Drilling Company Survives a CryptoLocker Attack

By Liz Landry

LEAM Drilling Systems is a directional drilling company based in New Iberia, La., with eight additional offices throughout the United States, and approximately 850 employees. We plan wells and implement directional and horizontal drilling programs. Throughout any assignment, constant communication has to be maintained between our management teams, customers and field supervisors.

Up to 100 remote users log on to the main network at any given time to access company files. Our network currently has 700 gigabytes of data and uses Dell’s PowerConnect switches and  SonicWall NSA firewalls. Given the nature of our business, the necessity of maintaining good communication in the field and the value of the data on our network, downtime is not an option.

For peace of mind, we use a Western Digital Elements 1TB USB 3.0 external hard drive for one-time archival export of the file server image. We also use Dell PowerEdge R710 servers as hosts, Dell PowerVault MD1200 for direct-attached storage, and Microsoft Windows Server 2008 R2 virtual machines running on Microsoft Hyper-V 2008 R2.

Paul Hite, CTO at InfoTech, our managed service provider, warned us about the CryptoLocker ransom Trojan, but it entered our network through a malicious email attachment. Our spam filter initially caught the email, but because the infected message was so well-designed,  one of our users thought it was an important business-related message and released it from the spam filter.

Once CryptoLocker found its way into our network, it started encrypting files. We never saw the red screen that most people see when CryptoLocker hits them. Rather, we noticed odd behavior on the server, such as corrupt files. We used monitoring tools to isolate the infected computer before the virus was able to encrypt all the files on our network.

Fortunately, less than one month before we were hit, InfoTech had installed a new backup, disaster recovery and business continuity solution called Datto Siris on our system.

We also use a Rosewill RX-DU300 USB 3.0 hard-drive dock with Seagate Barracuda 7200rpm 3TB—a combination of a hard-disk-drive dock and a bare bones drive—so we can perform an on-the-spot roundtrip at any time and overnight it to Datto. This reduces our turnaround time in the event we have to reseed for any reason.

Once notified of the attack, Hite shut down our network and file servers and started a virtual backup from a system snapshot. The infection started on a Wednesday just after 5 p.m. We noticed the problem on Thursday morning and spun up the 5 p.m. image, so there was very little data loss. A few files had already been corrupted in that snapshot, but we were able to recover those individually from earlier snapshots.

The Datto appliance was doing hourly snapshots, but if we had been running only nightly backups, the Wednesday night backup would have been toast. We would have had to use Tuesday night’s backup, losing a day of work, and it might have taken us days to get our network back in working order.

When the weekend arrived and the need for immediate access to the data slowed down, the InfoTech team put all the data on an external hard drive, using an archived version stored in Datto’s secure cloud. They went through the entire system and made sure everything was 100 percent backed up.

With a copy of our data in the cloud, our worry about data loss has been relieved. In fact, after the episode with CryptoLocker, we haven’t had any data losses. Plus, we did not have to pay the ransom that’s typically required to restore encrypted files, thereby besting the CryptoLocker authors.

With 700GB of data on the line, what could have been a severe disruption to our business turned out to be a huge success story.

Liz Landry is vice president−administration at LEAM Drilling Systems, which provides directional and horizontal drilling services to the oil and gas industry.