Cryptolocker Encrypts ShadowProtect Backups

February 5, 2016 by Wayne Small Leave a Comment

Yesterday we had a client's IT manager call us. A user had received an email on their personal email account and then forwarded it to their work email, and subsequently opened it… the result was that their main file server and multiple NAS devices were all encrypted with Cryptolocker. Unfortunately this also encrypted their StorageCraft ShadowProtect backup images, which took away one of the avenues for fast recovery. Now before you say that the backup images should be secured – they were supposed to be, but the customer had problems getting their NAS working with AD and never got around to sorting it out (needless to say they have fixed it now).

In total around 20TB of data was encrypted including their 6TB of onsite ShadowProtect backups, and another 5TB of Archived PST files that the customer was supposed to have copied off to USB… but didn’t. The customer also has our offsite backup product which sends the ShadowProtect incrementals off to our datacentre and this was their saving grace.  None of that data had been affected.

Now here's the cool thing. StorageCraft ImageManager will only ever replicate valid SPI and SPF files via its iFTP facilities. It won't replicate files that are not valid. Therefore our datacentre repository was not affected. We were able to copy one of their key servers off to USB within a short time and return it to them so that they are essentially working this morning. We're also copying the remainder of the 6TB of backup images back to them via a loan NAS unit so that they can choose to continue their backup chains once the restoration is complete. By the end of today they will be back in full action and now the process of reviewing the environment to enhance protection from malware such as Cryptolocker begins!

Lessons from this are:

  1. Ensure that your backups are secured in an area that is NOT publicly accessible.
  2. Ensure you share them via a HIDDEN share where possible (NAS devices don’t permit hidden shares)
  3. Ensure that your offsite backups are managed in such a way as to prevent contamination
  4. Ensure that your archives are routinely kept on offline media (i.e. the archived PST files)
  5. Ensure that your users ONLY have access to files/folders they need to do their job.
  6. Keep your eyes open – this is the first time I’ve seen malware specifically go after ShadowProtect backups – this is a very worrying state of affairs.
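
As an added example (not part of the original post), the following PowerShell audits a Windows file server for the conditions behind lessons 1, 2 and 5 (visible shares, and shares that give every user write access) and shows a backup-image share created as a hidden, least-privilege share. It assumes Windows Server 2012 or later (the SmbShare module) and an assumed service account CONTOSO\svc-backup; the share path and account names are placeholders.

```powershell
# Added example, not from the original post. Assumes the SmbShare module
# (Windows Server 2012+) and a placeholder domain CONTOSO.

# Name patterns that effectively grant access to every user, and therefore
# to ransomware running under any user's token.
$BroadPrincipals = @('Everyone', '*\Authenticated Users', '*\Users', '*\Domain Users')

function Test-BroadPrincipal {
    param([string]$Account)
    foreach ($pattern in $BroadPrincipals) {
        if ($Account -like $pattern) { return $true }
    }
    return $false
}

# Report every non-administrative share that is either visible (no trailing $)
# or grants a broad principal Change/Full access at the share level.
function Get-RiskyShare {
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share  = $_
        $access = Get-SmbShareAccess -Name $share.Name
        $broadWrite = $access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in 'Change', 'Full' -and
            (Test-BroadPrincipal $_.AccountName)
        }
        [pscustomobject]@{
            Name       = $share.Name
            Path       = $share.Path
            Hidden     = $share.Name.EndsWith('$')
            BroadWrite = @($broadWrite | ForEach-Object {
                             "$($_.AccountName):$($_.AccessRight)" }) -join ', '
        }
    } | Where-Object { (-not $_.Hidden) -or $_.BroadWrite }
}

Get-RiskyShare | Format-Table -AutoSize

# A backup-image share following lessons 1, 2 and 5: hidden name, only the
# backup service account may write, no broad principals at all.
# (Placeholder path and accounts; adjust to your environment.)
New-SmbShare -Name 'SPBackups$' -Path 'D:\ShadowProtect' `
    -FullAccess 'CONTOSO\svc-backup' -ReadAccess 'CONTOSO\Backup Operators'
```

A trailing `$` only hides the share from browsing; the share ACL and the NTFS ACL on the path are what actually stop an ordinary user's session from writing to the images, so both must be restricted.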


FYI – you might want to look at the information that ThirdTier has put together in their Ransomware Prevention Kit – it’s available here via a donation.  In the spirit of open disclosure, I have contributed to the kit but don’t make a cent from it.

