Home | Blog | Customer Hit with Crypto Virus

Customer Hit with Crypto Virus

For about the last year, TRI has been moving customers to our virtualization solution. A big part of this move is due to the cryptovirus craze. TRI uses a technology that allows us to snapshot the virtual machines (or a network file share), and then rollback to a specific hour sometime within the previous 2 week period. We have on-boarded numerous new customers who had unfortunately fallen victim to crypto viruses, but recently, we had a customer on our solution get hit with a cryptovirus. This is their story.

The Call

A frantic call came in early Monday morning. Our client had been hit with a crypto virus over the weekend and needed to recover ASAP. This is pretty much the worst-case scenario for business owners. Typically backups don’t run over the weekend, because no one is working, so data isn’t changing and there’s nothing to backup. But if you’re somehow hit with a crypto virus over the weekend, data is changing.

James hopped on a remote session with the client and investigated the infection. As it turns out, their server had been compromised for at least a month. But ironically (best we can tell), it wasn’t the intent of the hackers to introduce a cryptovirus. They were using the server as a hopping point to go to other locations on the web. Sometime during this fateful weekend, the hackers’ poor browsing habits ran them afoul of a site that infected the server with a cryptovirus.

The Rollback

The estimated infection time was Sunday at about 10:00 am, so James decided to roll back to Sunday at 9:00 am. The rollback itself takes mere seconds. In fact, the rollback happened so fast, the customer called into question whether or not the rollback actually worked. But the evidence was undeniable. As soon as the VM was booted, the client logged into the machine, and all of the data had been restored to its original, non-crypto-virus’d form.

Unfortunately, there’s not much magic to the rollback itself, it basically does what it says on the tin. I will mention that these snapshots that we can roll back to do not take up much space. The snapshots record the changes from one snapshot to the next, so each snapshot is the size of the amount of data that changed since the previous snapshot.

How Does This Stack Up To Traditional Backup?

If we’re talking about traditional tape backup, it stacks up pretty well. It’s not a complete replacement for long term backups. But for anyone who has used the old Friday full backup, incrementals through the week, you will want to take a look at these snapshots. The traditional backup runs at the end of the day, and the incrementals require the full backup as well as any incrementals leading up to the incremental you wish to restore in order to work.

The snapshots are not dependent on previous snapshots. If you want to rollback to a specific snapshot, you do have to destroy the snapshots between that point and your latest snapshot. But you can also access the snapshots independently. So if you only need to retrieve a file or two from a specific point in time, you can do so with ease. Also, since the snapshots are taken hourly, you don’t run the risk of losing potentially a full day’s worth of work should something happen to your data at the end of the day. That’s a risk you run with the traditional backup.

What Can We Learn From This?

Well in this particular case, the point of intrusion was the fact that the remote desktop service was open to the internet on the default port. So the first lesson is to not forward the default port for a service, always pick a random high port.

To go further on that point, we have seen customers get attacked on services that were listening on random high ports. A better solution to port forwarding is a virtual private network (VPN) for remote access. We highly recommend OpenVPN. It is available on many firewalls (sometimes called an SSL VPN) and can be installed to a virtual machine if your firewall does not support it.

Another clear sign of the attack was the fact that local users were logged into the server, rather than domain users. If your company uses a domain for user authentication, servers should be monitored for new, local accounts being created.

And, as always, make sure your anti-virus is up to date.

Those are the big points. TRI is always here to help your needs with our reliable I.T. support. Give us a call if you feel you might need to implement any of the above, or if you’ve got any other IT related trouble that needs to be addressed.

Posted By: Michael Bellerue  /  Dated: 07/10/2019

Leave a Reply

Your email address will not be published. Required fields are marked *