Cryptography Viruses

The most common way to know you’ve been impacted with a Cryptography Virus (commonly known as “CryptoLocker”) is a pop-up on your computer screen. It warns you that your data has been encrypted, and informs you that you have a certain amount of time to pay a ransom in exchange for a key to decrypt your files. Once you see this pop-up, the damage has already been done; these viruses are generally programmed to finish running the encryption prior to demanding the ransom. So the question becomes: What should I do?

Check on Backups!

The very first thing that one should do, prior to anything else is to check on the backups. Have backups been running regularly? Are those backups valid and useable? Call your IT service provider and have them check. If they are good and up to date, breathe a sigh of relief—while restoring the data might be time consuming, good backups will make the recovery process possible.

• Isolate the infected computer from the network. You can unmap any network drives or simply unplug the network cable.
• Assess the extent of the damage. What, exactly, was encrypted? Check all areas of your practice management software and look for anything not displaying or not looking correct. Check all regularly used business files including, but not limited to, word documents, spreadsheets, accounting data files (including data files for accounting software like Quickbooks). Any documents that are missing, corrupt, or otherwise not functioning or displaying data as normal should be replaced from the backups.
• Get your vendors involved. Work with your practice management software vendor and IT Company on restoring practice management data from backup files. Once everything that has been corrupted has been restored, the best practice would be to…
• Re-image Computer. The best way to be completely sure every trace of the virus has been removed is to completely wipe and re-install everything on the infected computer. If this is not feasible, do thorough virus scans on the infected computer using multiple different antivirus scanners.

Backups Not Available?

In this case, your options are, unfortunately, very limited.

• Do not attempt to remove the virus just yet. Leave the infected computer as-is.
• Assess the extent of what data has been impacted. If the infection was isolated to a workstation and did not affect any critical patient data or business files, then you can likely just remove the virus or re-image the computer completely—knowing of course that any data that was encrypted at that point is completely unrecoverable! If important data has been impacted, there are unfortunately few chances to get it back. You’ll need to work with your IT Company who could try to recover files.
• Last Resort: Follow the instructions and pay the ransom. This is not to say that paying the ransom is recommended. It is simply the only option in most cases where no backups are available—and unfortunately paying the ransom is no guarantee that the decryption will work. The range is typically from $200-$1000. Again, this is nothing more than a last-ditch option and should only be done if there is no other choice and it is absolutely critical that the data be recovered. Again, it must be stressed that paying the ransom is not a guarantee of data recovery, but it does sometimes work.

The best offense, however, is a good defense, and this is one of the places where defending yourself with good backups is absolutely critical!