Ransom Attack

[flacvabeach]

Last week our business network was hit with a ransomware attack. One of our company officers was looking at resumes for prospective employees and opened an attachment on an email response from a Craigslist ad. The attachment was in.zip format and as soon as it opened she knew something was wrong. Within minutes, critical files on the computer were encrypted and unusable. In addition, files on other computers that were shared on the network were also encrypted. The computer screen was filled with instructions on how to pay a $1000 ransom to buy the decryption software that would return everything to normal. The payment method is in bitcoin through untraceable networks so the jerks at the other end are completely anonymous and untraceable as well.

The ransom attack targets specific file types that such as .doc, .pdf, Excel files and graphics files. Why graphics files? People don’t want to lose family pictures and will pay to get them back.

What do you do? You and your “IT guy” can’t crack the encryption, so you are faced with either paying the ransom or finding a way to live without them… UNLESS you have a backup. Do you? We use Carbonite on our critical data and it may turn out to be a blessing. Immediately after the attack, we found out that the machine in question had not been backing up for the past 45 days! Why? We’re still not sure, but it’s not a total disaster because we want to get back a lot of the old files. We also learned that as soon as you find out you’ve been hit, you need to freeze your backup, otherwise Carbonite starts backing up the encrypted files. Also, immediately power down the infected machine and disconnect it from your local network before powering it back up again.

My biggest fear was losing our Quickbooks files, but to my surprise the attack didn’t include them. But it did get our Excel day reports for the gas station and C-store and it destroyed the data in our car lot’s dealer management system, mostly PDF files. Fortunately that machine had a current backup in Carbonite. Thanks to our backups, I was able to make the decision not to pay the ransom, but I have now spent four days cleaning machines, attempting to take the machine that was attacked back to ground zero, updating files with old backups. I’m not done yet and will spend at least part of tomorrow working with the dealer management system people to get the car lot up and running again.

Monday night and everything is working again if your are willing to accept the loss of some data, and, believe me, I am. I sit here thinking that it could happen again tomorrow and I haven’t really prepared my defense, but I willl be working on that, believe me.

[mspecperformance]

HOLY CRAP! Thanks for sharing, time to back my stuff up!

[mmotley]

Pretty scary story. I know we've probably all heard it, but try to avoid opening anything that looks suspicious. avoid .zip and .exe files that get emailed. One suggestion might be to use gmail to open these resumes going forward. If it's truly a document type file, gmail should be able to handle that in the browser itself. Also, you might try opening them first on your phone if possible. Yea, you could brick your phone, but a new cell phone is cheaper and less of a headache than a new shop computer.

 

*EDIT: I just re-read your post and saw that it was a .zip file. I would immediately hold a meeting or at least send out an email blast to everyone in the company saying to never, ever, under any circumstance, open a .zip or .exe file that you receive in an email from someone you do not absolutely 100% trust. A .zip or .exe from and unknown source is almost guaranteed to be a virus of some sort.

Edited July 27, 2016 by mmotley

[lmcca]

more importantly, training. It would have prevented it.

[Alex]

I always suggest to use an up-to-date internet security suite like Nortons and have browser protection enabled. It should warn you and sniff these things out.

[FROGFINDER]

Remember that the internet is a bad part of town. Be wise as a serpent and harmless as a dove.

[bstewart]

I always suggest to use an up-to-date internet security suite like Nortons and have browser protection enabled. It should warn you and sniff these things out.

 

http://www.cbc.ca/news/technology/antivirus-software-1.3668746

Unfortunately, this is pretty much false in this day and age.

There are a vast number of articles everywhere about security software giving you a false sense of security.

Technology, specifically malware linked to organized crime, changes way too fast for security software to keep up.

While I'm not saying security software is 100% useless, it's definitely outlived most of it's usefulness. (not to mention it's a drain on your wallet for something that doesn't work well)

 

Your best bet is to keep regular backups, keep your operating system, browser and software patched and up-to-date, and USE COMMON SENSE!

Don't EVER open a .zip or .exe file in an email! Don't open any email attachment unless you are expecting them!

Don't get lulled into a false sense of security!

[Marksas]

I have used this training, there are 3 basic classes totally about 1.5 hours. it's inexpensive and very informing. It also allows you to test your people if your emails are all the same domain. They are very helpful and easy to work with. I signed all my staff up as well as techs and family members.

 

https://www.knowbe4.com/