Endsight Blog

CryptoWall Case Study - IT Security and Process

Written by Samuel Hatton | February 27, 2015

Damages from a computer virus can be boiled down to how many people are affected, amount of downtime, and how long it takes to clean up the mess. This article consists of three cases of a nasty ransomware virus called CryptoWall.

CryptoWall is most commonly distributed by internet browser exploits and email. The virus encrypts random files over the course of a few hours and then pops-up a message that requests the infected user to pay a fee to recover the locked files. Endsight security specialist Steve Mason reported, "We've dealt with a dozen or more incidents. And it's not going to stop either. People are making too much money off of this."

Endsight Focus Mail customers don’t receive CryptoWall emails because our spam filter screens them. According to Steve, not one CryptoWall incident has come through Endsight Focus Mail so far.

The initial case of CryptoWall

On August 8th, 2014 we experienced our first case of CryptoWall. This particular client, whose identity will remain confidential, didn't have Endsight Focus Mail. A computer user received an email with the CryptoWall virus attached.  The user unknowingly opened the attachment. Over the course of the next 3 hours, the user’s computer files as well as files on the company's file server, totaling roughly 40,000, were encrypted and no longer accessible to anyone in the company. The computer user got a pop-up from the CryptoWall virus notifying them about the locked files and how to recover them after paying fees. Our client called us immediately after discovering the attack.

If instead, they had paid the ransom, there would be no guarantee of recovery. It's not wise to negotiate with terrorists.

Upon learning about the virus, we stopped the CryptoWall encryption process by remotely rebooting their computer. The 40,000 files were locked, never to be accessed again. Fortunately, there are ways to restore files from backup. For instances where the virus is discovered soon after the point of infection, Microsoft's tried and true Volume Shadow Copy Service (VSS) software does the trick. Or so we thought…

After the complete system restore our client was back on track. Weeks later our client uncovered some files that were still encrypted. This was a surprise, for VSS showed no errors in the recovery process. We then did our best to salvage the mess, but it was weeks later, and there was only so much that we could do.

There is no way to know for sure why these files were overlooked by the Microsoft VSS software, but we learned a valuable lesson that we have now added to our process: For any mass server backup, no matter how recent the virus attack, always restore from a robust backup solution.

So what were the damages?

For the company infected, 75 employees experienced 8 hours of downtime to 40,000 files on their company servers. We worked with them to restore their server to its original state. As mentioned above, some files were never recovered.

For us, we had spent over 20 hours working on the back end to clean up the mess. This "was a nightmare" as Steve Mason, our security specialist put it. Our work consisted of a series of backup restores starting with the initial restore, and then additional restores weeks later. We also took some time troubleshooting and pinpointing the virus.

With Endsight Focus Mail, they would have avoided this entirely. Even still, we did not charge the client for the 20 hours that we spent restoring their server. Instead, we took it upon ourselves to dig in deeper.

Enter the custom-built CryptoWall monitor

Steve went to work and created a custom CryptoWall monitor. Should CryptoWall ever again appear on the company's server or computers under our support, we will know about it right away.

After getting this in place, we extended the CrytpoWall monitor to the thousands of computers across the 125 companies whose networks we look after. This now remains one of many custom built monitors that is running on an ongoing basis through Endsight’s unique monitoring services.

Compare the initial case above with the next couple cases after we had the custom CrytpoWall monitor in place.

The next cases of CryptoWall

The next company also did not have the Endsight Focus Mail product. But what they did have was the protection of our new CryptoWall monitor. We had it running and monitoring each computer under our care. When they got the virus, they didn't even know about it. Instead, we were alerted first just 10 minutes after the CryptoWall file appeared.

What were the damages?

For the company infected, only one employee experienced about 30 minutes of downtime. Only 935 files were affected. We were able to quickly restore these files from Endsight Managed Backup. Thank goodness they had a robust backup solution in place; after all, we now know that VSS alone doesn’t fare too well when it comes to large restores.

For us, we spent only four hours of time cleaning up this attack. This was not billed to the client.

The third case of CryptoWall was very similar to the second case, with similar results. We found out 10 minutes after infection, just under 1000 files were affected, 30 minutes of downtime for one user, and minimal cleanup time on our part. This proved that our custom CryptoWall monitor is working and effective.

Conclusion

1. An anti-spam solution, like Endsight Focus Mail, is extremely helpful to any company who cares about minimizing computer issues, aside from securing their data.

2. A healthy backup solution, like Endsight Online Backup, is a must for any company who wants to guard their data and intellectual property from loss.

3. Computers under the management of Endsight continually reap the benefits of our security process. We dig deeper than most outsource computer network providers and create unique processes for preventing future disaster. We understand that preventing future problems may give us less help desk work, but we are not just in the business of break/fix, we are in the business of healthy networks.

Processes around security are important for any person or vendor that look after computer systems. To learn more criteria besides security when evaluating an IT vendor, check out our free guide on How to Select an IT Vendor. And if you want to have a discussion about your particular network simply schedule an onsite demo or phone conversation with us.