A friend of mine called me for advice yesterday. He had just gotten hit hard by ransomware.
If you’ve been keeping up with the news lately, you’ve probably heard about the explosion of the ransomware strain known as Locky. Locky is a very aggressive type of malware that encrypts files on a victim’s computers and crawls through network shares that are accessible to the victim. It is typically delivered by macros inside of Microsoft Word documents sent through email. When recipients open the Word document, they are prompted to enable macros, and when they do, the ransomware embedded in the macro executes and infects the victim’s computer.
This is what happened to my colleague, who works for another company. So far, we’ve escaped Locky at my company, but I’ve had my own experiences with ransomware, and I’d rather be the one giving advice on how to deal with it than the one who has to clean up the mess. And because of my own experience, I was able to give some helpful advice to my friend.
My first question to him was, “What is the current situation?” About 75% of the documents and important files on his company’s computers and file shares had been replaced by ones with “.locky” extensions. (His team had turned off the majority of end-user PCs to stop the spread of the infection). There was a text file in the affected folders with instructions to pay a ransom of half a bitcoin to purchase the decryption key, along with instructions about where to go to do so.
My second question was, “Can you restore the files from backup?” This is what I did in my own ransomware situation last year, and it was effective. I just deleted all the encrypted files and restored them from backup, making sure the source of the infection was neutralized, and never looked back. My friend was not so lucky. Files stored on the network storage system were backed up every week, so there wouldn’t be too much data lost, but restoring them would take about 36 hours. And most employees of his company had been saving important files locally to their My Documents and Desktop folders, where they were not backed up, and they insisted that getting those files back was essential to business.
At this point, you probably have the same thought that I and my friend had: Just pay the ransom. Half a bitcoin, at today’s exchange rate, is just under $210. Assuming that the criminals are honest and provide the decryption key as promised, they should get their files back. I don’t yet know how this will work out — he purchased the bitcoin and sent the payment but hasn’t yet heard back from the Locky operators. I hope he doesn’t have to call their help desk — I can’t imagine what that conversation would be like.
Sign up for Computerworld eNewsletters.