Sunday, August 23, 2015

CryptoWall

   Last week, a viral attack on a GSB user's computer precipitated a chain of events that kept a variety of people very busy for several days. To say that we were in "crisis mode" would not be an exaggeration. To understand why, it's helpful to first consider computer virus types.
   Computer viruses can be categorized into different types. One type, more prevalent in the early days of computing, might be termed "leaving a calling card." This type of virus, when successfully deployed to an unsuspecting user's computer, causes unusual computer behaviors. Turn on your computer and suddenly there is a message on your screen: "Hi! You've been hacked!" Often, the hacker's main goal is to show that he or she is crafty enough to circumvent installed security software.
   A second type of virus might be called "commercial messages whether you want them or not." These viruses have become quite common and we've had our share get through our anti-virus software and land on people's computers. A frequent characteristic is the random pop-ups users experience. Often, there is a commercial element involved. The hack is designed to make you aware of a product or service and buy it.
   A third type of virus might be called "put the cash in a bag." These viruses are propagated by criminals for the express intent of stealing money. Some of these viruses will look for valuable information (e.g., social security number, bank account information, web site passwords, credit card information) and transmit it to the hacker. That information is used to steal funds or use accounts for profit. A second category of this third type of virus is called "ransomware." If a ransomware virus infects your computer, your files will be encrypted and the hackers will demand a ransom to provide the decryption key. Without the key, the files are useless.
   A GSB user's desktop was infected with a ransomware virus called CryptoWall. What the user saw were the files, all with a strange .aaa file extension. A pop-up on the screen gave explicit instructions about how much money it would take to get a key to access the files, the amount of time allowed by the criminals and the method of payment. In this particular case, $500.00 was demanded, payable within a week in Bitcoin. There were specific instructions about how to convert US dollars into Bitcoin currency. If payment was not made in the specified time period, the cost of the key doubled to $1000.

[Image: the ransom demands as they appear on the user's screen.]
   A NY Times article earlier this year gave a first person account of a CryptoWall hack. It's a quick, interesting read. And the FBI's web site has information as well.
   We first learned about the hack late Thursday (8/21) morning.  Immediately, the computer was evaluated.  The desktop files and all other files on the hard drive were encrypted.  An attached external hard drive also was completely encrypted.  And alarmingly, the various server drives this user was mapped to were also encrypted.
   As a technology department, we've dealt with many computer viruses over the years.  I would guess 5-10 users a year have a viral infection on their desktop. To date, none have ever gone beyond the end point hard drive and all have been successfully resolved. I believe all have been the second type as described above.
   To see files encrypted on the server was cause for alarm. Clearly, we were dealing with a more potent strain of virus than we had previously seen. And of course we worried that perhaps the encryption could spread, further compromising our server content.
   We immediately isolated the infected computer from the network. Larry went to work evaluating the file damage and looking for latent threats. A decision was made to conduct a double-blind review of the health of the server. Ryan as well as an independent sub-contracted software engineer scanned our server drives for problems. Most important was an ability to confirm there were no "trojan horses" in the system, viruses that lay low and activate at a later date. Our independent review was conducted by Ivan of Aspire Technology Partners. By morning, both Ivan and Ryan were ready to issue the all clear sign about further threats.
   Early on, I reached out via the NJAIS sponsored listserv to my colleagues. Our NJAIS Technology listserv has proved an invaluable tool to share news and solicit advice. In this case, I wanted to do both. As I've come to expect, my colleagues were unfailingly helpful and sympathetic. It's a reminder that professional networks can prove very useful when addressing a variety of challenges.
   The next step involved restoring encrypted files. CryptoWall software is very sophisticated and files are not easily "freed" from their hostage state. That said, tools are available, often provided by a community of hackers who see themselves as the good guys in a fight against the criminal use of software. But for our server files, a far easier solution presented itself. The corrupted files could be deleted out of the server drives, and the affected drives could be reimaged to a pre-infected version. When a server is backed up daily, past versions (to a limit) remain available as file back-ups. Ryan saw that going back to Tuesday, 8/19 would yield an uncompromised version of each file.
   If any files had been changed or added to a server after 8/19, that data would be lost. Fortunately, given the time of year and the particular server drives affected, we're confident content lost is negligible. 
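To make the server-side recovery concrete, here is an added Python example (not the department's own tooling) that walks a mapped share, swaps each .aaa file for its copy from a daily backup snapshot, and reports the encrypted files the snapshot does not hold, which are exactly the post-backup additions the post says are lost. The share and snapshot directories are constructed sample data, and the `.aaa` suffix is the one seen on the infected desktop.

```python
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".aaa"  # extension the ransomware appended on the infected desktop


def find_encrypted(root):
    """Return every file under root that carries the ransomware's extension."""
    return sorted(p for p in Path(root).rglob("*" + ENCRYPTED_SUFFIX) if p.is_file())


def restore_from_snapshot(share, snapshot):
    """Replace each encrypted file on the share with its copy from the snapshot.

    Returns (restored, lost): relative names restored from the snapshot, and
    encrypted names with no snapshot copy (created after the backup ran).
    Caveat: a file that was edited after the snapshot but before encryption
    silently reverts to the older version; only timestamps kept elsewhere
    could reveal that kind of loss.
    """
    share, snapshot = Path(share), Path(snapshot)
    restored, lost = [], []
    for enc in find_encrypted(share):
        rel = enc.relative_to(share).with_suffix("")  # "memo.docx.aaa" -> "memo.docx"
        src = snapshot / rel
        if src.is_file():
            shutil.copy2(src, share / rel)  # copy2 keeps the snapshot's mtime
            enc.unlink()                    # drop the useless encrypted copy
            restored.append(str(rel))
        else:
            lost.append(str(rel))           # leave it in place for later tooling
    return restored, lost


def demo():
    """Constructed sample: a share with three encrypted files and a snapshot
    holding two of them; the third was created after the backup ran."""
    base = Path(tempfile.mkdtemp())
    share, snap = base / "share", base / "snapshot_0819"
    snap.mkdir()
    for name in ("budget.xlsx", "memo.docx"):
        (snap / name).write_bytes(b"good content")
    share.mkdir()
    for name in ("budget.xlsx", "memo.docx", "new_after_backup.txt"):
        (share / (name + ENCRYPTED_SUFFIX)).write_bytes(b"\x00\xffciphertext")
    restored, lost = restore_from_snapshot(share, snap)
    ok = ((share / "budget.xlsx").read_bytes() == b"good content"
          and len(find_encrypted(share)) == len(lost))
    shutil.rmtree(base)
    return restored, lost, ok
```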
   What about the user's desktop files and the files on the external hard drive? So far, a small percentage have been restored. Efforts will continue with no guarantee of success. We'll know more over the next few days.
   What's a computer user to do? Is it just inevitable that a virus infection will wreak havoc on your computing life at some point? In fact, some common sense tactics are remarkably successful. First, though, a user needs to understand how computer viruses are transmitted. There are really two main ways: email and web sites.
   If the virus is in an email, it is almost always in an attachment or a link. Click on an affected link or attachment and you've unleashed the virus. The key to safe computing is looking before you click. Almost always, the email looks a bit fishy, a bit off. Perhaps there's a strange group of unrelated people in the address window. Perhaps the link is completely unfamiliar. Perhaps the text of the email strains credibility (banks in Nigeria, anyone?). At any rate, use caution and judgement and DO NOT click on suspicious email links and attachments.
   If a web site carries a virus, it is generally embedded in an ad on the site. Reading an article the other day, the author mentioned that Yahoo and weather.com have a higher than average rate of infection on their ads. The trouble is that hackers creating viruses embedded in ads are very good at disguising their work. Everything looks perfectly normal until your click unleashes a virus. You may not know about the infection until a day or a week later, so it's often difficult to trace a virus to its source. It's difficult to advise computer users to never click on an ad, but be aware that you do so at at least some risk.
   In the case of the GSB ransomware attack, we have reason to think the user's external hard drive was already carrying the virus when it was plugged into the desktop. There is file evidence to suggest it though we're not certain. This means that it will be very difficult to ascertain the source of the virus.
   So exercising caution while on the web is critical. So is operating in a computer environment that defends against attacks. Clearly no defense is 100% effective - there's an ongoing cat and mouse game between hackers and anti-virus developers - but keeping up-to-date with software installs and updates helps. At GSB, we filter the Internet, adblock and install anti-virus software on computers to supplement operating system software. Obviously, those layers of protection were not enough. We'll be looking carefully at our current protocols with an eye towards more complete protection.
   Perhaps the single most important step a user can take to protect against catastrophic loss is to back up files. A user at GSB has several back up options. Once a file is created, it can be copied and saved to another location on the computer's hard drive. One copy might be on the desktop, one copy in the Documents folder. This form of back up is not effective and should not be used. A second form of back up is to create a file on the desktop and save it to an external hard drive or a connected thumb drive. This form of back up is better, but other options offer far more security. A third option is to save the second file copy to a server drive. This is a good option, though this post clearly suggests it is not without risk. Still, it's safe to say that server back up is a strong option given the track record of success. The last option is the best: utilize OneDrive or other cloud storage as a remotely hosted, independently located site. All GSB users have OneDrive storage access, and used in combination with a file saved on a desktop, server or external drive, a user can feel confident about the content security. Users who do not back up files of value are living dangerously close to the edge. Please, back up files you value.