At 4pm on a Friday afternoon, St Simon Peter Primary School identified files on their Office Server that were encrypted. From what was seen in the text files, it seemed that some of the server files were infected by a Cryptolocker and to unencrypt them, the user had to pay a ransom. Shortly afterwards files on a second server was also identified as being encrypted.
What was on the servers? Only the most important school data!! The admin system:MAZE, confidential documents and admin documents had all been affected. Both servers were critical to the day to day running of the school so it was imperative that the situation was remedied quickly.The school called us immediately.
As soon as we understood the issue, we advised them to shut down all servers and immediately unplug the network attached storage device used for their backups. Soon after one of our technicians attended the school to retrieve the backups for testing.
Over the weekend we worked to test the files and identified that they were in fact encrypted by one of two newer Trojans: TeslaCrypt. Processes were put in place to remotely test each workstation for the presence of the Trojan and to log all suspicious activity. We were able to track down and identify the source workstation and user account enabling us to fully remove the Trojan.
On Monday morning we visited the school to test that the Trojan was contained. Soon after all staff in the administration area were able to use their workstations with access to email and internet. By lunch time all staff were able to log onto their computers. Data was restored from backup to the two affected servers resulting in full functionality being restored by the end of the day.
We performed a full health check and settings remain in place to prevent similar Trojans from executing.
Things you need to know about some of these new Trojans:
- McAfee and other traditional virus scanners do not appear to detect it
- It encrypts all files such as documents, photos, spreadsheets, databases, etc with military grade encryption which is virtually impossible to break
- It demands a ransom to retrieve the encryption key and get back your files
- The price of the ransom increases as time goes on
- Paying the ransom to receive a decryption key does not always result in files being decrypted
- It encrypts all files on local drives but also any mapped network drive (servers etc) and any USB device attached
- It deletes volume shadow copies preventing easy rollback to previous versions of files
- It will encrypt any backup files it finds so any backups living on an usb drive etc
- A full health check of your network is highly recommended to help prevention