Cryptolocker is a now well-known type of malware that can be particularly harmful to data stored on a computer. It carries code that encrypts files, making them inaccessible to users, and demands a ransom (paid in bitcoin, for example) for the key needed to decrypt them, hence the name "ransomware".
Cryptolocker-type malware infiltrates through different vectors (email attachments, file sharing websites, downloads, etc.) and is becoming more resistant to antivirus solutions and firewalls; it is safe to say that these threats will continue to evolve and become increasingly good at circumventing corporate security measures. Cryptolocker is already in its 6th or 7th variant!
Is there an insurance policy?
All experts agree that a solid backup plan is always the best prescription for dealing with this type of malware. But what does a good backup plan imply, and what would a well-executed plan look like?
The backup plan must be tested regularly (a restore that has never been exercised is not a backup) and should preferably include an offsite copy that the infected systems cannot write to, since this kind of malware also encrypts files on any network share it can reach. Using the ESI cloud backup service is an easy solution to implement.
The automated copy acts as an insurance policy in case of intrusion. Regular backups provide a secondary offsite datastore and act as a fallback mechanism in case of malicious attack.
What to do in case of infection?
From the moment your systems are infected with Cryptolocker, you are already dealing with several encrypted files. If you do not have a mechanism in place to detect or monitor bursts of file changes (e.g. more than 100 files modified per minute from a single host or user), the damage can be very extensive before anyone notices.
- Notify the security officer of your IT department.
- Above all, do not pay the ransom: there is no guarantee you will receive a working key, and paying marks you as a target for further attacks.
- You will have no choice but to restore your files from a backup copy taken before the infection, onto machines that have been cleaned or reimaged. This copy becomes invaluable in your recovery efforts, as it provides a complete record of your data.
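The "100 files per minute" rule of thumb above can be turned into a simple sliding-window detector. The following is an added example written for this article, not a tool from ESI or from the original text; it assumes a constructed file-event log in the form "<ISO-8601 timestamp> <ACTION> <path>" (in a real deployment the events would come from auditd, inotify, Windows file auditing or a SIEM feed) and raises one alert each time the number of create/modify/rename events in the last 60 seconds crosses the threshold.

```python
"""Rate-based file-change burst detector (added example, not ESI's tooling).

Assumed input (constructed for this example): chronologically ordered log
lines of the form "<ISO-8601 timestamp> <ACTION> <path>", where ACTION is
CREATE, MODIFY, RENAME or DELETE. Only the first three count towards the
burst, because encrypting ransomware rewrites or renames files en masse.
"""
from collections import deque
from datetime import datetime, timedelta

THRESHOLD = 100                   # files changed ...
WINDOW = timedelta(seconds=60)    # ... within this sliding window
COUNTED_ACTIONS = ("CREATE", "MODIFY", "RENAME")


def parse_event(line):
    """Split one log line into (timestamp, action, path)."""
    ts, action, path = line.split(" ", 2)
    return datetime.fromisoformat(ts), action, path


def detect_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return a list of (timestamp, count) alerts.

    One alert is emitted each time the count of counted events inside the
    trailing window rises to `threshold`; it re-arms once the count drops
    below the threshold again, so a sustained burst yields a single alert.
    """
    recent = deque()      # timestamps of counted events inside the window
    alerts = []
    tripped = False
    for line in lines:
        ts, action, _path = parse_event(line)
        if action not in COUNTED_ACTIONS:
            continue                      # deletes do not count here
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()              # expire events older than window
        if len(recent) >= threshold:
            if not tripped:
                alerts.append((ts, len(recent)))
                tripped = True
        else:
            tripped = False
    return alerts


def build_sample_log():
    """Constructed sample: 20 minutes of normal editing, then a burst."""
    base = datetime(2016, 4, 26, 10, 0, 0)
    lines = []
    # Normal activity: one document saved every 30 seconds.
    for i in range(20):
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} MODIFY /share/docs/report{i}.docx")
    # Ransomware-like burst: 120 files rewritten/renamed in 36 seconds,
    # with a couple of DELETE events mixed in that must be ignored.
    burst_start = base + timedelta(minutes=15)
    for i in range(120):
        ts = burst_start + timedelta(milliseconds=300 * i)
        action = "MODIFY" if i % 2 == 0 else "RENAME"
        lines.append(f"{ts.isoformat()} {action} /share/finance/file{i}.xlsx")
        if i in (10, 50):
            lines.append(f"{ts.isoformat()} DELETE /share/finance/tmp{i}.bak")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for when, count in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {when.isoformat()}: {count} files changed in the last "
              f"{int(WINDOW.total_seconds())}s")
```

On the constructed sample the detector stays silent through the normal editing and fires once, at the 100th burst event, roughly 30 seconds into the burst; in production the alert should trigger an automatic response (disabling the offending account's share access, for example) rather than only an email, since the remaining files are encrypted within the following seconds.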
After treatment, are you still vulnerable?
Despite good backup practices, you still remain at risk after restoring your data: the vector that let the malware in is still there unless it is identified and closed.
An assessment of your security policies and your backup plan by professionals such as ESI Technologies will provide recommendations to mitigate such risks in the future. Some security mechanisms exist to protect you from malware that is still unknown to signature-based detection systems. Contact your ESI representative to discuss it!
Roger Courchesne – Director, Security and Internetworking Practice – ESI Technologies
This was the 13th edition of this annual event organized by Comtois-Carignan. ESI Technologies participated in the Industry Day on Tuesday April 26 during which 34 presentations on topics related to telecom, IT and contact centres were offered.
For a third consecutive year, we presented a conference, this time on threat evolution and data protection. Installing security devices such as firewalls or first-generation IPS was once considered sufficient to protect organizations against threats that might affect a company's operations. Today, the rapid evolution of malicious activity requires new solutions to better protect our assets. Our presentation provided an overview of these solutions: next-generation firewalls and IPS, protection systems against advanced threats, security for web browsing, email security and unified authentication services.
Participants were able to ask questions about these technologies: protection solutions that provide the control and visibility needed to react to a threat detected in the environment.
During the industry cocktail, 42 partner booths were available for participants to discuss technologies and service offerings. This cocktail format is highly appreciated by participants, giving them the opportunity to discuss and share views on the day's presentations.
If you missed the ESI presentation, please contact us so we can share its content with you.
Roger Courchesne – Networking and Security Practice Manager
In the summer, I enjoy doing volunteer work as a soccer coach for kids and teenagers. I do the same in the winter when hockey season begins. I find it challenging to bring different personalities to work as a group towards achieving common goals as a team. Being a coach doesn't come without training, however. And I remember one trainer commenting on being a coach; he said: "if a given player isn't doing what you asked him to, the first question you need to ask is: did I tell him? The second question is: did the player understand? The third: did I explain it well?" He ended by saying "if your answer is yes to all three questions, then repeat as often as necessary".
When I found myself with a client's network manager talking about how sophisticated phishing campaigns have become, I remembered this wise comment from that coach trainer. This network administrator in particular admitted that even his seasoned team of network managers came close to being caught in one of these sophisticated phishing campaigns. It was a well-designed one using their GoDaddy account. It's only when someone took the time to check the links that they noticed something fishy. The average user might very well have fallen victim to this. With regards to end users, ask yourself: "if a given user isn't doing what you asked him to with regards to suspicious emails, the first question you need to ask is: did I tell him? The second question is: did the user understand the potential consequences? Thirdly, did I explain it in terms the average user understands?" I end by saying "if your answer is yes to all three questions, then keep repeating, as users will forget over time and new users become part of your community".
Charles Tremblay, Account Manager
The manufacturer Nutanix sent a notice to its integration partners to inform Nutanix customers of a possible problem with data integrity. This advisory affects NOS version 4.0.3 and later and is applicable only to customers that meet all of the criteria below:
- On-disk deduplication is enabled
- Using Nutanix Protection Domains (all hypervisors) or the VAAI plugin (applies only to the VMware ESXi hypervisor)
- Using NOS 4.0.3 or higher
If you are a Nutanix user, it is important that you verify if your environment is affected by this advisory.
Until the fix is available, customers should avoid the configurations that are susceptible to this issue. Please contact your ESI representative if you wish to validate your environment with one of our experts.
An update to this field advisory will be sent on March 11th with details of the NOS release that will resolve this issue.
A couple of weeks ago I was enjoying a business breakfast with a client when things turned bad for him. It seems it was a bad omen to talk about the challenges he was facing with regards to I.T. security since, as we were talking, he received a text message from his staff informing him that they had been hit with "CryptoLocker". CryptoLocker encrypts a victim's documents and demands a ransom for the decryption key, usually paid in Bitcoins. In its Internet Security Threat Report 2014, Symantec "…noticed a significant upsurge in the number of ransomware attacks during 2013. During January Symantec stopped over 100,000 infection attempts. By December that number had risen more than six-fold."
Not only is it not a myth, it has become so widespread that, according to the same report, "attackers have concluded that US$100 to $400 is the optimum ransom amount, and they will move to adjust their demand to avoid pricing themselves out of the market", and so my client was asked for a $500 ransom. Luckily for him, he chose not to pay and opted for backups and cleanups, as our friends from SourceFire have let us know that once you pay, you are put on a list of people who are nice enough to pay the ransom, and therefore become subject to further attacks.
Even though ransomware does not make up a huge percentage of overall threats, it is not a myth, as my personal experience shows; and despite working for a company that has the expertise to help with cleanup operations, it is not in such circumstances that I enjoy being introduced to new clients.
Charles Tremblay, ESI Account manager