We have recently dealt with an encryption virus (ransomware) infection at one of our contracted customers. Although these infections have fallen out of the news, the kind of virus that infected the NHS last year is still very prevalent and can quickly cripple a business. To give you an idea of how this kind of attack plays out, I thought it would be helpful to run through the incident and see where lessons can be learned.
During routine checks one morning, KCS identified that a large number of files and folders were displaying last-modified dates clustered very close together. The timestamps were late the previous day, at around 5pm. Further investigation showed that file names throughout the folder structure had been appended with .rapid. With alarm bells ringing, we determined that this was a typical presentation of Rapid Ransomware, including the tell-tale ransom note file ‘How Recovery Files.txt’.
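The three signals that gave the infection away (a burst of files modified within a short window, the appended extension, and the ransom note file name) can be turned into a routine check. The script below is an added example, not KCS tooling or anything from the original write-up: it walks a folder tree, finds the densest cluster of last-modified times with a sliding window, and flags the extension and note name quoted above. The one-hour window and 50-file threshold are assumed tuning values, and the sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile
import time
from pathlib import Path

# Indicators taken from the incident write-up: the appended extension and
# the ransom note file name. The window and threshold are assumed tuning
# values, not figures from the page.
SUSPECT_EXTENSION = ".rapid"
RANSOM_NOTE_NAME = "How Recovery Files.txt"
DEFAULT_WINDOW_SECONDS = 3600
DEFAULT_THRESHOLD = 50


def largest_burst(mtimes, window_seconds):
    """Densest run of modification times inside any `window_seconds` span.

    Sliding window over the sorted timestamps; returns (window_start, count).
    """
    ts = sorted(mtimes)
    best_start, best_count, lo = None, 0, 0
    for hi, t in enumerate(ts):
        while t - ts[lo] > window_seconds:
            lo += 1
        if hi - lo + 1 > best_count:
            best_start, best_count = ts[lo], hi - lo + 1
    return best_start, best_count


def scan_tree(root, window_seconds=DEFAULT_WINDOW_SECONDS, threshold=DEFAULT_THRESHOLD):
    """Walk `root` and report the three indicators: files carrying
    SUSPECT_EXTENSION, ransom note files, and the largest burst of
    last-modified times (the clustered-timestamp check from the text).
    """
    suspect, notes, mtimes = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                mtimes.append(path.stat().st_mtime)
            except OSError:
                continue  # file vanished or unreadable; skip it
            if name == RANSOM_NOTE_NAME:
                notes.append(str(path))
            elif name.endswith(SUSPECT_EXTENSION):
                suspect.append(str(path))
    burst_start, burst_count = largest_burst(mtimes, window_seconds)
    return {
        "suspect_files": sorted(suspect),
        "ransom_notes": sorted(notes),
        "burst_start": burst_start,
        "burst_count": burst_count,
        "alert": bool(suspect or notes or burst_count >= threshold),
    }


def build_sample_tree(base, encrypted=60):
    """Constructed fixture, not data from the incident: five untouched files
    with timestamps days apart, then `encrypted` files renamed with the
    suspect extension and stamped one second apart, plus the note file."""
    docs = Path(base) / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    now = time.time()
    for i in range(5):
        f = docs / f"untouched{i}.txt"
        f.write_text("unchanged content")
        stamp = now - 86400 * (i + 2)
        os.utime(f, (stamp, stamp))
    t0 = now - 3 * 3600  # stands in for "late the previous day"
    for i in range(encrypted):
        f = docs / f"report{i}.docx{SUSPECT_EXTENSION}"
        f.write_bytes(b"\x00" * 16)
        os.utime(f, (t0 + i, t0 + i))
    note = docs / RANSOM_NOTE_NAME
    note.write_text("constructed placeholder; not the real note text")
    os.utime(note, (t0 + encrypted, t0 + encrypted))
    return base


def demo():
    """Build the constructed tree in a temp dir, scan it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    report = demo()
    print(f"alert={report['alert']} suspect={len(report['suspect_files'])} "
          f"notes={len(report['ransom_notes'])} burst={report['burst_count']}")
```

Point `scan_tree` at a file share and run it from a scheduled task; the burst check is the one that fires even when a new strain uses a different extension or note name, which is why it is kept separate from the two name-based indicators.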
KCS contacted the customer, who were already discussing the problem internally. On our instruction, they immediately shut down all PCs, and an engineer was prepped to go to site.
Point #1 – Immediate action and uncertainty.
At this point, no PC in the building can be trusted. Because it can be difficult to tell where the virus entered the network, we have to err on the side of caution. There is also a risk that the virus has infected multiple computers, so we have to assume that every machine is a potential vector of re-infection and remove all of them from the network. All PCs should stay shut down until they have been cleared to re-join the network, often after a full re-install of the operating system.
The next step is to determine how we are going to recover from the incident. The first port of call here is of course the backups. In this case we hit our second problem: the virus had found, infected and corrupted the backups. This meant the latest usable backup was the offsite drive from the previous week, so potentially a week of data could be lost. Luckily, thanks to a belt-and-braces configuration put in place by KCS, we were able to recover data from the previous morning. In another stroke of good luck, the email data on the server was unaffected, meaning it could be moved to a new email system without loss.