In March, the world woke up to the news that one of the leading insurance companies in the USA, CNA, had suffered a ransomware attack from a variant of CryptoLocker ransomware called Phoenix CryptoLocker. The ransomware, believed to have been deployed by the hacking group Evil Corp, impacted the company's online services and business operations.
Two months after the attack, CNA Financial announced this week, on May 13, that they had been able to restore their systems from the CryptoLocker ransomware attack that happened in late March.
The attack on CNA Financial by CryptoLocker ransomware is a wake-up call for veterinary practices to prepare for ever-evolving ransomware attacks. The best way to prepare for such an attack is for practice owners to understand every facet of it: the ransomware itself, its origin, how it attacks, what can be done to prevent an attack and how to recover from one.
CryptoLocker ransomware origins
CryptoLocker ransomware’s first known attack occurred from 5 September 2013 to late May 2014 and targeted computers that run Microsoft Windows as their default operating system.
Cyber criminals spread the CryptoLocker ransomware through email phishing: computers became infected after the user downloaded and opened a malicious email attachment. It also relied on the Gameover ZeuS botnet to propagate the malware worldwide. The botnet was a network of malware-infected computers to which the cybercriminals had access, creating a perfect environment for a large-scale ransomware attack.
As time went by, governments around the world realized that they needed a united front to curb the spread of the CryptoLocker ransomware, resulting in the formation of Operation Tovar, which included participants such as the U.S. Department of Justice, Europol, the FBI, the U.K. National Crime Agency and the South African Police Service.
In late May 2014, Operation Tovar took down the Gameover ZeuS botnet, bringing to an end months of CryptoLocker ransomware devastation. However, the ransomware family continued to exist and is still in use today, the latest attack being the March attack on CNA Financial.
How does CryptoLocker ransomware attack?
As a veterinary practice owner, understanding how your computer systems would be compromised in an attack is a crucial part of preparing your response to one.
The ransomware is spread through phishing emails with attachments that appear to have been sent by a legitimate company. The email carries a zip attachment which, when opened, contains an executable file disguised as a PDF.
CryptoLocker takes advantage of the Windows option to hide the file extensions of known file types and disguises the executable with a PDF icon, making it harder for potential victims to notice that the file they are clicking may be malware. It is also spread using the Gameover ZeuS Trojan and botnet, which infects potential victims' computers stealthily and can lie dormant until it is activated by the cyber criminals.
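As an added example (not part of the original post), the following PowerShell script applies the two points above on a workstation: it lists files whose real extension is executable but whose name shows a document extension first, which is exactly what a user sees as "invoice.pdf" when Explorer hides known extensions, and it turns that hiding off. The Downloads folder and the sample file names are assumptions for illustration.

```powershell
# Added example (not from the original post): spot attachments that hide an
# executable behind a document-looking name, and make Explorer show extensions.
# The scan folder and the sample file names below are assumptions.

# Extensions Windows will execute when double-clicked.
$ExecutableExtensions = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.vbs', '.hta')
# Extensions a phishing lure typically imitates.
$DocumentExtensions   = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.jpg', '.txt')

function Test-DisguisedExecutable {
    param([Parameter(Mandatory)][string]$Name)
    $ext = [System.IO.Path]::GetExtension($Name).ToLowerInvariant()
    if ($ExecutableExtensions -notcontains $ext) { return $false }
    # Strip the real extension and look at what the user sees with
    # "Hide extensions for known file types" switched on, e.g. "invoice.pdf".
    $shown = [System.IO.Path]::GetFileNameWithoutExtension($Name)
    $inner = [System.IO.Path]::GetExtension($shown).ToLowerInvariant()
    return ($DocumentExtensions -contains $inner)
}

function Find-DisguisedExecutable {
    param([string]$Folder = "$env:USERPROFILE\Downloads")   # assumed location
    Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { Test-DisguisedExecutable -Name $_.Name } |
        Select-Object FullName, Length, LastWriteTime
}

# Explorer's "hide extensions" setting: 1 (the Windows default) hides ".exe" so
# the file appears as "invoice.pdf"; 0 shows the full name "invoice.pdf.exe".
$ExplorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
function Show-FileExtensions {
    Set-ItemProperty -Path $ExplorerKey -Name 'HideFileExt' -Value 0 -Type DWord
}

# Constructed sample names to exercise the check (two disguised, two harmless):
'invoice.pdf.exe', 'statement.PDF.scr', 'report.pdf', 'setup.exe' |
    ForEach-Object { '{0,-20} disguised: {1}' -f $_, (Test-DisguisedExecutable -Name $_) }

# Scan the assumed Downloads folder and switch extension display on.
Find-DisguisedExecutable
Show-FileExtensions
```

Explorer applies the HideFileExt change after it is restarted or the user logs in again. The check only catches the double-extension trick described above, so it supplements, rather than replaces, mail filtering and anti-malware software.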
Once installed, the ransomware attaches itself to the user profile and can write a registry entry to the startup applications, so that it starts automatically every time Windows boots. It scans through your computer system, including all connected devices on the network, and starts encrypting files and folders across the network. The entire process can take hours or even more than a day, and during this incubation period the CryptoLocker ransomware stays hidden.
As soon as the encryption of your files is complete, CryptoLocker notifies its victims that their systems have been hijacked and all their important files, such as photos, videos and documents, have been encrypted. The criminals then give you a Bitcoin wallet address or other payment details, demanding payment to recover your files and folders. The payment window is timed: if you do not pay within the stated period, all your files and folders will be destroyed. The message is also hard to get rid of, since the CryptoLocker ransomware attaches itself to the startup applications.
Preventing CryptoLocker attack
CryptoLocker ransomware attaches itself to user profiles. Therefore, users who have a lot of privileges in a network are more likely to cause the most harm.
To limit damage in a CryptoLocker ransomware attack, practice owners should ensure their networks apply different access restrictions depending on who is using a computer, limiting the scope of what the ransomware can reach and encrypt. This also mitigates the risk from both internal and external exposure to CryptoLocker ransomware. In practice, if your practice management system vendor asks you to give each computer user account full admin rights, you need to push back. Make sure your staff log in to their computers with standard user accounts, which limits the damage CryptoLocker can do to the network.
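To check this on a workstation, here is an added PowerShell example (not from the original post or from Lucca) that reports whether the account currently logged in holds administrator rights and lists every member of the local Administrators group. It assumes Windows 10 or later, where Get-LocalGroupMember is available.

```powershell
# Added example (not from the original post): confirm that staff log in as
# standard users and see who holds local administrator rights on this machine.
# Assumes Windows 10 / Server 2016 or later (Get-LocalGroupMember).

function Test-IsAdminSession {
    # True only when the current token actually carries administrator rights.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminReport {
    # Members of the built-in Administrators group; every account listed here
    # would hand ransomware full control of the workstation if it ran as them.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

$user = "$env:USERDOMAIN\$env:USERNAME"
if (Test-IsAdminSession) {
    Write-Warning "$user is running with administrator rights; malware launched from this session inherits them."
} else {
    Write-Host "$user is a standard user; malware launched from this session is confined to what this account can write to."
}

Write-Host "`nAccounts with local administrator rights on ${env:COMPUTERNAME}:"
Get-LocalAdminReport | Format-Table -AutoSize
```

Two caveats when reading the output: with User Account Control enabled, an administrator account running a normal (non-elevated) session reports as a standard user, which is why the group listing is printed as well; and a standard account still has write access to the network shares it uses daily, so the attack described earlier can still encrypt those shares. Least privilege limits the blast radius, it does not remove the need for backups.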
Your next line of defense as a practice owner should be your antivirus and anti-malware programs. Always ensure that they are updated with the latest security features. CryptoLocker is easily detected by anti-malware programs because, in most cases, it attaches itself to the computer system's registry, as shown below:
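The registry entry mentioned here is the same startup entry described in the section on how the attack works. As an added PowerShell example (not from the original post), the following audit reads the standard Run and RunOnce autostart keys and flags entries that launch a program from a user-writable folder or whose file lacks a valid Authenticode signature. The list of user-writable folders is an assumption chosen for a typical workstation.

```powershell
# Added example (not from the original post): audit the registry autostart
# locations that CryptoLocker used to relaunch at every logon, and flag entries
# that point into user-writable folders or lack a valid code signature.
# The key list is standard Windows; the user-writable folder list is assumed.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Folders a standard user can write to; a persistence entry here is unusual for
# properly installed software and typical for malware dropped from an e-mail.
$UserWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, "$env:USERPROFILE\Downloads")

function Get-ExecutablePath {
    # Pull the program path out of a Run value such as
    #   "C:\Users\x\AppData\Roaming\abc.exe" /silent   or   C:\Tools\app.exe -start
    param([string]$Command)
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Get-AutostartReport {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # provider metadata, not a value
            $exe      = Get-ExecutablePath -Command ([string]$p.Value)
            $expanded = [Environment]::ExpandEnvironmentVariables($exe)

            $inUserDir = $false
            foreach ($dir in $UserWritable) {
                if ($dir -and $expanded.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inUserDir = $true
                }
            }

            # Unsigned or tampered binaries fail this check; missing files are
            # reported too, since bare names like "rundll32.exe" resolve via PATH.
            $sig = if ($expanded -and (Test-Path -LiteralPath $expanded)) {
                (Get-AuthenticodeSignature -FilePath $expanded).Status
            } else { 'FileMissing' }

            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $p.Value
                UserDir    = $inUserDir
                Signature  = $sig
                Suspicious = ($inUserDir -or $sig -ne 'Valid')
            }
        }
    }
}

# Suspicious entries first; each one still needs a human look, because
# legitimate software sometimes uses these keys without a signature.
Get-AutostartReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an ordinary PowerShell window; the Run keys are readable without elevation. Treat the Suspicious column as a prompt to investigate, not as a verdict, and hand anything you cannot explain to your IT and security administrators rather than deleting it yourself.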
If you are in doubt and suspect that your computer system may be under attack by the CryptoLocker ransomware, notify your IT and security administrators so they can help you troubleshoot your network. This will save you valuable time and help you respond appropriately.
The other thing you need to do is avoid opening email attachments that look suspicious, even if they seem to come from a genuine source. Almost all malware attacks are propagated through email phishing scams. This method, though old, is effective, and cyber criminals always bet on the gullibility of their potential victims.
Responding to CryptoLocker attack
Sometimes, even with the best security features, you can still be attacked and your computer system compromised. If that happens, it is important to respond appropriately to the threat; otherwise, you will lose all your files and folders.
Your first line of defense during an attack is your antivirus and anti-malware programs. As a practice owner or veterinary practitioner, you should not ignore your antivirus warnings. Immediately after an attack is launched, most antivirus programs are able to detect CryptoLocker and offer an option to scan your computer and delete the file. The appropriate action is to allow the program to scan your system and delete the malware.
If you are not able to catch the CryptoLocker ransomware quickly, your system will already have been encrypted. The only way to recover your files is through your backup systems. This is why it is always recommended to keep an external backup of your files and folders: you never know when a strike will happen.
CAUTION: Never pay, or even consider paying, ransomware cybercriminals. Doing so makes you vulnerable to future attacks, and you have no assurance that your system will be restored after paying. You may also be funding organized crime and terrorist activities, which can have legal implications for your veterinary practice or for you as an individual!
If your veterinary hospital becomes a victim of ransomware
If your veterinary hospital becomes a victim of a ransomware attack like CryptoLocker, use the Lucca Veterinary Data Security 6-step guide to start the recovery process.
The best defense is a good offense
It's best practice to have a good cyber security and data protection plan in place. With the Lucca complete cyber security suite you can protect your hospital with ransomware-proof backups for as little as $350 a month. This includes our ransomware-specific workstation protection for each workstation and server in your practice.
Schedule a FREE consultation call today to see how Lucca Veterinary Data Security can protect your veterinary hospital.