Locky – protection for servers
LOCKY Update (Main LOCKY article is after this update)
We said it could happen. (I’m presuming that you have read the main article.)
We just didn’t think it would be so quick. You remember that we installed a script that would automatically shut down a server’s ability to share files and therefore make them impossible for the LOCKY virus to infect.
Boy are we glad we did what we did.
You may remember it was just 2 weeks ago that I told you about a script that we had installed on your server.
I wonder if people think that we were going over the top? After all, the whole blog was in excess of 2000 words; we had graphics, we had a list of instructions on how to combat it and we even had a video on the subject. It took us an entire day to prepare the material.
Were we over the top?
Do you know what has happened since?
Having a dangerous virus is bad.
Having one that can infect with such ease is really bad.
This particular virus is a nightmare just waiting to happen and it kept us awake at night. In fact, I can confirm that we wrote the script because we were so worried about our customer networks. It means we can sleep at night knowing that we have done all we can to prevent this virus from impacting our customers’ networks.
So what happened for me to update this blog?
THIS IS WHAT HAPPENED
Our Bytesafe Server Vault script caught a virus dead in its tracks.
Just exactly as we had outlined.
It happened to one of our customers, and the person whose “fault” it was had been tricked into opening an attachment.
I say “fault” because it is easy to get fooled: she was waiting for a document just like the one that was attached.
When she opened the attachment nothing seemed to happen and she thought it was nothing.
Meanwhile the virus went about its business in a systematic way, infecting and destroying data on the workstation. It later reached the server and was halted in its tracks.
But not before it destroyed 12 files.
After that the game was up.
Bytesafe Server Vault script stopped sharing the data and nothing more could be infected. We got the 12 files back from the backup.
We contacted the customer, who was unaware that anything had happened. We had been notified by our system, which monitors all the servers that we look after.
I am not surprised that the lady in question opened the file. It was completely related to her job.
This part of the blog in no way encourages paying the ransom for the encryption key. I do not even know if the key can be provided or whether it would even work. What I do know is that the people asking for the ransom were asking for Bitcoin.
Bitcoin is a currency that is not traceable in terms of transactions, but for some reason the ransom demand has now turned to iTunes vouchers and Amazon vouchers. I would imagine that anyone wanting to spend a lot on Amazon with Bitcoins would be flagged up as a possible criminal.
The virus writers have changed tack and are now demanding to be paid with iTunes or Amazon vouchers.
So, the script that we deployed took just 2 weeks to catch the virus and stop it dead in its tracks.
Now for the main article.
LOCKY ENCRYPTION VIRUS – from today your server is being protected from this deadly virus. (Bytesafe customers)
LOCKY is a powerful virus. We are pleased to announce an additional security measure that we’ve already rolled out to all Windows-based servers covered by a ByteSafe Silver, Gold or Platinum agreement, all at no additional cost.
Read on if you want to know how to troubleshoot the virus.
The script was gathered from the Internet community, hand coded into a PowerShell script and then tested and deployed by Systems & Solutions.
This PowerShell script protects servers from the Locky virus and others.
We will give this script to others, including IT support companies to use upon request.
This new system, which we’re dubbing the “Bytesafe Server Vault”, actively monitors a server and all its shared folders for the presence of files or file types commonly associated with known strains of ransomware (e.g. CryptoLocker, CryptoWall, etc.). In the event that a known file or file type is detected, all access to shared files and folders is removed before the virus has a chance to do any real damage. Then, once the infected computer has been safely removed from the network, access to shared files and folders can be restored while said PC is carted off ready for disinfection or wiping/reloading.
Ransomware is software that demands payment to reverse the damage that it does, and it is very profitable for the criminals that write the code.
Ransomware tends to be polymorphic by nature
This means that it creates copies of itself with slightly differing names, which lets it avoid detection by antivirus software. Once infection has been achieved the virus works away in the background. It encrypts your important files (pictures, documents, spreadsheets etc.) and, once it has finished, holds those files to ransom, demanding your hard-earned cash in return for the decryption key which is required to unlock your files.
Locky will also work its way through all network files and folders
If the computer affected is connected to a network, it will work its way through all network files and folders. It does this in seconds and the damage is devastating.
During March 2016 we got to learn a lot about a new strain which goes by the name of “Locky” (yes, the same virus that hit the three hospitals in the States). We had two customers who were hit, and in both cases we were able to restore all encrypted files from backups because we had an hourly backup regime. Things could have been a whole lot worse. While we were able to neutralize the threat and clear up the damage it had left behind, it was nonetheless disruptive and costly to the customer in terms of time.
We began looking into new ways in which we could prevent these types of attack from occurring in the first place. By the following week “Bytesafe Server Vault” had been created from commands found on the Internet and put together into a PowerShell script.
Bytesafe Server Vault waits and checks for files created by the LOCKY virus and others. When it finds one, it shuts down the server’s ability to share files. This means that the damage is minimal and the disruption to the business is negligible. We tested it on our own systems before deploying it to all our customers’ servers. One problem we had was that our monitoring system tries to automatically restart the service. We changed the script to disable the service, which means the shutdown survives even a reboot.
It’s important to note that the best protection from viruses and other internet-borne threats is a layered approach, with Bytesafe Server Vault as that final layer.
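The behaviour described above (watch every shared folder for a known ransomware file type, then stop the Server service and disable it so a reboot or a monitoring tool cannot bring sharing back) can be written as follows. This is an added illustration, not the Bytesafe Server Vault script itself; the `*.locky` pattern is the only indicator the article names, the `ServerVault` event-log source name is an assumption, and the functions are declared in the global scope so the watcher callbacks can reach them.

```powershell
# Added example: a minimal "server vault" style monitor. Not the Bytesafe script.
$RansomPatterns = @('*.locky')   # assumption: extend with other known ransomware extensions

function global:Disable-FileSharing {
    param([string]$Trigger)
    # Stop the SMB Server service so no share can be reached, then set it to Disabled so
    # neither a reboot nor an automatic service restart silently re-exposes the shares.
    Stop-Service -Name LanmanServer -Force -ErrorAction SilentlyContinue
    Set-Service -Name LanmanServer -StartupType Disabled
    if (-not [System.Diagnostics.EventLog]::SourceExists('ServerVault')) {
        New-EventLog -LogName Application -Source 'ServerVault'
    }
    Write-EventLog -LogName Application -Source 'ServerVault' -EntryType Error -EventId 9001 `
        -Message "File sharing disabled: ransomware indicator detected at $Trigger"
}

function global:Restore-FileSharing {
    # Run only once the infected workstation has been taken off the network.
    Set-Service -Name LanmanServer -StartupType Automatic
    Start-Service -Name LanmanServer
}

# Only real shares with a path (skips IPC$ and the admin shares).
$shares = Get-SmbShare | Where-Object { $_.Path -and -not $_.Special }

# Sweep what is already there: the infection may have started before the watcher was armed.
foreach ($s in $shares) {
    foreach ($p in $RansomPatterns) {
        $hit = Get-ChildItem -Path $s.Path -Filter $p -Recurse -File -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if ($hit) { Disable-FileSharing -Trigger $hit.FullName; exit }
    }
}

# Arm one watcher per share and pattern. Locky both creates and renames files, so
# subscribe to Created and Renamed.
foreach ($s in $shares) {
    foreach ($p in $RansomPatterns) {
        $w = New-Object System.IO.FileSystemWatcher -ArgumentList $s.Path, $p
        $w.IncludeSubdirectories = $true
        $w.EnableRaisingEvents = $true
        foreach ($ev in 'Created', 'Renamed') {
            Register-ObjectEvent -InputObject $w -EventName $ev -Action {
                Disable-FileSharing -Trigger $Event.SourceEventArgs.FullPath
            } | Out-Null
        }
    }
}
while ($true) { Start-Sleep -Seconds 5 }   # keep the session alive so events are delivered
```

Run it as a scheduled task or service wrapper under an account that can stop services; after clean-up, `Restore-FileSharing` puts the Server service back to its normal state.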
Head of Tech Support
We will share the PowerShell script with anyone that requests it. Here is our suggested approach on what to do should anyone detect the .LOCKY virus on your network server:
Solving the LOCKY Virus on a large network.
- Find out that files are being called .LOCKY
- Get them to disconnect the network (hub)
- Get onsite and get onto the server
- Look at the properties of a .locky file; find out which user changed the files and at what time they were changed
- Check over others in case the times are vastly different
- Identify that machine by the user
- Start that machine up disconnected from the network
- Identify the email that came in around that time
- Confirm the time that you need to work with
- Turn the network switch back on
- Restore files from backup. Select all files that have changed or are new since the infection time
- Re-image the workstation; don’t bother trying to cleanse the virus
You are generally going to get a call from a customer saying that they have discovered some strange files and their own files have disappeared.
You need to stop the infection spreading all over the network, and I suggest that you do this by turning off the network switching hubs. They could be in the data cabinet; just power them down. That means that there is no communication between computers.
You can only do this by getting onsite. Remote access is no good now. Infection can be spread to any open shares on the network. If you tightly manage this then there are no real problems, but be on the safe side and pull the plug on the network switch. This is an urgent issue and a “4 hour” response time will not be good enough in these circumstances.
Find the affected shares on the server and check over the properties of the infected files. They will have been modified by a particular user. Note the time they were modified. Check over more files just to see if there is more than one workstation infecting the files.
If the times are vastly different you could be looking for an additional machine or two that is also infecting but that would be unusual.
You should be able to identify which machine that user was using. I had a confusing situation when I found out that that same user was logged on to two different machines.
Points 7, 8 and 9
Check over the machine that is infecting all the files and go into Outlook and work out which email caused the damage and check that the times match. You can also run some anti-virus tools that will detect and destroy the process that locky is using.
It is safe to turn the network switch back on. The network will operate normally but you may have to reboot the workstations.
You have to restore the files from backup. The easiest way to do this is to find the most recent backup, mount it on the server and then xcopy the files back, selecting missing files or newly created files. That means that you will only be restoring the corrupted files and not overwriting files you don’t need to. It will be quicker too.
Over time it may be possible to cleanse this nasty virus from a workstation and for it not to come back. My advice would be to re-image it and start afresh. The virus writers are very clever and the virus changes on a regular basis; you do not need to take a risk when you can just re-image it.
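Two of the steps above (working out which user and what time the .locky files point at, and picking only the missing or freshly rewritten files out of the mounted backup) lend themselves to a couple of PowerShell helpers. These are added here for illustration and are not the article’s own commands; the share and backup paths in the usage comments are constructed examples, and the approach assumes the file owner recorded in the ACL is the account the infected workstation was logged on as.

```powershell
# Added triage helpers, not the article's own commands.
function Get-LockyTimeline {
    param([string]$SharePath)
    # Steps 4-6: one row per owner of .locky files with the first and last write time.
    # A second owner, or a far-off timestamp, points at another infecting machine.
    Get-ChildItem -Path $SharePath -Filter '*.locky' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Owner   = (Get-Acl -LiteralPath $_.FullName).Owner
                Written = $_.LastWriteTime
                File    = $_.FullName
            }
        } | Group-Object Owner | ForEach-Object {
            $sorted = $_.Group | Sort-Object Written
            [pscustomobject]@{
                Owner = $_.Name
                Count = $_.Count
                First = $sorted[0].Written
                Last  = $sorted[-1].Written
            }
        }
}

function Get-RestoreCandidates {
    param([string]$SharePath, [string]$BackupPath, [datetime]$InfectedSince)
    # Step 11: a backup file needs restoring only if its live copy is gone (renamed to
    # .locky) or was rewritten on or after the infection time; everything else is untouched.
    $root = $BackupPath.TrimEnd('\')
    Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        $rel  = $_.FullName.Substring($root.Length + 1)
        $live = Join-Path $SharePath $rel
        if (-not (Test-Path -LiteralPath $live) -or
            (Get-Item -LiteralPath $live).LastWriteTime -ge $InfectedSince) {
            [pscustomobject]@{ Source = $_.FullName; Target = $live }
        }
    }
}

# Usage with constructed example paths and time:
# Get-LockyTimeline -SharePath 'D:\Shares\Finance' | Format-Table -AutoSize
# $t = [datetime]'2016-03-21 09:15'      # earliest 'First' value from the timeline
# Get-RestoreCandidates 'D:\Shares\Finance' 'E:\BackupMount\Finance' $t | ForEach-Object {
#     New-Item -ItemType Directory -Force -Path (Split-Path $_.Target) | Out-Null
#     Copy-Item -LiteralPath $_.Source -Destination $_.Target -Force
# }
```

Run the timeline first, confirm the time against the email found on the workstation, and only then feed that time to the restore; the leftover .locky files can be deleted once the originals are back.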
Please watch the video on the subject:
There are 5 steps you should have in place already
- Mail filtering so you don’t receive emails containing the virus
- Up-to-date Office software so you don’t release the VBA code in the Word attachment
- Free LOCKY protection available from Bitdefender.com
- Bytesafe Server Vault script
- Hourly local and then cloud backups
Mail filtering costs money every month and it is worth it. Keeping the virus from entering your system in the first place means that your staff don’t have to be so on their guard. The social engineering that the virus writers use is proven to work, so don’t take the risk.
Word 2010 had a built-in function whereby you had to “enable editing” on attachments that came through the email system. The code cannot be released unless you enable editing. That was the reason why Microsoft put it in place as an extra feature some time ago. I do however remember customers complaining about it!
This software is free to install on workstations. It is a good idea to deploy it. https://labs.bitdefender.com/2016/03/combination-crypto-ransomware-vaccine-released/
Run the Bytesafe Server Vault script on your server and then run the “updater” script.
Invest in hourly backups and have them synchronised to the cloud or off premises.
The virus writers are always going to be a threat, and one day even hourly backups may not be enough. Data loss may still be possible even with all these approaches, but they do give you maximum protection now.