Invoice scams are on the rise, and with them the deadly threat of Ransomware infection. Read on to find out how to spot the fakes and avoid very painful consequences.
Last week a local business gave us a call after one of their computers was locked down with Crypt0l0cker ransomware.
The business owner had received an email purporting to be from AGL Energy, one of their suppliers, about an outstanding account, and had forwarded it on to the accounts payable team. Unfortunately, this particular invoice came bundled with Crypt0l0cker: when the infected link was clicked, it executed a program which then proceeded to encrypt the user's files.
Crypt0l0cker is a form of Ransomware that infiltrates and infects computers, typically via infected email attachments masquerading as invoices, speeding tickets, parcel tracking notices and the like.
These Ransomware infections are often localised to add credibility. For example, in Australia they often come in the guise of the Australian Federal Police, Australia Post, or utility companies such as Energy Australia or AGL.
As a process, Ransomware typically runs in the background, sometimes for several days depending on the volume of files, and only reveals itself when the encryption is complete, by which point there is no way to recover the encrypted files; as such, it can be difficult to determine when the infection really hit.
As with all Ransomware, Crypt0l0cker spreads quickly to other networked computers, to online file repositories like Dropbox and OneDrive, and to any attached storage devices.
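Because the encryption runs quietly until it finishes, one defender-side check that does not depend on the ransom note appearing is to look at the documents themselves: ciphertext is close to uniformly random, whereas a spreadsheet, letter or CSV export is not. The Python script below is an added example, not part of the original article and not a tool the business in this story used. The file names, contents, the 7.5 bits-per-byte threshold and the 30% alert ratio are all constructed for illustration; the skip-list of already-compressed file types exists because JPEGs, ZIPs and modern Office files are dense by nature and would otherwise produce false positives.

```python
import math
import os
import random
from collections import Counter

# Legitimate file types that are already compressed and therefore high-entropy
# on their own. They are excluded from the judgement so they cannot inflate the
# count of suspect files. (Constructed list, extend for your own environment.)
ALREADY_COMPRESSED = {".zip", ".7z", ".gz", ".jpg", ".jpeg", ".png", ".mp4", ".docx", ".xlsx"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (a constant byte) to 8.0 (uniformly random).
    Encrypted output sits very close to 8; text, CSV and legacy .doc sit far below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes, threshold: float = 7.5) -> bool:
    """True when a file that ought to be plain is near-random. Small files are
    skipped because a few hundred bytes cannot be judged reliably."""
    ext = os.path.splitext(name.lower())[1]
    if ext in ALREADY_COMPRESSED or len(data) < 256:
        return False
    return shannon_entropy(data) >= threshold


def scan_snapshot(files: dict, alert_ratio: float = 0.3) -> dict:
    """Judge a snapshot {path: contents}. A single dense file proves nothing; a large
    share of ordinary documents turning random at once is the ransomware signal."""
    candidates = [n for n in files if os.path.splitext(n.lower())[1] not in ALREADY_COMPRESSED]
    flagged = sorted(n for n in candidates if looks_encrypted(n, files[n]))
    ratio = len(flagged) / len(candidates) if candidates else 0.0
    return {
        "candidates": len(candidates),
        "flagged": flagged,
        "ratio": round(ratio, 3),
        "alert": ratio >= alert_ratio,   # when True: isolate the host, stop cloud sync
    }


# --- Constructed sample data (fixed seed so the example is reproducible) ---
_rng = random.Random(2016)


def _random_bytes(n: int) -> bytes:
    """Stand-in for ciphertext: seeded pseudo-random bytes, not real encrypted output."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


# A healthy snapshot: ordinary documents plus one photo that is dense by nature.
SAMPLE_CLEAN = {
    "accounts/ledger.csv": b"Date,Supplier,Amount\n2016-05-02,AGL Energy,412.30\n" * 80,
    "letters/overdue notice.doc": b"Dear customer, your account is overdue. " * 100,
    "photos/team.jpg": _random_bytes(4096),
}

# The same share after encryption has run over most of it; one note is still untouched.
SAMPLE_HIT = {
    "accounts/ledger.csv": _random_bytes(4096),
    "letters/overdue notice.doc": _random_bytes(4096),
    "accounts/notes.txt": b"call AGL re invoice 4471\n" * 20,
    "photos/team.jpg": _random_bytes(4096),
}

if __name__ == "__main__":
    for label, snapshot in (("clean", SAMPLE_CLEAN), ("hit", SAMPLE_HIT)):
        print(label, scan_snapshot(snapshot))
```

Run against a real share the snapshot would be built by walking the directory tree and reading each file; the ratio, not any single file, is what should trigger isolation and a stop to Dropbox or OneDrive synchronisation, since the sync client will otherwise replicate the encrypted copies exactly as happened in this case.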
What Crypt0l0cker looks like
In this case, Crypt0l0cker was able to encrypt all files on the team member's local computer and, as many of the business's files were stored on a shared Dropbox set to synchronise automatically, it also encrypted all files on the Dropbox, including Word documents, spreadsheets, PDF files and, most critically, the majority of the MYOB accounts and backup files.
Whilst there are decryption tools available for some strains of Ransomware, in this instance they did not work.
To prevent Crypt0l0cker from spreading to other devices, when the customer called late in the afternoon we had them disconnect all devices from the network and shut them down, and we were onsite first thing in the morning to remediate the situation. Once on-site, the first step was to neutralise the ransomware on the infected computer while keeping the machine in isolation; after ensuring Crypt0l0cker was neutralised, we backed up the few non-encrypted files to off-line storage.
We then had to re-image the machine. There were some added complexities, as the computer was actually a Mac running Windows via the inbuilt dual-boot capability (Boot Camp), and the underlying Mac OS had to be updated before we could complete the rebuild of the Windows image. The customer also took the opportunity to have us upgrade them to Windows 10 during the remediation.
We then brought the system up-to-date with all appropriate system drivers and installed a more robust and reliable security solution before reinstalling all applications.
After ensuring the recovered files were not infected, we reinstated and tested them, before giving the other machine a once-over. Fortunately, the main computer had been off-line on the day the accounts computer was infected, which prevented the Ransomware from infecting it; however, to be safe, we still performed the appropriate due diligence to ensure that the device was not infected, and created an offline backup prior to upgrading the security software and bringing the unit back on-line.
Last but not least we advised the customer on a backup strategy and recommended that they report the crime to the Australian Cybercrime Online Reporting Network (ACORN).
In this instance the customer did not have a current direct backup of the files, which required us to salvage what we could (email and the main MYOB data files) from the infected machine. We were also able to recover some additional files from the personal computer of the accounts manager, backed up a few months prior, which held a snapshot of the shared Dropbox account from before the Ransomware took effect.
The fake invoicing scam that led to this infection has been rampant in recent weeks. Without proper defences and with no reliable backup, the business was left exposed, resulting in significant data loss and financial losses in the form of the re-work required and the remediation of the affected devices.
Three practical ways to minimise the risk of infection through these invoicing scams:
- Ensure a robust Internet Security solution, with Ransomware protection, is properly installed and configured on all computers.
- Have a reliable backup strategy, and ensure that backup drives do not remain connected to the computer.
- Establish processes whereby any emailed invoice is passed to your bookkeeper / accounts team and cross-checked against a list of recognised suppliers, with any unrecognised accounts discarded. Even with recognised suppliers, double-check the originating email address, do not click any links in these emails, and scan any attachments with your antivirus prior to opening them. If in any doubt, call the supplier and ask them to confirm the invoice number, the amount, and who sent the invoice.
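The third recommendation is a checklist the accounts team applies to every emailed invoice, and a checklist can be written down as a script so it is applied the same way every time. The Python below is an added example, not part of the original article and not a tool the business used. The supplier allow-list, the `.example` domains and the three sample messages are constructed; the Reply-To comparison is an added check that goes slightly beyond the article's list, on the reasoning that a message from a recognised address whose replies are routed elsewhere also deserves a phone call rather than a payment.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from email.utils import parseaddr

# Constructed allow-list: sender domains the accounts team has confirmed directly
# with each supplier. Placeholder .example domains, not real supplier addresses.
RECOGNISED_SUPPLIERS = {
    "agl.example": "AGL Energy",
    "stationery-co.example": "Stationery Co",
}

LINK_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage_invoice(raw_message: str) -> dict:
    """Apply the checklist to one emailed invoice and return the action for accounts."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    display_name, sender = parseaddr(str(msg["From"] or ""))
    sender_domain = _domain(sender)
    supplier = RECOGNISED_SUPPLIERS.get(sender_domain)

    # Check 1: not a recognised supplier -> discard. Note when the display name
    # borrows a recognised supplier's name, the pattern of a look-alike domain.
    if supplier is None:
        reasons = [f"sender domain {sender_domain!r} is not on the recognised supplier list"]
        imitated = [s for s in RECOGNISED_SUPPLIERS.values() if s.lower() in display_name.lower()]
        if imitated:
            reasons.append(f"display name {display_name!r} imitates recognised supplier {imitated[0]!r}")
        return {"action": "discard", "supplier": None, "reasons": reasons}

    reasons = []
    # Check 2: the originating address checks out, but a Reply-To on another domain
    # would send the conversation to someone other than the supplier (added check).
    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_to and _domain(reply_to) != sender_domain:
        reasons.append(f"Reply-To {reply_to!r} does not match the sender domain")

    # Check 3: links are not clicked, attachments are scanned before opening.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    links = LINK_RE.findall(text)
    if links:
        reasons.append(f"{len(links)} link(s) in body; do not click, confirm the invoice by phone")
    attachments = [part.get_filename() or "(unnamed)" for part in msg.iter_attachments()]
    if attachments:
        reasons.append("scan before opening: " + ", ".join(attachments))

    action = "verify by phone" if reasons else "pass to accounts"
    return {"action": action, "supplier": supplier, "reasons": reasons}


def build_sample(frm: str, subject: str, body: str, attachment_name=None, reply_to=None) -> str:
    """Build a constructed RFC 5322 message string for the samples below."""
    msg = EmailMessage()
    msg["From"] = frm
    msg["To"] = "accounts@smallbusiness.example"
    msg["Subject"] = subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"%PDF-1.4 constructed placeholder, not a real document",
                           maintype="application", subtype="pdf", filename=attachment_name)
    return msg.as_string()


# Constructed samples. The look-alike carries the supplier's name on a domain that is
# not the one on the allow-list, which is exactly what the cross-check is for.
SAMPLE_LOOKALIKE = build_sample(
    "AGL Energy <accounts@agl-energy-billing.example>",
    "Outstanding account - action required",
    "Overdue account. View your invoice: http://agl-energy-billing.example/view?id=4471",
)
SAMPLE_RECOGNISED_ATTACHMENT = build_sample(
    "AGL Energy <accounts@agl.example>",
    "Invoice 4471",
    "Please find your invoice attached.",
    attachment_name="invoice_4471.pdf",
)
SAMPLE_CLEAN = build_sample(
    "Stationery Co <billing@stationery-co.example>",
    "Invoice 1182 - paper order",
    "Invoice 1182 for $86.40 is due 30 June. Reply to this message with any questions.",
)

if __name__ == "__main__":
    for raw in (SAMPLE_LOOKALIKE, SAMPLE_RECOGNISED_ATTACHMENT, SAMPLE_CLEAN):
        print(triage_invoice(raw))
```

The allow-list is the part that matters most and the part a script cannot supply: each domain on it should be confirmed with the supplier over the phone, using a number from an earlier paper invoice rather than one printed in the email being checked.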
If you have found this article interesting, please don't forget to LIKE and SHARE.
© Excalibur IT Solutions 2016