This week one of my clients was hit with it. Thankfully as the data is stored on the server where it is backed up daily the damage was minimal
The e-mail provider supposedly scans messages for viruses and the PC had an antivirus. Didn’t help any. It seems that if a virus comes in an email and the user chooses to open it in a lot of cases that overrides any security measures one may have. So the virus encrypted documents both in my documents folder and the shared drive the user had access to, then the countdown popped up. At that point the antivirus finally woke up and deleted the virus 🙂
As no user data was on the PC and there were no complex software configurations to consider I simply reformatted the PC, reloaded the programs and in a couple of hours the user was back up and running. Scanned the server for viruses, came up good.
2 important lessons to learn from this:
1. It is vital, critical, most important, whatever term you want to use that you have a good backup, that you have multiple backup copies and that someone always watches that backup to make sure it works. I have trained a couple of users at this site to check backup status and when one day it logged “completed with warnings” my phone rang off the hook. Good for them! So when this occurred I simply took the backup drive that was unplugged during the infection and restored everything from it within minutes.
2. Security. First use hidden shares and implicit deny type permissions. There actually are a lot of shares and data on that server. But all of them other than the global shared folder are hidden and access is configured on need-to-know basis. The virus was unable to find or connect to those.
Second what I did after that was to load CryptoPrevent on all the PCs. I wish I have thought of that whole idea myself, the idea to alter system policies like that is brilliant. I got to inadvertently test it myself as it blocked me from installing a program from manufacturer-supplied archive.