Recently we had a business owner come to us asking for help recovering their files from a ransomware attack.
Just a quick refresher - ransomware is a type of malicious software designed to hold a user's files (such as healthcare records, financial contracts, software code, and other documents) for ransom by encrypting them and demanding the user pay a fee to decrypt them. In 2017 ransomware was the threat that monopolized security discussions and sat at the top of every IT security professional's watch list. Last year headlines were dominated by ransomware attacks from WannaCry and Nyetya. This year attacks are decreasing in volume but increasing in sophistication (Barkly), yet they are still finding their way into the headlines with the SamSam malware infection that crippled the city of Atlanta in April 2018.
This particular organization had a business-critical server accessible on the Internet over Microsoft Remote Desktop Services so that users could reach the machine remotely for a real business need. We believe Remote Desktop Services was the attack vector. When the system was compromised, all files except the critical Windows files needed to actually boot were encrypted, and there was just a note to email the scammer to decrypt the files. There were no backups of this machine, which left no real way to restore the files without the decryption key. With no backups to use for restoration, our team researched and tried all known ways to decrypt the files, without success. Unfortunately, there are a lot of variants of this particular ransomware out there, and a solution for one didn't necessarily work for the rest. With no way to decrypt the files and no backups available, the business was forced to pay the ransom for the decryption key.
The challenges with paying a ransom - outside of moral opposition - include payment options (most scammers prefer bitcoin, which is difficult to buy quickly if you don't already own it), the risk that the scammers do not send a decryption key once payment is received, and the risk that the decryption key does not decrypt all files. In this scenario bitcoin was already available for payment, the hackers sent the decryption key (even though there was no recourse if they didn't), and the key decrypted all files with a few exceptions, enough that the primary application would not launch and required a reinstall, but the database was intact. All things considered, this is a best-case scenario for a ransomware recovery, but this attack could have been prevented by simply implementing two-factor authentication to stop unauthorized users from accessing the server, or by putting the server completely behind the firewall and using a VPN solution to access internal resources.
Two-factor authentication, firewalls and VPN are only a few solutions we recommend to protect your network from ransomware attacks. A few best practices to reduce your risk of falling victim to a ransomware attack are:
Security tools and data backup measures we recommend to help protect your network from a ransomware attack are:
Increased awareness, improved security measures and reliable data backups have all contributed to ransomware's decline, but we still see organizations that don't have the appropriate backups and security measures in place to protect themselves from an attack. If an organization without data backups is breached, the only way to get the data back is to pay the ransom to the attackers. This is why it is critical to back up your data, even if you have the security tools in place to help protect you against a ransomware attack - no one is completely invulnerable. We encourage anyone reading this blog to go and do a quick check of the security systems you have in place and to make sure your data is backed up.
Written By: Eden Reid, LookingPoint Marketing Manager