On a recent Monday, an emergency call came in from a company that believed it had been hit with a ransomware attack (CryptoLocker-style file encryption), which encrypted their data and instructed them to pay a ransom in order to get it back. They could not access important company documents, in fact all of their digital files, so they asked whether we could remove the malicious software and restore from backups. If this is why you are here, call us right away at 602.336.3450.
Ransomware is a type of malware that encrypts files on a system’s hard drive or file server and demands a ransom in order for the restriction to be removed. Some variants simply lock the system and display messages intended to coax the user into paying. Initially popular in Russia, ransomware scams have since spread internationally. There were over 1,000,000 incidents of ransomware in 2013! The creators of CryptoLocker, a worm that surfaced in late 2013, accumulated an estimated $3M before they were finally apprehended by authorities.
Hijacked by Ransomware – How?
Ransomware typically propagates as a trojan, entering a system through a downloaded file or a vulnerability in the network. The program then runs and encrypts files on a hard drive or file server. The malware author is the only party that holds the private decryption key. Some ransomware does not use encryption at all; in these cases the program restricts interaction with the system by setting itself as the Windows shell or by modifying the master boot record so that the operating system cannot boot.
Scare tactics and intimidation are the primary means used to extort money. The malware may display notices purportedly issued by law enforcement agencies, which falsely claim that the system has been used for illegal activities or contains illegal content such as pornography or pirated software and media. Some ransomware imitates Windows product activation notices, falsely claiming that the computer’s Windows installation is counterfeit or requires re-activation. After the ransom is paid, the thieves supply a program that decrypts the files or send an unlock code. Payments are made by wire transfer, premium-rate text messages, an online service such as Ukash or Paysafecard, or the digital currency Bitcoin.
Phreedom Can Help with Ransomware Resolution & Prevent Future Attacks
This kind of malware delivers some tough lessons, but we can help you through them with the least amount of pain and develop an IT security roadmap for you or your company to prevent another ransomware attack, as well as similar data security breaches and issues. For a follow-up, contact us here or call 602.336.3450.
Our Experience with CryptoWall Ransomware
To get back to our experience with ransomware: our Service Coordinator, Toni, routed the distraught representative directly to our Level-1 staff, who checked out the company’s network and data. There were no active issues with the environment and all systems were responding. At that point the ticket was routed to a Level-2 technician to begin a preliminary investigation.
97 Hours Until Ransom Doubles: The new client provided access to their systems. We reviewed the systems and user accounts suspected to be involved in the issue. Anti-virus and malware detection found no issues or quarantined items. Further research in the infected folders found a tor_decrypter, which led us to CryptoWall – a type of ransomware that encrypts any files the user can access on their computer or on the network.
• Found the machine PC1234 to be the culprit – ‘install_tor.URL’ on the T drive
• Engaged anti-malware software (MBAM) – found 122 instances of malware on the M drive
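The investigation above found the culprit by spotting indicator files (install_tor.URL, tor_decrypter) on a network share. The script below is an added example, not a Phreedom tool or anything from the original write-up, of how a technician can triage a share for the same two signals: known indicator file names, and folders in which nearly every document was rewritten inside one short window, which is what bulk encryption looks like in file metadata. The sample share it scans is constructed in a temporary directory; the file contents and the folder names are placeholders, not client data.

```python
import os
import tempfile
import time

# Indicator file names from the incident write-up (install_tor.URL and the
# tor_decrypter utility). Matching is case-insensitive on the full name or on
# the name without its extension, so tor_decrypter.exe also matches.
INDICATOR_NAMES = {"install_tor.url", "tor_decrypter"}


def find_indicator_files(root, names=INDICATOR_NAMES):
    """Return every path under root whose file name is a known indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lowered = name.lower()
            if lowered in names or lowered.rsplit(".", 1)[0] in names:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def find_modification_bursts(root, window_seconds=600, min_files=5, min_fraction=0.8):
    """Flag directories in which most files were rewritten inside one short window.

    Bulk encryption touches many files in quick succession; normal day-to-day
    editing spreads modification times out over days or weeks. Returns a dict of
    directory -> number of files inside the densest window.
    """
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        if len(files) < min_files:
            continue
        mtimes = sorted(os.path.getmtime(os.path.join(dirpath, f)) for f in files)
        best, start = 0, 0
        for end in range(len(mtimes)):           # sliding window over sorted mtimes
            while mtimes[end] - mtimes[start] > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best / len(files) >= min_fraction:
            flagged[dirpath] = best
    return flagged


def build_sample_share(base, now=None):
    """Constructed sample share (not real client data): a T drive holding two
    indicator files, a Finance folder whose documents were all rewritten within
    about a minute, and an Archive folder edited at a normal pace."""
    now = now or time.time()
    t_drive = os.path.join(base, "T")
    finance = os.path.join(t_drive, "Finance")
    archive = os.path.join(t_drive, "Archive")
    os.makedirs(finance)
    os.makedirs(archive)
    for name in ("install_tor.URL", "tor_decrypter.exe"):
        with open(os.path.join(t_drive, name), "wb") as f:
            f.write(b"placeholder")
    for i in range(8):                            # rewritten in one burst an hour ago
        path = os.path.join(finance, f"report{i}.docx")
        with open(path, "wb") as f:
            f.write(b"ciphertext-placeholder")
        os.utime(path, (now, now - 3600 + i * 10))
    for i in range(6):                            # edited every few days over weeks
        path = os.path.join(archive, f"ledger{i}.xlsx")
        with open(path, "wb") as f:
            f.write(b"plaintext-placeholder")
        os.utime(path, (now, now - i * 3 * 86400))
    return t_drive


def run_demo():
    """Build the sample share in a temp directory and return what the scan flags,
    as paths relative to the share root."""
    with tempfile.TemporaryDirectory() as tmp:
        share = build_sample_share(tmp)
        hits = [os.path.relpath(h, share) for h in find_indicator_files(share)]
        bursts = {os.path.relpath(d, share): n
                  for d, n in find_modification_bursts(share).items()}
    return hits, bursts


if __name__ == "__main__":
    print(run_demo())
```

Run against a real share, the burst check is the more useful of the two: indicator names change from one ransomware family to the next, but a folder where 80% of the files were rewritten within ten minutes stands out regardless of which family did it, and the timestamps also tell you when the encryption ran, which is exactly the date you need when deciding which backups are still clean.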
Anti-virus/malware software is not a guaranteed method of protecting your business. Company servers can be compromised even through vigilant employees, because the malware runs with whatever access the employee has. For this reason, good security practice starts with “zero access” and grants employees only the access necessary to do their jobs.
85 Hours Until Ransom Doubles: The damage was done. A significant number of documents on the server had been encrypted, so Luke, the technician, escalated to senior engineering staff. We found that the client had backups, but they went back only 3 days. The client had been hit 4 days before the infection was detected, which meant that every backup also contained the encrypted files. Our team decided that, as unpalatable as it was, the most economical course of action was to pay the ransom and obtain the key to decrypt the data.
Be sure to have a backup retention period that meets your business requirements. The standard is 2-4 weeks of backups plus monthly, quarterly and annual archives. Many organizations are subject to industry regulations that dictate minimum retention requirements.
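The two paragraphs above make the point with arithmetic: a 3-day window with a 4-day dwell time leaves no clean restore point, while a 2-4 week window with monthly, quarterly and annual archives does. The code below is an added example (not Phreedom's backup tooling) that implements that grandfather-father-son scheme as a retention selector and replays the incident's timeline with constructed dates: daily backups for a year, infection 4 days before a detection day set to 2014-06-09 purely as a sample value. The function names and the 28-day/12-month/4-quarter/3-year defaults are assumptions chosen to match the "2-4 weeks plus monthly, quarterly and annual" guidance.

```python
from datetime import date, timedelta


def select_retained(backup_dates, today, daily_days=28, monthly_keep=12,
                    quarterly_keep=4, annual_keep=3):
    """Grandfather-father-son retention.

    Keeps every backup from the last daily_days days, the last backup of each of
    the most recent monthly_keep months, of each of the most recent quarterly_keep
    quarters and of each of the most recent annual_keep years. The current,
    partial period counts as one of the periods kept. Returns the set of dates kept.
    """
    backups = sorted(set(backup_dates))
    keep = {d for d in backups if (today - d).days < daily_days}
    last_in_period = {}                     # (kind, period key) -> latest backup in it
    for d in backups:
        last_in_period[("month", (d.year, d.month))] = d
        last_in_period[("quarter", (d.year, (d.month - 1) // 3))] = d
        last_in_period[("year", d.year)] = d
    for kind, limit in (("month", monthly_keep), ("quarter", quarterly_keep),
                        ("year", annual_keep)):
        if limit <= 0:                      # a zero limit disables that tier entirely
            continue
        periods = sorted(key for (k, key) in last_in_period if k == kind)
        for key in periods[-limit:]:
            keep.add(last_in_period[(kind, key)])
    return keep


def latest_clean_backup(retained, infection_date):
    """Most recent retained backup taken strictly before the infection began.
    A backup taken on the infection day itself is treated as suspect. None means
    every surviving backup already contains encrypted files."""
    clean = [d for d in retained if d < infection_date]
    return max(clean) if clean else None


def incident_comparison(detection_day=date(2014, 6, 9), days_undetected=4):
    """Replay the timeline with constructed dates: one backup per day for a year
    ending on detection_day, infection days_undetected days before detection.
    Compares a 3-day retention window with the full GFS scheme."""
    backups = [detection_day - timedelta(days=n) for n in range(366)]
    infection = detection_day - timedelta(days=days_undetected)
    short = select_retained(backups, detection_day, daily_days=3,
                            monthly_keep=0, quarterly_keep=0, annual_keep=0)
    standard = select_retained(backups, detection_day)
    return {
        "three_day_retention": latest_clean_backup(short, infection),
        "gfs_retention": latest_clean_backup(standard, infection),
        "gfs_copies_kept": len(standard),
    }


if __name__ == "__main__":
    print(incident_comparison())
```

With the 3-day window the comparison returns no clean restore point at all, which is the position the client was in; with the GFS scheme the newest clean copy is the one from the day before the infection, and the whole year of history costs only 38 retained copies rather than 366, which is why the longer window is affordable.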
Issue Resolved With 66 Hours To Spare: After we decided that paying the ransom was the best remaining option, we chose Bitcoin. The digital currency can be complicated: Bitcoin service providers have weekly limits similar to currency exchanges, and the hackers behind ransomware know that. Also, the value of bitcoins fluctuates in real time. Nevertheless, Phreedom Technologies is prepared to assist companies under duress, and so the bitcoin transaction was completed on behalf of the new client.
The decryption utilities work, which seems counterintuitive. Why would a hacker provide you with a program to recover your data? The simple answer is that it ensures payment from future victims. If word got out that paying the ransom did not result in getting files back, people would stop paying and the scam would be over. Keep in mind that paying the ransom is a last resort.
Have off-site backups managed by a professional IT service provider that can provide cloud storage for your data and a retention period that matches your needs for long-term storage. The cost of cloud storage gets cheaper every day, and the insurance it provides can be priceless.
After this incident, the new client engaged Phreedom’s technology services to manage and monitor backup jobs to our off-site data center. We included training on the implications of copying data to backup storage and confirmation that backups meet retention requirements (30 days or more).
Phreedom Technologies’ Ransomware Prevention
We handle over 2,000 tickets a month. Most of them are routine, but every so often we run across something like this that is aggressive and stressful for the people involved. We understand the possible escapes and resolutions for ransomware. We can also help your organization prevent another attack or similar data security issues. Call 602.336.3450 or contact us here and we’ll follow up promptly.