Yesterday we had a client's IT manager call us. A user had received an email on their personal account, forwarded it to their work email and then opened it. The result was that the main file server and multiple NAS devices were all encrypted by Cryptolocker. Unfortunately this also encrypted their StorageCraft ShadowProtect backup images, which took away one of the avenues for fast recovery. Before you say that the backup images should have been secured: they were supposed to be, but the customer had problems getting their NAS working with AD and never got around to sorting it out (needless to say, they have fixed it now).
In total around 20TB of data was encrypted, including their 6TB of onsite ShadowProtect backups and another 5TB of archived PST files that the customer was supposed to have copied off to USB but didn't. The customer also has our offsite backup product, which sends the ShadowProtect incrementals off to our datacentre, and this was their saving grace: none of that data had been affected.
Now here's the cool thing. StorageCraft ImageManager will only ever replicate valid SPI and SPF files via its iFTP facility; it won't replicate files that are not valid image files, so the encrypted copies were never sent and our datacentre repository was not affected. We were able to copy one of their key servers off to USB within a short time and return it to them, so they are essentially working this morning. We're also copying the remainder of the 6TB of backup images back to them on a loan NAS unit so that they can choose to continue their backup chains once the restoration is complete. By the end of today they will be back in full action, and then the process of reviewing the environment to better protect it from malware such as Cryptolocker begins.
Lessons from this are:
- Ensure that your backups are stored in a location that is NOT accessible to ordinary users or their workstations. Ransomware runs with the permissions of the user who opened it, so anything that user can write to, it can encrypt.
- Ensure you share them via a HIDDEN share where possible (a `$` suffix on the share name); some NAS devices don't support hidden shares. Hiding only keeps the share out of browse lists, it is not access control, so the permissions in the point above still matter.
- Ensure that your offsite backups are managed in such a way that a compromised site cannot push corrupted data into them (here, ImageManager only replicating valid image files is what kept the offsite copies clean).
- Ensure that your archives are routinely copied to offline media (e.g. the archived PST files), not just left sitting on a live share.
- Ensure that your users ONLY have access to the files and folders they need to do their job (least privilege); that limits what one infected account can encrypt.
- Keep your eyes open: this is the first time I've seen malware specifically go after ShadowProtect backups, and that is a very worrying state of affairs.
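The first, second and fifth lessons above come down to share and NTFS permissions on the backup location. The following PowerShell is an added example for a Windows file server, not code from the original post or from StorageCraft: it audits existing SMB shares for broad write access, creates a hidden backup share whose share ACL and NTFS ACL both admit only administrators and a dedicated backup account, and removes a broad entry from an existing share. The domain, account name, path and share name (CONTOSO\svc-backup, D:\ShadowProtect, Backups$) are assumptions.

```powershell
# Added example, not code from the original post or from StorageCraft.
# Hypothetical names: CONTOSO\svc-backup, D:\ShadowProtect, Backups$.
# Requires the SmbShare module (Windows Server 2012+ / Windows 8+); run elevated.

# 1. Audit. Ransomware runs with the permissions of the user who opened it, so
#    any share that lets Everyone / Users / Domain Users write is exposed.
function Get-OverexposedShares {
    $broad = '(^|\\)(Everyone|Users|Authenticated Users|Domain Users)$'
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.AccessRight -in @('Full', 'Change') -and
                $_.AccountName -match $broad
            } |
            Select-Object Name, @{ n = 'Path'; e = { $share.Path } }, AccountName, AccessRight
    }
}

# 2. Harden. The effective permission is the more restrictive of the share ACL
#    and the NTFS ACL, so both are locked down. The $ suffix only hides the
#    share from browse lists and is not a substitute for either.
function New-HardenedBackupShare {
    param(
        [string] $Path          = 'D:\ShadowProtect',   # assumption
        [string] $ShareName     = 'Backups$',           # assumption
        [string] $BackupAccount = 'CONTOSO\svc-backup'  # assumption: dedicated account
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    # NTFS: stop inheriting (this drops the inherited BUILTIN\Users entries),
    # then grant only SYSTEM, Administrators and the backup account.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($grant in @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = $BackupAccount;           Rights = 'Modify' }
    )) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $grant.Id, $grant.Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Share ACL: explicit entries only; deliberately no Everyone entry.
    New-SmbShare -Name $ShareName -Path $Path `
        -FullAccess 'BUILTIN\Administrators' -ChangeAccess $BackupAccount | Out-Null
    Get-SmbShareAccess -Name $ShareName
}

# 3. Remediate an existing share: drop the broad entry, then re-run the audit.
function Remove-BroadShareAccess {
    param(
        [Parameter(Mandatory)] [string] $ShareName,
        [string] $AccountName = 'Everyone'
    )
    Revoke-SmbShareAccess -Name $ShareName -AccountName $AccountName -Force
}

Get-OverexposedShares | Format-Table -AutoSize
```

Run the audit first; any share it lists is one that an infected user session can encrypt. After hardening, the backup account's credentials become the remaining write path to the images, so that account should not be used for interactive logons and the share should never be mapped on workstations. For a NAS that cannot join AD, the equivalent is a local-only NAS account that owns the backup share and nothing else, with the share not mapped anywhere a user can reach it; and in every case the offsite or offline copy remains the real safety net.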
FYI, you might want to look at the information that ThirdTier has put together in their Ransomware Prevention Kit; it's available via a donation. In the spirit of open disclosure, I have contributed to the kit but don't make a cent from it.