- Written by David Guest
- Published: 07 October 2013
In late 2012 it was reported that the Gold Coast’s Miami Family Medical Centre had been the subject of an internet extortion attempt, said to have been unsuccessful although police and IT support companies spent some time analysing the incident.
This appears to be the first recorded instance of a new type of ‘malware infection’ affecting Australian medical practices. Ransomware exploits have been known for many years, but a type of encrypting ransomware known as CryptoLocker has become increasingly common in 2013.
This new breed poses a different threat from the one most users are familiar with. Computer viruses typically infect a computer, use its resources to replicate themselves and commandeer the computer's functions for other purposes. A worm's defining attribute is that it spreads from one computer to another across local networks or the internet.
Trojans lie dormant inside a computer until awakened by their controller to undertake one or more of their pre-programmed functions - none of which are good. The usual way to deal with these infections is to run "antivirus" programs to detect and remove the infecting software. These often work… but if they fail, or you want to be sure that the virus has gone, it is best to reinstall the operating system and all programs afresh.
This is very labour intensive.
A more modern approach has been to take a copy of the computer hard drive once all the programs are installed and configured. These copies are known as hard drive "images" and are saved safely in off-line storage.
If a computer is hopelessly infected it takes a lot less time and mental effort to copy the good image over the infected one and have the computer restored to a known good state.
Another approach is to use snapshots or restore points. These are clever ways to record the state of the hard drive at various points in time. The computer notes the files that have changed and in theory one can "turn back the clock" to the last known "good image" of the drive.
CryptoLocker is different. It doesn't really do much harm to your computer although it does try to spread to other computers on your network via shared drives. It is most commonly spread across the internet as a zip file, which users are induced to open under various guises. (The quest for an enhanced penis fails in over 50% of cases!).
Once installed, CryptoLocker uses strong computer encryption to lock up the personal files on your computer. The files are rendered inaccessible until you obtain the key that was used to encrypt them. The ransom to obtain that key is typically between US $100 and $300. Good images or the Time Machine cannot help you. It is your data that is gone. Your only hope is that you have copies elsewhere on your network (or preferably off) that you can restore. This is also time consuming.
Your only other alternative, presuming you want your data back, is to pay the ransom.
CryptoLocker is quite clear and upfront about what it is doing. Once it has encrypted your files it pops up a large red banner explaining what has happened. It then carefully instructs you on what you need to do to pay your ransom and get your key. The best thing about CryptoLocker is, if you pay your ransom, you get your key. It's so nice to be dealing with an honest extortionist.
Recently two servers at our surgery were infected with CryptoLocker. We didn't pay the ransom and removing the virus was relatively easy. However, as CryptoLocker cheerfully informs you, the encrypted files will be lost forever if you don't reinstall the software, pay the ransom and get the key. The fact that you have 72 hours to complete the process gives IT support the feeling of being in a James Bond movie, minus any enjoyment.
So what are the messages for Australian medical practices?
The first is that if it's a zip file it's a virus. This is so often true that the default for every practice should be never to click on a zip.
The second message is to keep copies of your important files elsewhere, ideally not on a server that can be accessed as a shared drive. There are various solutions to this and your IT support can advise on what is best for your network.
The last take-home message is that there should be nothing on your database server apart from your database and this should only be accessible by system administrators and not be a shared drive on your network.
Thankfully most medical software in Australia uses SQL servers that require their own separate logins, so their data files are not reachable through an ordinary shared drive and hence are not vulnerable to a CryptoLocker attack. Taking a nightly copy of your database is probably a minimum requirement, and restoring that copy to another server once or twice a month may help you sleep better.
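The three take-home messages above (keep copies off the shared drive, isolate the database server, take a nightly copy and actually test the restore) can be turned into a small routine. The following is an added example written for this article, not code from the author or from any practice's IT support: it refuses to overwrite last night's backup when the source files already look encrypted, records a SHA-256 manifest of what was copied, and checks a restored copy against that manifest. The file extensions, the 7.0 bits-per-byte entropy threshold, the directory names and the sample records are all constructed assumptions; the entropy check is a crude heuristic for "text that is no longer text", not a CryptoLocker signature.

```python
import hashlib
import math
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Assumed set of file types that should read as structured text in a practice's
# data folder. A high-entropy body under one of these extensions is a signal
# that the content has been encrypted, so the backup job should stop.
TEXT_LIKE = {".sql", ".csv", ".txt", ".xml", ".hl7"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; plain text usually sits well under 6


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large exports do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (relative to root) to its digest at backup time."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest; report missing and altered files."""
    problems = {"missing": [], "changed": []}
    for rel, digest in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            problems["missing"].append(rel)
        elif sha256_file(target) != digest:
            problems["changed"].append(rel)
    return problems


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_files(root: Path, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Text-like files whose bytes look like ciphertext."""
    return [str(p.relative_to(root)) for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in TEXT_LIKE
            and shannon_entropy(p.read_bytes()) >= threshold]


def nightly_backup(source: Path, backup: Path) -> dict:
    """Copy source to backup and record a manifest, unless the source looks encrypted."""
    flagged = suspicious_files(source)
    if flagged:
        # Do not replace the last known good copy with encrypted files.
        return {"copied": False, "flagged": flagged}
    if backup.exists():
        shutil.rmtree(backup)
    shutil.copytree(source, backup)
    return {"copied": True, "flagged": [], "manifest": build_manifest(backup)}


def pseudo_ciphertext(n: int) -> bytes:
    """Constructed stand-in for an encrypted file body: deterministic but uniform-looking."""
    out, block = bytearray(), b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


def demo() -> dict:
    """Constructed scenario: a clean copy, a tampered restore, then a source that looks encrypted."""
    work = Path(tempfile.mkdtemp())
    src, bak, restored = work / "db", work / "backup", work / "restored"
    src.mkdir()
    (src / "patients.sql").write_text("INSERT INTO patients VALUES (1, 'sample record');\n" * 200)
    (src / "notes.csv").write_text("id,note\n1,constructed sample\n" * 200)

    first = nightly_backup(src, bak)            # clean source: copied, manifest recorded
    shutil.copytree(bak, restored)
    clean = verify_restore(first["manifest"], restored)
    (restored / "notes.csv").write_bytes(pseudo_ciphertext(4096))
    tampered = verify_restore(first["manifest"], restored)

    (src / "patients.sql").write_bytes(pseudo_ciphertext(4096))
    second = nightly_backup(src, bak)           # source now looks encrypted: refused
    shutil.rmtree(work)
    return {"first_copied": first["copied"], "clean": clean,
            "tampered": tampered, "second": second}


if __name__ == "__main__":
    print(demo())
```

The refusal step matters because a scheduled copy job run after an infection would otherwise overwrite the only good copy with encrypted files; keeping several dated generations, and keeping them somewhere that is not a mapped share, is the complementary measure the article recommends.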
For those interested in the details of ransomware (but not CryptoLocker per se), Britec has a good explanation of how it works. (N.B. All .sql and .mdb files on his demonstration machine are set to be encrypted.)