Recently one of our clients clicked a link in an email purportedly from Australia Post and managed to infect their computer with the “Cryptolocker” trojan. In that particular instance, it also encrypted many of the files on the server and resulted in them being offline for a number of hours whilst we restored the files from backup.
This type of infection is usually intercepted and blocked by effective, up to date anti-virus software, however we do not believe any anti-virus product is 100% effective, 100% of the time. Individual configuration options, new variants and newly discovered vulnerabilities can all combine to allow malware through. We have previously had a significant number of issues with web scanning modules blocking access to too many legitimate web sites resulting in many clients not running the web link scanner component of their anti-virus.
This type of “Malware” has become known as “Ransomware” as it encrypts all accessible files and then requests payment of a ransom for the encryption key to regain access to the files. We’ve read anecdotal evidence that these are “honest” criminals that will actually provide the decryption key if the ransom is paid, however we are very reluctant to recommend that payment be made unless there is no other course of action available.
BlueBlood's approach is to restore the infected computer from backup, restoring any corrupted files from backup in the process.
The Cryptolocker Trojan is another good example of why you should be very careful about opening email attachments or clicking on links in emails you are unsure of. It is even worth thinking twice about clicking these items from known senders.
The best way to check a link in an email is to hover over it and read the “real” link underneath the visible text (usually at the bottom-left of your web browser).
For example, the link below doesn’t actually redirect you to the Commonwealth Bank website:
If you hover over it, you can see the underlying link actually refers to our website (www.blueblood.com.au). It would be just as easy for me to redirect the link to a malicious website.
Examples of Malicious Emails
Case 1: Starbucks
I received an email supposedly from Starbucks – however the sender's email address looked odd, as does the link in the “Print Your Gift” section (see below):
I personally never click on a link in an email without first hovering over it to see if the underlying URL looks legitimate. Even then, to be really safe, I will often visit the site by typing the address of their main website directly into a browser.
Case 2: Australia Post
Here is another example of an offending email sent to a client:
Notice how the email is full of grammatical errors.
We took about half a day to restore the system from the previous night’s backup, during which the client was unable to use it.
Case 3: Dropbox
In another instance, one of our clients used dropbox to manage their documents. Because they had everything stored "safely" in the cloud, they did not have backups of their dropbox files. They were infected with a cryptolocker which encrypted all of their files, including the ones stored on dropbox. These encrypted files were then uploaded to dropbox the next time they synced, then replaced the files on other computers, effectively destroying what they thought were their backups.
Whilst it was possible to restore files from "previous versions" within Dropbox, the process for doing so for many folders was time consuming.