The Trinidad Express, a daily paper in the Republic of Trinidad and Tobago, had found itself essentially locked out of its own production system – SCS/Track – unable to pick up electronic print ads from one edition of the paper to the next. Unbeknownst to the paper, it had been infected with a variant of the CryptoLocker virus – a piece of ransomware that encrypts computer files so that they are made inaccessible to their owners until a monetary ransom is paid the virus’ creator.
CryptoLocker emerged as a new online threat in 2013, infecting Windows-based computers by means of email attachments disguised as innocuous files that are actually malware. A recent, high-profile case involved a California hospital that was locked out of its own medical records system for 10 days, until it paid a $17,000 ransom. Due to CryptoLocker’s success at extorting millions of dollars from its victims, a number of copycat schemes followed.
The one that hit The Trinidad Express was known as the .Micro File Virus, so named because the files that it infected were tagged with a .micro file extension, according to Michael Grabowski of SCS, who was tasked with helping rescue the paper from its predicament.
“The reason they couldn’t do pickups is because you would try to do the pickup and [SCS/Track] would show you all the source and destination files, but all the source files had ‘.micro’ extensions,” Grabowski said. “As soon as I saw that, I pretty much knew that it was some variant of a CryptoLocker [virus].” Further investigation revealed that the paper’s shared file directory of current ads “had about 8,000 infected files in there.” These were classified and retail display ads, many of which would have to be rebuilt by the creative services team unless Grabowski and The Express’s IT team could isolate the virus and recover the files. It was either that or the paper would have to pay a ransom and hope the cybercriminal responsible for the virus provided a key to decrypt the infected files.
Halting the Spread; Restoring from Backup
Once he had identified the problem, Grabowski, working with his IT counterparts at the paper, disabled sharing on the directories found to contain infected files, preventing further spread of the virus. Next, they found and isolated the machine where the virus originated, and while the local IT experts “did all the cleaning of it and wiping of it” with anti-virus software and updated virus definitions, Grabowski used a nightly backup to restore files to a state before they became infected. “Certainly there were some files from that day [which didn’t exist when the backup had been performed] that may have been lost – there would be nothing much we could do there – but we got 8,000 files off the backup,” Graboswki said. “I would say for the most part, there might have been a little work they had to do to recover, but it seemed like they had most of their stuff back that they needed at that time.”
Marlon Villarroel, an IT associate at the paper who worked through the crisis with Grabowski, said the virus couldn’t have happened at a more inopportune time – on a Friday, after 5 pm, local time. “Fridays are our busiest time throughout the week, because [we] have to prepare for the weekend publications as well as the publication on Monday morning.” He reported it took only 5-10 minutes to enlist SCS’s support after the paper’s initial plea for help, and “we were able to rectify the problem within two to three hours.” The recovery effort “pushed us back a little bit, but it wasn’t serious or critical,” he said. “We were able to continue work as normal after that.”
“It was good to see [that SCS was] able to respond so quickly,” Villarroel said. “Thank God that we had a backup of these files and Mike was able to restore [them] from the backup.”
Grabowski acknowledged: “It was no ride in the park, but I was pretty happy, given the circumstances, what we were able to recover.”
In addition to the initial recovery, it took about a week, according to Villarroel, to tie up all the loose ends associated with the event, removing “all those residual files that the virus will create” and securing the entire network against re-infection. “Michael was very patient with us, and we appreciate that,” he said.
Grabowski said it helped that The Express had competent IT support on-site to work with him, noting that a lot of smaller papers have outsourced or otherwise lost their in-house technology resources. “Getting in touch with the outsourced people make it very difficult to get anything done, because in an emergency state like this, I need feedback from the site right away,” he said. He noted that it was “concerning” to him that many of the third-party IT companies that newspapers hire for outsourced IT expertise are unqualified, struggling with simple IT tasks. “It’s like major surgery for them.”
“When you’re working with the same person over and over again” – like Marlon or his colleague Sheldon at The Express – “they’re going to get it done,” he said.
For papers with limited IT resources, SCS has shifted to a subscription-based model of providing a broader range of “Managed Services” in support of its suite of advertising solutions and the hardware on which they run.
Grabowski also pointed out that the up-to-date versions of its software – also subscription based now – are less vulnerable to CryptoLocker-style attacks than earlier perpetual-licensed versions that some of its existing customers are still using. Specifically, anyone on Version 2 or less of SCS/Track is more vulnerable to these attacks, and anyone on Version 3 or greater is safe, by virtue of a change in the way files are shared.
“The newest version of SCS/Track has significantly beefed up resilience to malware across all platforms,” said Richard Cichelli, president of SCS. Windows-based servers and Windows workstations, he noted, are more susceptible to malware attacks than, for example, a Linux/Scribus-based system. “We support, but do not recommend, having Windows-based servers being used along with our applications,” he said. “We have had to go to extraordinary means to protect our customers’ data when such platforms are part of their configurations.”
Grabowski said that SCS has had “two other significant instances beside [Trinidad] where this has happened” - both involving Windows-based platforms. SCS’s normal subscription services cover all recovery activity in cases such as these.
Originally published 02/29/2016