentication on Remote connections
  • Insure your backups are working and test them frequently
  • Store copies of your backups offsite

It will help keep your network safe and keep our techs in their own beds at night.

Please contact me or your Primary Tech if you would like more information on how to protect your organization from malicious ransomware attacks.

 

Thanks,

Dave White 
TRINUS