Sunday, April 05, 2015

Cryptowall 3. From Infection to Recovery.

Disclaimer - for the protection of the companies and their staff involved, I will not name or reference them in any other way than "The Company" and "Staff".
 
A few companies I've consulted with were hit with Cryptowall version 3. The entry point was a staff member who opened something in an email they shouldn't have. Their computer was protected with a "tier 1" anti-virus (for the record, I use the term "tier 1" very loosely; the infected machines were running up-to-date, well-known corporate anti-virus).
After the staff member opened the email attachment, I'm told the anti-virus claimed it had blocked the infection; it had not. The virus ran until the staff member went home. The IT staff were not alerted, because there was no procedure for what to do if such an event occurred, and the IT staff were contractors or on call. The virus encrypted almost all files on all mapped Windows network file shares: 1/5 of all files were encrypted and 1/2 of all files were infected across the shared drives for all users.
 
It is well known and documented that once infected with ransomware, the only courses of action are to recover from an offline backup or pay the ransom. As the most recent files were the ones encrypted, and the newest backups were 1 to 2 weeks old, this was an acceptable loss to the organizations involved. Due to the size of the file shares, taking an offline backup every night was not an option for the company; the backup drives are rotated weekly. Archiving files is also not considered a high priority, given the price and size of hard drives, and sifting through projects and files to decide what can be archived is time consuming.

I was, however, able to get back approximately 2/3 of the differential data (files changed since the last backup) from the drives using recovery software, specifying the date range from the last backup to the day before the virus infected the system. My preferred recovery software for Windows is Active Undelete.

The software is very intuitive and reasonably priced, and it has helped me recover files for clients after accidental deletion, a dead hard drive or an accidental format. I ran a full drive scan; it took about 6 hours over USB 3 on a laptop to recover the differential data. Of that differential data, 80% appeared to be uncorrupted, usable and accurate as of its modified date.
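As an added example (not code from the original post or from Active Undelete), a small Python triage script for a directory of recovered files: it keeps only files whose modification time falls in the window between the last backup and the day before the infection, the same date range used above, and then flags files whose content is near-random by byte entropy as likely encrypted rather than usable. The directory, dates and sample files are constructed for the demo, not taken from the incident.

```python
import math
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Intact compressed containers (zip-based Office files, PDF, JPEG, PNG) also score
# near 8 bits/byte, so known headers are reported separately, not as encrypted.
COMPRESSED_MAGIC = (b"PK\x03\x04", b"%PDF", b"\xff\xd8\xff", b"\x89PNG")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext, typically 4-5 for plain office text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def classify(head: bytes, threshold: float = 7.5) -> str:
    if head.startswith(COMPRESSED_MAGIC):
        return "usable_compressed"  # entropy is uninformative; open the file to confirm
    return "likely_encrypted" if shannon_entropy(head) >= threshold else "usable"

def triage_recovered(root, last_backup, day_before_infection, sample=4096):
    """Bucket recovered files by the backup-to-infection window, then by content."""
    start = last_backup.timestamp()
    end = (day_before_infection + timedelta(days=1)).timestamp()  # whole last day included
    buckets = {"usable": [], "usable_compressed": [], "likely_encrypted": [], "out_of_window": []}
    for path in (p for p in sorted(Path(root).rglob("*")) if p.is_file()):
        if not start <= path.stat().st_mtime < end:
            buckets["out_of_window"].append(path.name)  # e.g. rewritten on the infection day
            continue
        with path.open("rb") as f:
            buckets[classify(f.read(sample))].append(path.name)
    return buckets

def demo():
    """Constructed sample tree; the dates are placeholders, not from the incident."""
    last_backup = datetime(2015, 3, 20, tzinfo=timezone.utc)
    day_before = datetime(2015, 3, 30, tzinfo=timezone.utc)
    root = Path(tempfile.mkdtemp())
    samples = [  # (name, content, mtime)
        ("report.txt", b"Quarterly figures for The Company, draft 3.\n" * 80, datetime(2015, 3, 25, tzinfo=timezone.utc)),
        ("plans.dwg", bytes(range(256)) * 16, datetime(2015, 3, 28, tzinfo=timezone.utc)),  # exactly 8.0 bits/byte
        ("notes.txt", b"Rewritten after the outbreak began.\n" * 40, datetime(2015, 3, 31, tzinfo=timezone.utc)),
    ]
    for name, content, when in samples:
        p = root / name
        p.write_bytes(content)
        os.utime(p, (when.timestamp(), when.timestamp()))
    return triage_recovered(root, last_backup, day_before)
```

Entropy is only a triage hint: a file in the "usable" bucket still has to be opened to confirm it is intact, and the modification window is what actually separates pre-infection data from files rewritten by the ransomware.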

I will be doing a follow-up post on a backup solution that is ransomware resistant to within 24 hours of the time of infection. It really is a post you don't want to miss.

Cisco did a very good blog post on the technical aspects of Cryptowall 3.

http://blogs.cisco.com/security/talos/cryptowall-3-0

Here is a link on the very first type of this crypto-ransomware, CryptoLocker.
http://en.wikipedia.org/wiki/CryptoLocker

The TWiT network did a great breakdown of CryptoLocker on Security Now!
http://twit.tv/show/security-now/427

