Crypto Locker and Backup Issues

The new version of Crypto Locker opens a new window of fear on Corporate Data and possible Data Losses. Here a few thoughts about the backup policies.

Today I was reading on Linkedin an article about Crypto Locker virus spreading in the wild last week. We actually faced this kind of viruses few months ago, and luckily the solution was found with a Dr. Web hack (please note, this is not a bad thing) that allowed to decrypt messages.

Things gets worse as this time it appears to be a counter that destroys all the data after 100 hours from infection.

I have not (yet) read the bulletin about the virus itself, but my concern actually falls on the backup policies implemented in organizations. I must admit I am not really a fan of NAS backup solutions as the only backup solution within a company. And this virus exactly is the reason why I am not.

Now assume you got the virus, and the virus opens up all the shares that your computer have as mapped drives or cached in its memory. Or, worse, if it scans for open shares and starts crawling among them. I wouldn't be surprised to find a future version of this virus doing so.

So you have your backup... encrypted by a virus. What's the point of having a backup on an online system? This is, in my opinion, a way to put at risk the entire organization data to a catastrophic Data Loss Scenario.

Tape backups or, possibly, a cloud based backup solutions should really be considered when talking about backups. The misconception that RAID systems and/or mirroring files on an online system are valid backup solutions is roughly put at risk in this scenarios, where live (online) data are still accessible and potentially at risk. Remote backup solutions, like Cloud ones, usually have (or should have) some second or third tier of backup on offline media, i.e. tapes. Whatever bad the virus is, it can't contaminate data that resides on an unloaded tape drive.

*update*

Apparently the CryptoLocker virus finds and encrypts using a mixture of RSA and AES algorithms the following file extensions: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

For the less expert this means: E-Mail files (technically anything from Outlook to Windows Mail), engineering documents (AutoCad), images, certificate files (Digital Certificates and Signatures), Excel, Word, Access files, SQL Server data files, among others. As far as I can see, it's pretty destructive.