Cryptolocker Fix: What do I do if my computer is hit by Ransomware?

Last Friday afternoon, at about 4 o'clock (why is it always Friday afternoons? Do computers somehow know we're about to head off for the weekend?), we received a hasty phone call from a hotelier in Belfast whose network was suffering under the weight of the third Cryptolocker attack in less than a week.

Having already fought off two attacks in the previous few days, it was clearly time to get an engineer out there. After advising the IT duo to physically unplug everything in the infected site - and cutting off the connections to the hotel's other premises - Service Delivery Manager Danny hopped on the next flight to go and bring the hotel's network back under its control.

So...what is Cryptolocker?

Just to set the scene in case you haven't heard of Cryptolocker, it's a seriously sneaky piece of malware that crawls your network, encrypts your files and can render your entire business defunct within a matter of hours. The perpetrator typically asks for a 'ransom' to be paid in order for your files to be restored - although whether they actually restore them or not is up to chance, and with RSA 2048-bit encryption often used, there's no hope of correctly guessing the key to unencrypt the files yourself. You can imagine the degree of panic if such a virus were to get onto your network, and that's why it was so important to get Danny there to do damage limitation as quickly as possible.

What can you do about it?

Step One: Containment

Once Cryptolocker is on your network, the first thing to do (immediately after not panicking!) is to contain the virus. Danny's suggestion to unplug every cable served the purpose of stopping the virus from being able to spread any further and by taking it all offline, it halted any chances of any other viruses getting in.


Step Two: Scan

Because most antiviruses won't identify an infected file as a threat, Cryptolocker is exceptional at hiding in plain sight. Once on your network it can deploy from any infected file and will always crawl as far as it can for maximum damage. Therefore, once Danny had contained the virus in a particular part of the network, his next task was to conduct a series of security scans to find traces of Cryptolocker. Although time-consuming, it's a sure-fire way to pick up every trace: essential to a clean, healthy network as it only takes one infected file to kick the whole thing off again!


Step Three: Remove

Danny kept the network offline throughout Saturday whilst he meticulously removed all traces of Cryptolocker. He was able to keep the hotel's booking and customer service systems online so from a hospitality point of view, there was little to no impact. By Saturday evening Danny had tracked down and removed all of the infected files. You can probably guess what he had to do next...and no, it doesn't involve getting much sleep!


Step Four: Reinstate

Step Four is just as critical as the initial containment: if you get this bit wrong, Cryptolocker can be back across your network in a matter of hours. After bringing the network back online - whilst keeping it isolated from the hotel's other sites - and restoring safe copies of all damaged files from the hotel's Backup as a Service provided by AAG Systems, Danny spent his Saturday night watching every aspect of the network to make absolutely sure it was clean. By Sunday afternoon (with a decent amount of coffee on board) Danny was able to reactivate the VPNs between the hotel's sites so they could operate almost at full scale once more, and give the in-house IT team sufficient knowledge to know what they needed to do over the following days to continue their network's safety.


Step Five: Monitor

Danny headed back to AAG HQ on Sunday evening after a full-on but successful weekend of Crypto-busting. He continued to remotely monitor their network to keep an eye on the situation and make sure there were no vulnerabilities that would allow Cryptolocker to return. This entire scenario played out with minimum disruption and loss to the business thanks to the quick actions of the hotel's antivirus provider ESET, the in-house IT team and Danny from AAG. Without the support of a tried-and-tested Backup and Disaster Recovery service and access to a skilled engineer, it could have been a very different story for this customer.

You can read more about our AAG Backup & Disaster Recovery Service here, or check out our poster for tips on how to avoid getting the Cryptolocker virus on your PC.