Cryptolocker (a form of ransomware) involves computer systems being compromised by a Trojan file that encrypts all of the victim's content.
In a business environment with network shares and user directories, that can involve a substantial amount of data - even more if the user has "Admin" rights. This type of system compromise has become common and we now regularly see evidence of remnant encrypted data on the systems we examine.
One matter we investigated in early 2016 involved the account used by the network-connected printer/scanner/photocopier being compromised through a brute-force RDP attack. The business was compromised for five months before the intrusion was discovered, and only then because the attackers left a parting 'message' by downloading and executing the Cryptolocker executable. As the device had been set up with an Admin account, all network data was encrypted.
The first port of call in this type of attack is to rebuild the systems and restore the data. Unfortunately, in this case we discovered that the backups hadn't been working correctly for three weeks, which meant the loss of three weeks' worth of data that then had to be re-entered manually.
Our engagement on this matter related to identifying when and how the compromise occurred, what data (if any) was accessed and taken from the system, how the business responded to the attack, how the business's IT service provider responded to the attack, and how well the business was prepared to defend against and respond to future attacks.