Rolling Backups: The Cure to CryptoLocker
Doug White is Lead Maintenance Engineer at Cloud9 Real Time. We sat down to ask a few questions about CryptoLocker, his experience with it, and how Cloud9 helps clients recover their data with rolling backups. What’s CryptoLocker? Read about what it is and how you get it.
How long have you worked at Cloud9 Real Time?
I’ve been at Cloud9 two years. I was a Senior Systems Administrator and then became Lead Maintenance Engineer. I now oversee all maintenance at this point and am one of the more senior guys on the tech side.
So, we’re here to get your perspective on something called CryptoLocker. What exactly is it?
CryptoLocker is a relatively new form of something we like to call “ransomware”. What ransomware does is it holds your data hostage. There are multiple criminal organizations out there that have figured out a way to hold personal and corporate data hostage through a variety of software exploits. The simplest way these exploits are activated is through email. Some of these are pretty easy to identify as malicious; however, others are pretty crafty.
For instance, you might receive an email with a subject line that reads “Receipt from Joe’s Italian Pizza”. Now, there’s a 99% chance you didn’t actually eat at Joe’s Pizza the previous night, so naturally you’ll be intrigued to know if someone got a hold of your credit card or whatnot. If you open the email it may even have an itemized list of purchases. These of course are fake – the whole email is fake – and is designed to get you to either click on an embedded link or download an attachment.
These malicious emails get even more clever though. I’ve seen emails that are constructed to look like official, legal documents. It might be a subpoena, warrant, or contract. Anyone would be surprised to receive something like this and naturally be more alarmed than suspicious.
What makes it different from other types of viruses that have been out there forever?
Yeah, there have always been viruses. I still remember back when the internet first started there was this legend of a virus that would completely destroy your hard drive if you clicked on the wrong thing. It sounds scary, but it really isn’t possible.
Most viruses, when they infect your computer, might make it slow or make it crash. Some of the botnet stuff, you might not even know you have it and your computer will only be slow at certain times. The end-game of a virus is to spread as far and wide as it can.
So technically, CryptoLocker isn’t a traditional virus at all – it’s more accurately defined as a piece of malware. It doesn’t try to spread. Once it hits whatever it’s on it simply unleashes its payload… and there go all your files. It encrypts them, making them unusable, and inside all of your folders will be instructions on how to send a ransom payment to unlock them.
So what happens when you pay the ransom?
We’ve never advised any of our clients to pay the ransom. If you pay and they don’t give you the decryption key, then you’ve lost money. They (the criminals) also may think, “Hey, they gave us $100. Why not try to get $1,000 more out of them?” I mean, what’s your recourse – are you going to call the Better Business Bureau to file a complaint?
Why is malware like CryptoLocker a relatively recent phenomenon?
Uh, well it uses BitLocker – Microsoft’s built-in encryption. So it wasn’t until Windows 7 that Windows had built-in encryption capabilities. But what it really boils down to is just being a smart, knowledgeable user. Ransomware can largely be avoided by not clicking on or opening the wrong things. I have this conversation with customers all the time. They ask, “Why couldn’t you guys prevent this from happening?” The truth is that there’s no such thing as perfect security. Even the most robust security is subject to the human error factor. A big part of the equation is users being diligent, saying, “I’m not so sure about this email – maybe I should just delete it and move on with my day.”
Is CryptoLocker a Windows-exclusive virus?
Yeah, it seems to be. At least for now. Most stuff targets Windows, because it has a big market share. Also, there are just so many applications that they exploit and find vulnerabilities for. Most Windows machines are going to have Office, Flash, Acrobat, Java – and if they’re not kept up-to-date you’ve got some potential security exploits waiting to happen. Even if they ARE kept up-to-date, there’s still a potential. Whole criminal enterprises and black markets are devoted to finding these unpatched vulnerabilities.
What’s at stake for a company that’s affected by CryptoLocker?
We’ve seen a lot of stuff over time. The biggest implication for a business affected by CryptoLocker is that they are pretty much locked out of their server and its contents. Even if it’s just for a few hours, this can cost some companies untold amounts in revenue and undermine their reputation.
But yeah, if you weren’t prepared for something like this with rolling backups… We have clients that are storing decades’ worth of financial information; without the ability to bring everything back, it’s lost forever. Without a disaster recovery plan, some businesses could be permanently crippled. I mean, in certain industries companies are required to keep financials and other records for years. When you think about the implications something like CryptoLocker could have – it’s pretty sobering.
Do you see specific targeting taking place? Are newer or older companies at more risk?
Honestly I think they just target everybody. They just throw a lot of links out there and hope for a few bites. There’s always a new iteration, a new virus being put out there. As they get more clever, more people take the bait.
It’s a cat and mouse game. Fortunately, at Cloud9 we’ve rolled out some pretty effective software security in our servers. We filter most threats right out, patch things up quickly, and conduct rapid updates to minimize open vulnerabilities. In most cases we catch and remove threats before they even end up in a customer’s email inbox.
I often wonder, where do all these emails go when they die?
To the ether. (laughs)
So how has Cloud9 positioned itself to take on these new types of threats, and ones yet to come?
Well, we’re always improving and working to increase our level of end-point protection – not only on our servers, but in applications across the entire cloud environment. Beyond that, it’s all about just having a good backup solution. Your backups are all great in theory until you actually have to use one. That’s when you find out if they’re good or not. I’m confident in saying that our backups at Cloud9 are about as sure as it can get.
How do rolling backups work?
Well, our servers are essentially virtual machines. With our environment you basically have your host computers that are the compute side. They’re just CPU and RAM. Your disk and storage are all on a storage area network – Nimble storage devices in our case. The backups are basically at the storage device level. Every night it takes a snapshot of the entire data store. So, if we need to roll back to that point in time we can pull that out and turn it live.
How often can you make these backups?
Our standard plan is nightly with 30-day retention. We do offer all kinds of enhanced plans that allow customers to keep monthly backups for up to a year or that create multiple backups per day. There are a lot of options. It’s really just up to what the client’s needs are and what they want.
Are there any other benefits to rolling backups besides as a contingency against CryptoLocker?
Definitely. Rolling backups mean more than just strictly full-scale disaster recovery. Our customers take advantage of rolling backup capabilities in some really practical ways. For instance, it could be as simple as we get a call from a customer who says, “Hey, I think Bob accidentally deleted a file. I haven’t seen it since mid-December!” We can go back to that time to restore it if it indeed was there. Usually, people utilize our rolling backups in this simple, but powerful way.
How long does data recovery take?
The way we do our backups allows for a fairly swift restore time. Our SLA (service level agreement) says our target for recovery is 4 hours. However, I’ve restored a server to a prior night’s backup in as little as an hour. A lot of other companies would take much longer, but at Cloud9 we’re all about getting the client back in business as fast as possible. That’s why we’ve invested a lot in resources that give us these industry-leading capabilities.