23rd October 2013
We were contacted by a customer today who had found staff unable to access files from the server in the office that they had. What they reported was a situation where you couldn't open any Excel file - with the file stating it was corrupt when opened in Excel, yet other files were working fine.
This naturally made us curious since there's no obvious reason only one type of file might be affected, especially when you're looking over an entire server system with tens of thousands of files. The answer though soon became clear...
One of the computers used by a member of staff had become infected with a particularly nasty type of malware - one that slowly encrypts many types of documents and files used commonly in a business. When we talk about encryption we mean essentially scrambling a file's contents in such a way that it can't be read by anyone without the encryption keys - something in this case you as the victim of the malware won't have.
Once the software has finished infecting your files, it then turns into a real menace - setting a timer firstly and then presenting you with a screen like this one below:
At this point you really will have just a few hours to pay up the ransom - or find your files are forever encrypted. We strongly recommend you do not pay the ransom - there is both no guarantee that you can then recover your files (some people report they did pay and could, but others report it doesn't work) - certainly if it does work, it can take a long time - apparently 5GB of recovery an hour is not unheard of so if you have a lot of content you could be waiting a long time!
In this case, the customer had previously received an e-mail - looking a little similar to this:
To get infected, they'd opened the attachment, and then opened the file within it - because in this case the initial attachment was a compressed ZIP file - but inside was an exe file - commonly known as an executable (or a program you can run). With that, the damage is done - it doesn't immediately pop up anything or show you there's a problem, but in the background it installs a bit of software, starts encrypting your files and once done lets you know you've been infected.
30 seconds of clicking has resulted in considerable disruption to the business, many hours of work to fix issues and a considerable cost to the company.
Absolutely not - even once your files are recovered, it leaves additional malware on your computer - designed to log keystrokes etc (essentially to gather your passwords and so on) - these can then be used against you in further attacks on your computer - or worse with your online banking. Don't under-estimate the criminal element in these increasingly sophisticated attacks.
You should instead get the infection removed from your computer - your IT Support company are best placed to help you as there are many variants of this attack, and you need to ensure you've fully removed it - from each, all and any computers where the infection exists to be on the safe side. Whilst there are tools on the internet to help you, there is also a danger you'll download a fake program to help you that just infects you further - professional assistance is always best.
Bear in mind that removing the infection will NOT recover your files - at all. You must recover them from a backup - assuming you have a suitable backup - don't forget you need to restore files from BEFORE the point of infection particularly if there's a chance your backup software has run again which would mean the latest, now encrypted files are backed up.
If you're NOT infected with this, then you should do all of these things to reduce the risk of being infected AND to ensure you can recover if the worst does happen:
If you need help with this or any other malware & virus infection, call our team today for assistance on 01392 950 950 (business customers) or 01392 879003 (home/domestic customers) - our Exeter based team will be happy to help you.