Law Firm Loses All Files to CryptoLocker Ransomware


Recommended Posts

law firm has bravely admitted losing its entire cache of legal documents to the Cryptolocker Trojan despite attempting to pay the $300 (APS180) ransom in a bid to have them unscrambled.

According to TV reports, Goodson's law firm in the North Carolina state capital Charlotte became the latest victim of a malware menace that was custom-written to lever ransom money from precisely this type of relatively cash-rich but time-poor firm.

 

The email infected a company server holding thousands of important documents after an email with a malicious attachment was mistaken for a message sent from the firm's phone answering service.

That error left every single document used by firm on its main server in an encrypted state, including Word, WordPerfect and PDF files, said Goodson's owner, Paul M. Goodson.

 

 

"The virus also warned if you tried to tamper or decrypt anything, it was going to be permanently locked and you could never open it," Goodson said.

After IT staff were unable to make any headway against the malware's encryption, Goodson tried to pay the ransom but discovered that the grace period - another nasty aspect of Cryptolocker - had expired.

The only blessing was that the malware had scrambled files and not stolen them, Goodson added.

 

According to the Wsoctv TV channel, local police were aware of at least 30 cases where paying the ransom had resulted in an unlock key being delivered. Balancing this, we should point out that not everyone has reported having this success.

 

http://www.networkworld.com/news/2014/020814-cryptolocker-scambles-us-law-firm39s-278594.html?source=nww_rss

 

Cold backups FTW!

Link to comment
Share on other sites

backups, backups, backups!

 

I had one client that had this; only backups saved that client legal (and financially) ass and the ransom was much higher than 300$; they were asking for 4k, so i guessed it was a direct attack.

  • Like 2
Link to comment
Share on other sites

backups, backups, backups!

 

The problem is how you have your backups setup. If you have a backup drive connected to the infected computer it would encrypt the files on the backup drive as well.

Link to comment
Share on other sites

backups, backups, backups!

 

 

We've become so dependent on technology and people still fail to realize how volatile it really is. No matter how many times you tell them that, they never think its important, until their hard drive goes dead taking all their wedding and baby pictures with it and the only way to recover them is paying hundreds or possibly thousands of dollars to a data recovery service.

Link to comment
Share on other sites

The problem is how you have your backups setup. If you have a backup drive connected to the infected computer it would infect the backup drive as well.

 

lol

that's why there's backup and disaster recovery plans, not sloppy things like that. And i know, i've seen too much of "cheap" backup solutions gone out of the window when there's a real need for a restore: a backup is only good as the restore; because of that i do monthly restores in my clients to ensure that the backup worked as expected, the data is integrate and valid and to validate it before any major change in the servers, like updates, new software installed and so on.

Link to comment
Share on other sites

any IT staff worth its salt would have a backup strategy in place.  Not have the backup drive on the same server/computer.  You would think that with it being a law firm that they would have a backup solution offsite. I would.

Link to comment
Share on other sites

any IT staff worth its salt would have a backup strategy in place.  Not have the backup drive on the same server/computer.  You would think that with it being a law firm that they would have a backup solution offsite. I would.

 

It depends on the law from the country or state; because an law firm deals with very sensitive data sometimes it's not possible to offsite that data to, let's say, the cloud (even a private one). I know this because in my country only recently this was changed; still it's not an excuse to have a proper DR plan.

 

And yes: data is volatile :/

Link to comment
Share on other sites

Even if they had something like carbonite in the place they would still probably be in good shape assuming they would have frozen the backup upon infection. but even carbonite has versioning.

Link to comment
Share on other sites

This is why I'm a firm believer in that any critical workstation with sensitive data must not have Internet/network access and be standalone.  

 

You don't know how many customers I have that use their mission critial workstations / servers to browse the internet. I have this one customer who runs a tanning salon. The computer at the front of the store which RUNS THE TANNING BEDS and has ALL of her customers data on it she uses to browse the internet as does her teen employees. That computer is ALWAYS full of Crapware toolbars and other stuff. I asked her one time what happens when this computer goes down? She said "I'm screwed"

 

The only reason my quickbooks machine has internet access is because I email invoices from it. But there are no mapped drives to that machine. It's also a laptop, that just runs with the lid closed behind the monitors of my main workstation. It's accessed from the machines in the house via Remote Desktop. The No browsing is done on that computer nor are any applications installed other than windows updates. It's just "Quickbooks"

Link to comment
Share on other sites

This is why I'm a firm believer in that any critical workstation with sensitive data must not have Internet/network access and be standalone.  

 

NSA would laugh at your plan. :laugh:

 

now really: it doesn't matter really when the weak point is:

- lack of preparation for a disaster (it's not a matter of how but when).

- poorly trained users (opening every attachment from strangers emails, using pendrives everywhere, etc.)

- convenience vs security: it's more convenient to have all the data available but one must not forget that comes with a increased security risk that should be proper taken care of.

Link to comment
Share on other sites

You don't know how many customers I have that use their mission critial workstations / servers to browse the internet. I have this one customer who runs a tanning salon. The computer at the front of the store which RUNS THE TANNING BEDS and has ALL of her customers data on it she uses to browse the internet as does her teen employees. That computer is ALWAYS full of Crapware toolbars and other stuff. I asked her one time what happens when this computer goes down? She said "I'm screwed"

 

just make sure you have, in a written way (like email), warned her for that bad practice and the potential consequences so when problems arise (leaking costumer data, financial records, dead computer) she won't throw you under the bus for not having her warned about it.

Link to comment
Share on other sites

Another reason I recommend Linux instead of Windows for file servers.

Really wouldn't have mattered since the desktop machines still have to access those files anyway.  Personally I would have recommended a better backup solution and maybe locking those workstations down a tad instead of letting users run whatever the hell gets attached through email.

Link to comment
Share on other sites

Just an FYI to the article writer, the capital of NC is Raleigh, not Charlotte. Thank you  :)

 

The amazing thing working in the tech field, is that companies in general rake in good amounts of money, but they all the things to be cheap on, it is the IT budget, be it using 8 year old PC's or neglecting to back up files... As guess the good thing is they keep us in business.

Link to comment
Share on other sites

backups, backups, backups!

 

I had one client that had this; only backups saved that client legal (and financially) ass and the ransom was much higher than 300$; they were asking for 4k, so i guessed it was a direct attack.

 

Quite a few lawyers are cheap.  I still see lawyers running XP and Office 2003.

Link to comment
Share on other sites

The problem is how you have your backups setup. If you have a backup drive connected to the infected computer it would encrypt the files on the backup drive as well.

 

Then you don't have a backup.

 

Having a backup in the same building as the server outside of a fireproof safe is good for a family not for a company.

 

You should have at least a daily backup stored in a fireproof safe inside the same building. Ideally you should have also another weekly or montly backup stored in a different building (bank personal safe or something). If your backup is in the same building then a big fire and your backup AND your data are gone.

Link to comment
Share on other sites

Good backup plan would of made this a non issue.  They are idiots.

 

With that said, we had this same software installed on a field service reps system at work.  Luckily, he just lost a few files on the desktop and his documents had not yet synced to the network.  Which really no big deal if it did.  My work has a good backup plan.  Slaved the HD, grabbed what files I could, reimaged system.

Link to comment
Share on other sites

How quickly does this thing work? Surely it would take hours to encrypt thousands of files. Some kind of file monitoring app would be useful in alerting you to any suspicious activity.

 

 

I work for a medium-sized law firm. I'd better convince the powers that be at my office to invest in yet another backup harddisk that I can disconnect after a weekly backup and put in the safe.

Link to comment
Share on other sites

This topic is now closed to further replies.