Workplace hit by cryptolocker virus

So, last Wednesday evening someone (we think from the accounts dept) opened an email with a PDF in it and unwittingly launched the cryptolocker .coverton virus.
It spread across all our servers, physical and virtual, and even hit our online backups that were password-protected. Our support team are still puzzling over that one. It also infected our OneDrive accounts and business Dropbox account, which had client shared folders in it. Accompanying the virus was the usual text file detailing how to have the decryption keys sent to us; basically holding us to ransom for a bitcoin. We wouldn't pay on principle (funding cyber terrorism), and reports on the net claim that 60% of the decryption doesn't work.
Luckily we have datacentre backups, but imagine how long it takes to copy back 15TB of data onto USB3 drives :rolleyes:
One week later, and a 93-hour working week for me, including a 30-hour shift on the day we found the virus, and we're about back to normal.
Our support team said that since 23rd March, which was when the virus was first reported to have infected people globally, they'd had about 8 other clients hit in the same way, and nearly all came from the accounts dept. Not a great stretch of the imagination really: if the email is designed to look legit, then spoofing a familiar email address with an attached invoice will likely increase the chance of someone clicking on it.

So, we've increased our web content filtering security, changed antivirus. But, no matter what you do the common denominator will always be the human who presses a button without thinking twice! :(

So....that was my week from hell.
How has yours been?
 
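The post above describes the tell-tale pattern of an encryption run on a file share: one workstation renaming file after file to a new extension (.coverton) across every folder it can reach, and dropping the same ransom-note text file into each one. The following is an added example, not code from the original post or from any product it mentions, showing how a file-server audit feed can be watched for exactly those signals so the share can be cut off before everything is gone. The events, user names, host names, UNC paths, the note-name heuristic and the canary folder are all constructed for the example; only the .coverton extension comes from the thread.

```python
"""Spot a ransomware run on a file share from file-access audit events.

Three cheap signals: (1) one (user, host) renaming many files across many folders to
the same extension within a short window, (2) the same note-like text file being
created in folder after folder, (3) any touch of canary paths nobody legitimately uses.
"""
import re
from collections import Counter, defaultdict

WINDOW_SECONDS = 60      # sliding window per (user, host)
RENAME_THRESHOLD = 25    # renames to one extension inside the window ...
DIR_THRESHOLD = 3        # ... spread over at least this many folders
NOTE_DIR_THRESHOLD = 3   # note-like file created in at least this many folders
# Constructed heuristic for ransom-note filenames; tune to what you actually see.
NOTE_NAME = re.compile(r"(decrypt|restore|recover).*\.(txt|html?)$", re.I)


def unc(*parts):
    """Build a UNC path under a hypothetical share \\\\fs01\\shared (assumed, not from the post)."""
    return "\\\\fs01\\shared\\" + "\\".join(parts)


CANARY_PREFIX = unc("00_canary")  # hypothetical canary folder seeded with bait files


def _basename(path): return path.rsplit("\\", 1)[-1]
def _dirname(path): return path.rsplit("\\", 1)[0]
def _ext(path):
    base = _basename(path)
    return "." + base.rsplit(".", 1)[1].lower() if "." in base else ""


def detect(events):
    """events: iterable of (ts_seconds, user, host, op, path), op in create/write/rename/delete.
    Returns a list of alert dicts; each rule fires once per (user, host, key)."""
    alerts, fired = [], set()
    recent = defaultdict(list)   # (user, host) -> events still inside the window
    notes = defaultdict(set)     # (user, host, note name) -> folders it was dropped in
    for ts, user, host, op, path in sorted(events, key=lambda e: e[0]):
        key = (user, host)
        if path.lower().startswith(CANARY_PREFIX.lower()):
            ck = ("canary", user, host, path)
            if ck not in fired:
                fired.add(ck)
                alerts.append({"rule": "canary", "user": user, "host": host, "at": ts, "evidence": path})
        if op == "create" and NOTE_NAME.search(_basename(path)):
            nk = (user, host, _basename(path).lower())
            notes[nk].add(_dirname(path))
            if len(notes[nk]) >= NOTE_DIR_THRESHOLD and ("note", *nk) not in fired:
                fired.add(("note", *nk))
                alerts.append({"rule": "ransom-note", "user": user, "host": host, "at": ts,
                               "evidence": f"{_basename(path)} created in {len(notes[nk])} folders"})
        recent[key] = [e for e in recent[key] if ts - e[0] <= WINDOW_SECONDS] + [(ts, op, path)]
        counts, dirs = Counter(), defaultdict(set)
        for _, o, p in recent[key]:
            if o == "rename":
                counts[_ext(p)] += 1
                dirs[_ext(p)].add(_dirname(p))
        for ext, n in counts.items():
            rk = ("mass-rename", user, host, ext)
            if n >= RENAME_THRESHOLD and len(dirs[ext]) >= DIR_THRESHOLD and rk not in fired:
                fired.add(rk)
                alerts.append({"rule": "mass-rename", "user": user, "host": host, "at": ts,
                               "evidence": f"{n} renames to {ext} across {len(dirs[ext])} folders in {WINDOW_SECONDS}s"})
    return alerts


def sample_events():
    """Constructed audit log: a little normal editing, then an encryption run from an
    accounts PC. Users, hosts, folders and the note name are made up."""
    ev = []
    for i in range(3):   # benign: one user saving and renaming a few of their own files
        ev.append((10 + i * 5, "jsmith", "WS-12", "write", unc("Sales", f"report_{i}.docx")))
        ev.append((12 + i * 5, "jsmith", "WS-12", "rename", unc("Sales", f"report_{i}_final.docx")))
    clients = ["Acme", "Birch", "Corbett", "Delta", "Eton"]
    for i in range(40):  # 40 renames in 20 seconds spread over five client folders
        ev.append((100 + i * 0.5, "ameyer", "ACC-PC07", "rename",
                   unc("Clients", clients[i % 5], f"invoice_{i}.pdf.coverton")))
    for j, c in enumerate(clients[:4]):  # the note lands in folder after folder
        ev.append((121 + j, "ameyer", "ACC-PC07", "create", unc("Clients", c, "HOW_TO_RESTORE_FILES.txt")))
    ev.append((125, "ameyer", "ACC-PC07", "write", unc("00_canary", "budget.xlsx.coverton")))
    return ev
```

Running `detect(sample_events())` yields three alerts, all for the accounts PC and none for the user doing ordinary edits. In practice the mass-rename alert is the one to act on automatically (disable the share session or the account), because it fires while the run is still in progress; the note and canary rules are confirmation and work even when the attacker picks a rename rate under your threshold.
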
Good work on liaising with God and extending the working day as well :)

Seriously that sucks. We're hit with Cryptolocker relatively frequently at work. Luckily we have good backups.
 
At my workplace, introducing a virus onto a PC and/or onto the network would be a disciplinary. Ignorance wouldn't be a defence because we have to read up on the various company policies, of which one of them is internet usage during work hours.
 
At my workplace, introducing a virus onto a PC and/or onto the network would be a disciplinary. Ignorance wouldn't be a defence because we have to read up on the various company policies, of which one of them is internet usage during work hours.

Same here. Our client is a German bank and their tolerance for ignorance and stupidity is incredibly low; it would've resulted in someone never touching a PC again, to be honest, although their security is tighter than a duck's arsehole.
 
What a terrifying situation for any company! I hope the staff will be re-trained in the risks of opening attachments!

Glad you've recovered though! Did you look into how much they wanted to decrypt your files?
 
Our company got hit too because someone opened an email with an attachment and ran it, when they were expecting an invoice to come through. Some people just open anything without checking...

Cost the company a weekend restoring from backup. The IT guys were not happy!
 
At my workplace, introducing a virus onto a PC and/or onto the network would be a disciplinary. Ignorance wouldn't be a defence because we have to read up on the various company policies, of which one of them is internet usage during work hours.

When you've got someone in an accounts department whose job it is to constantly open emails with attached invoices from addresses they may or may not recognise, I think a disciplinary would be harsh.

It's stupid behaviour but not everyone is completely computer literate, they won't necessarily understand what's different about receiving invoice.pdf vs invoice.zip, they probably trust in the IT department to stop anything bad getting to them in the first place too, however mistaken that may be.
 
Our company got hit by 2 different encryption viruses last month. Luckily it only got all the files on the machine it was run from and a few folders on a shared drive - we managed to catch it before it got everything!
 
One bitcoin is around £300 at the moment. Nothing too painful, but you never know if you'll actually get anything back from it.

What email client are you using? I would have thought there would be a way to prevent executables.
 
At my workplace, introducing a virus onto a PC and/or onto the network would be a disciplinary. Ignorance wouldn't be a defence because we have to read up on the various company policies, of which one of them is internet usage during work hours.

Accounts departments are often sent emails with invoices attached as .pdf files.
How does one stop this?
If one scans the attachment or email, will this be picked up before opening?

Asking as we legitimately want some sort of defence; half these cryptolockers are reported as zero-day variations.
 
Accounts departments are often sent emails with invoices attached as .pdf files.
How does one stop this?
If one scans the attachment or email, will this be picked up before opening?

Asking as we legitimately want some sort of defence; half these cryptolockers are reported as zero-day variations.

I typically get our staff (we have 6000 of them) to forward the suspect attachments to me, I then stall them for a day and run them through virustotal.com and a few others the following day.

So far, after months of doing this, nothing malicious has got past me.

If you want a proper solution though it comes down to basics of file/folder permission, user training and products like Avecto Defendpoint.
 
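Several posts above ask the same practical question: an accounts department has to open attached invoices all day, so what can be checked before a user double-clicks one, and what is actually different about invoice.pdf versus invoice.zip? The script below is an added example, not code from any poster or from the products named in the thread, of the triage a mail gateway or a helpdesk script can do offline before forwarding anything on. It parses a raw message, walks the attachments and holds anything that shows the usual lure tricks: an executable or script extension, a document extension hiding an executable one (invoice.pdf.exe), a Windows PE header inside something called .pdf, a script inside a zip, or a PDF carrying JavaScript or a Launch action. The sample message, its addresses and its attachment contents are constructed for the example; a password-protected zip, which this check cannot see into, is reported rather than silently passed.

```python
"""Triage e-mail attachments before a user opens them."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".ps1", ".jar", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MACRO_EXTS = {".doc", ".xls", ".docm", ".xlsm", ".pptm"}
ARCHIVE_EXTS = {".zip"}
MAGIC = [(b"MZ", "pe-executable"), (b"%PDF", "pdf"),
         (b"PK\x03\x04", "zip"), (b"\xd0\xcf\x11\xe0", "ole-office")]
MAX_ARCHIVE_DEPTH = 2


def sniff(data: bytes) -> str:
    """Identify content by its leading bytes, ignoring the name it was given."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extensions(name: str) -> list:
    """Every extension in a filename, outermost last: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    return ["." + p for p in name.lower().split(".")[1:]]


def inspect_archive(data: bytes, depth: int) -> list:
    """Assess each zip member; report members that cannot be read instead of ignoring them."""
    if depth >= MAX_ARCHIVE_DEPTH:
        return [f"archive nested {MAX_ARCHIVE_DEPTH} or more levels deep; not inspected"]
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                try:
                    member = zf.read(info)
                except RuntimeError:  # zipfile raises this for password-protected members
                    findings.append(f"archive member {info.filename}: password-protected, cannot be inspected")
                    continue
                for reason in assess(info.filename, member, depth + 1):
                    findings.append(f"archive member {info.filename}: {reason}")
    except zipfile.BadZipFile:
        findings.append("claims to be a zip archive but does not parse as one")
    return findings


def assess(name: str, data: bytes, depth: int = 0) -> list:
    """Return the reasons an attachment should be held; an empty list means nothing was found."""
    reasons = []
    exts = extensions(name)
    last = exts[-1] if exts else ""
    kind = sniff(data)
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
        reasons.append("document extension hiding an executable one: " + "".join(exts[-2:]))
    if kind == "pe-executable":
        reasons.append("content starts with an MZ header (Windows executable)")
    if last == ".pdf" and kind != "pdf":
        reasons.append("named .pdf but the content is not a PDF")
    if kind == "pdf" and any(tag in data for tag in (b"/JavaScript", b"/JS", b"/Launch")):
        reasons.append("PDF carries JavaScript or a Launch action")
    if last in MACRO_EXTS or kind == "ole-office":
        reasons.append("Office format that can carry macros")
    if kind == "zip" or last in ARCHIVE_EXTS:
        reasons.extend(inspect_archive(data, depth))
    return reasons


def triage(raw_message: bytes) -> list:
    """Parse a raw RFC 822 message and assess every attachment; one report entry per attachment."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_content()
        if isinstance(data, str):  # text/* parts decode to str; the checks work on bytes
            data = data.encode("utf-8", "replace")
        reasons = assess(name, data)
        report.append({"name": name, "declared": part.get_content_type(), "sniffed": sniff(data),
                       "verdict": "hold" if reasons else "no finding", "reasons": reasons})
    return report


def sample_message() -> bytes:
    """Constructed invoice lure (not a real sample): a clean PDF, a disguised executable
    declared as application/pdf, and a zip holding a JScript file. Addresses are made up."""
    zipped = io.BytesIO()
    with zipfile.ZipFile(zipped, "w") as zf:
        zf.writestr("invoice.js", b"var sh = new ActiveXObject('WScript.Shell');")
    msg = EmailMessage()
    msg["From"] = "accounts@supplier.example"
    msg["To"] = "accounts@victim.example"
    msg["Subject"] = "Invoice 4421 attached"
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
                       maintype="application", subtype="pdf", filename="invoice_0042.pdf")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="pdf", filename="Invoice_4421.pdf.exe")
    msg.add_attachment(zipped.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

`triage(sample_message())` passes the real PDF and holds the other two: the disguised executable is caught three times over (extension, double extension, MZ header), and the zip is held because of the .js inside it. The point of sniffing the bytes as well as the name is that the declared Content-Type (`application/pdf` for the .exe here) is whatever the sender chose to put there. This check is a filter, not a scanner: a genuine PDF exploiting a reader bug, or a macro document, still needs the AV and sandbox step the thread describes, and a password-protected zip with the password in the mail body is a classic way past gateway inspection, which is why it is reported rather than passed.
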
Our company has the policy any folder you can write to, you can't execute from. Any folder you can't write to, you can execute from. This basically means users can't run anything they've downloaded or brought in on a USB stick. It stops viruses dead from "normal" users.

The problem is those of us who are domain admins, who can run anything from anywhere, and wipe out any of the servers :p. Good job we have tape backups.
 
Yeah, one bitcoin, approx $420, not a great amount, but payment wasn't an option as far as I was concerned.
I always send company-wide emails out warning people to be vigilant when receiving emails with attachments. But they ARE designed to look totally legit to entice the reader to open them. Can't blame people all the time for that.
I guess it takes no more effort for the scumbags to send a million emails than it does one. So if even 1% of that million actually click and unleash the virus, then 1% of those actually pay the ransom, then they've done OK out of it.
 
So, we've increased our web content filtering security, changed antivirus. But, no matter what you do the common denominator will always be the human who presses a button without thinking twice! :(

And that's where our IT Security guy has been working. He's been sending out emails to all 1200 staff which are fake phishing emails and seeing who's clicking them. 38% of staff clicked the fake link on the first try. A different, and a bit more obvious email was sent yesterday, where only 8% of people clicked it. He's going to continue testing us making it less obvious as we go through. He's essentially pen testing the staff.

I think it's a great idea and it's working as people are much more suspicious now. It also avoids the whole "let's look for a technical solution to a people issue".
 