A Run-in with Cryptolocker
A Little History
Over the years, we've had a fairly good run when it comes to viruses and malware. Much of that I can put down to the fact that we've always used IBM Notes as our mail system and it's less susceptible to hijacking. Of course, Notes only slows down the distribution (and reduces the likelihood of specific mail calls being used). It's not an effective anti-virus solution.
Years ago, I used to run my anti-spam services on the mail server. There were two problems with this approach:
- The mail had already reached our systems before the first scan occurred - even if it was just spam, you're now using your bandwidth and your storage.
- You're running secondary processes on (or between) your mail server. It needs updates, maintenance etc.
Anti-Spam was the first service we moved offsite.
For the past few years, we've been using the Symantec.Cloud anti-spam service. This was a very good service when it was a recent acquisition (MessageLabs). Back in those days, the spam used to pass through the filters of many of the major anti-spam vendors. These days, I think that it only runs through the Symantec solution, making it far less valuable. We're finding that more and more spam is slipping through.
Our desktop scanners are Kaspersky. We've spent years on Symantec/Norton (slowed all of our PCs down) and McAfee (never actually caught anything) and Kaspersky has been pretty good overall but it didn't catch this one.
So How did it Start?
In this case, the email that made it into our systems was a variant of the Australia Post cryptolocker email that hit Australia from August last year onwards. This particular email looks very similar to real emails that Australia Post sends out. Our users had been warned about this particular problem three or four months ago but the fact is that if you keep throwing links at an organisation, eventually you're going to get lucky.
The first sign of trouble was when some of our users called the helpdesk saying that their files were encrypted. I was just standing up to go off to lunch but luckily I decided to investigate. This is why you need a responsive helpdesk: the reaction (and recognition of the problem) was time-critical. I immediately ascertained that the files were not .zip files; they were simply normal files renamed with a .encrypted extension, and there was a whole folder full of them.
I'd been following trends and reading bulletins from AusCERT, so although I didn't know the exact effects of cryptolocker, I immediately suspected it was the problem.
I quickly googled signs of it and discovered that the ransom message was the clue. I looked for one on the person's computer but couldn't find one. I couldn't see one on the network either. I was just about to start disconnecting all devices from the network (all our PCs go to the servers via a single, easily isolated switch) when a user reported an unusual message. We'd found the PC with the issue ... and it was a different PC to the one which reported the problem. We immediately disconnected it from the network and started a local scan on it.
If possible, have a single point somewhere on your network that allows you to easily isolate systems in case there is a problem (this could be an attack, malware or even just a network traffic incident).
Confirming the Problem
I was pretty sure that Cryptolocker was malware, not a virus (meaning that it could wreck files but it couldn't infect) but I needed to be sure. I called one of our suppliers who had knowledge of cryptolocker and he advised me to look for the ransom notes in all the folders. There was an HTML and a TXT version called "HELP_TO_DECRYPT_YOUR_FILES.txt", though some variants of cryptolocker use different names. They hadn't been there prior to the message but now they were everywhere. If you want to read them, open the text file; there was too much HTML in the other file, and opening it is too risky.
Looking at the properties of these ransom notes, we were able to confirm that all of them were created by the same user. There was only one problematic PC and it was now disconnected.
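As an added example (not code from the original post), here is a PowerShell triage script for the steps above and for the timing question that came up during the restore: it finds the ransom notes and .encrypted files across the shares, groups the notes by NTFS owner to identify the account behind the infected PC, and reports the earliest encrypted write so you know which shadow copy predates the infection. Share paths and the report location are assumptions; the note name is the one seen in this incident.

```powershell
# Added example, not from the original post: triage a share hit by a
# Cryptolocker-style encryptor. It lists the ransom notes and renamed files,
# groups the notes by NTFS owner (the account that created them identifies
# the infected PC) and reports the earliest encrypted write, which tells you
# which shadow copy predates the infection. Paths are assumptions; the note
# name is the one seen in this incident.
param(
    [string[]]$Shares = @('D:\Data', 'E:\Projects'),              # assumed share roots
    [string[]]$NotePatterns = @('HELP_TO_DECRYPT_YOUR_FILES.*'),  # other variants use other names
    [string]$EncryptedExt = '.encrypted',
    [string]$Report = (Join-Path $env:TEMP 'cryptolocker-triage.csv')
)

$artifacts = foreach ($share in $Shares) {
    Get-ChildItem -LiteralPath $share -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = $_
            $isNote = $false
            foreach ($p in $NotePatterns) { if ($f.Name -like $p) { $isNote = $true } }
            if ($isNote -or $f.Extension -eq $EncryptedExt) {
                $kind = if ($isNote) { 'RansomNote' } else { 'EncryptedFile' }
                [pscustomobject]@{
                    Kind    = $kind
                    Owner   = (Get-Acl -LiteralPath $f.FullName).Owner  # creator of a new note
                    Created = $f.CreationTime
                    Written = $f.LastWriteTime  # renamed file: when its content was rewritten
                    Path    = $f.FullName
                }
            }
        }
}

$notes = @($artifacts | Where-Object Kind -eq 'RansomNote')
$enc   = @($artifacts | Where-Object Kind -eq 'EncryptedFile')

"Ransom notes: $($notes.Count)    Encrypted files: $($enc.Count)"
if ($notes) {
    'Ransom notes by owner (more than one owner means more than one infected PC):'
    $notes | Group-Object Owner | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize | Out-String
}
if ($enc) {
    $first = ($enc | Sort-Object Written | Select-Object -First 1).Written
    "Earliest encrypted write: $first  (restore from a shadow copy taken before this)"
}

# Full list for the restore and cleanup steps; review it before deleting anything
$artifacts | Export-Csv -LiteralPath $Report -NoTypeInformation
"Details written to $Report"
```

Get-Acl is called once per artifact, so on a large share the run takes a while; the CSV it writes is also a record of what was touched, which is worth keeping after the cleanup.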
I already knew that the cryptolocker malware uses encryption that can't be reversed without the attackers' key, so the choices were either "pay up" or restore.
If you're interested, paying up was about $400 AUD with a timer set to go off in a few hours that would increase the price to $1,400. They wanted their money in bitcoin.
I know people and companies who have paid up and they have had their files decrypted, so at least these people seem to have some honour. Of course, if you have a decent backup, then it's safer not to draw attention to yourself.
In our case, we have drive shadowing turned on for our main drives, which results in them being copied every two hours. It also makes restoration fairly simple.
The process of recovery was still long, but mainly because I wanted to be careful.
Tips and Problems in Restoration
I'm always telling people never to restore things to the same folders. There are lots of good reasons for this which I won't go into right now. We didn't have enough space to restore all of our data at once, so we did it in chunks. Then we copied each chunk over the top of the good data (without overwriting). This meant that if a file was missing (because it had been renamed to .encrypted), it got restored, but if a file was new/unaffected, it wasn't overwritten with an older version.
Part way through the restore process, we discovered that the malware had been triggered about three hours prior and that some files being restored had already been affected. Once we'd finished restoring the 10am files, we repeated the process with a 7am copy (which was definitely prior to the email). That way we made sure that all of the right files were restored.
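The "copy over the top without overwriting" merge, as an added example rather than the commands used at the time: a PowerShell wrapper around robocopy that copies only files missing from the live share, skips anything the malware left in the restored chunk (the problem with the 10am copy above), and runs in list mode unless told to commit. Paths are assumptions.

```powershell
# Added example (not the commands used at the time): merge a restored chunk
# over the live share without overwriting anything already there. Only files
# missing from the destination (e.g. originals the malware renamed away) are
# copied; newer, older and changed files are skipped, and anything the malware
# left in the restored chunk is excluded. Paths are assumptions.
param(
    [Parameter(Mandatory)] [string]$RestoredChunk,  # e.g. the 7am shadow copy restored to spare space
    [Parameter(Mandatory)] [string]$LiveShare,      # e.g. D:\Data
    [switch]$Commit                                 # without this, only list what would be copied
)

$log = Join-Path $env:TEMP ('restore-merge-{0:yyyyMMdd-HHmm}.log' -f (Get-Date))

# /E recurse   /XC /XN /XO skip changed, newer and older files (leaves only missing ones)
# /XF never copy the malware's leftovers   /R:1 /W:1 don't hang on locked files
$rcArgs = @($RestoredChunk, $LiveShare, '/E', '/XC', '/XN', '/XO',
            '/XF', '*.encrypted', 'HELP_TO_DECRYPT_YOUR_FILES.*',
            '/R:1', '/W:1', '/NP', "/LOG:$log", '/TEE')
if (-not $Commit) { $rcArgs += '/L' }   # /L = list only, copy nothing

& robocopy.exe @rcArgs
$rc = $LASTEXITCODE
# robocopy exit codes are bit flags: 8 or above means failures; bit 1 = files copied (or listed)
if ($rc -ge 8) {
    Write-Error "robocopy reported failures (exit code $rc); see $log"
} elseif ($rc -band 1) {
    $verb = if ($Commit) { 'copied' } else { 'would be copied' }
    "Missing files $verb; details in $log"
} else {
    "Nothing to copy: everything in $RestoredChunk already exists in $LiveShare"
}
```

Run it once without -Commit and read the log; the list of "New File" entries should be exactly the originals that were renamed away, and nothing else.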
Getting rid of the Rubbish
The last things we did were:
Del *.encrypted /s
on each affected drive letter. This removed the encrypted files. We also did a
Del HELP_TO_DECRYPT_YOUR_FILES.* /s
It certainly helps to know DOS.
As to the infected PC:
- A complete scan using a current version of Kaspersky took nearly 24 hours and discovered nothing.
- The PC has now been wiped.
Feb 06, 2016