Ransomware

Hey Gary,

Did you see this thread from a couple of weeks ago on training on phishing attacks? http://forums.techsoup.org/cs/community/f/29/t/41884.aspx

I didn't realize Mitnick had taken his skills and used them for good. Looks like a cool company.

Hi Gary,

Sorry for the slow response.  I don't get around here much anymore.

I've had four ransomware referrals in the last two months. All were the  "Send us $5200 in bitcoins and we'll unencrypt your terabyte of files" variety

Disturbingly, all four networks were pretty well set up.  RAID arrays, redundant servers and storage, multiple backup systems to multiple media, business-grade anti-malware utilities, cloud and local backs, firewall, etc.  All were designed to protect from just about any hardware, software, human or environmental disaster including the hypothetical "office burns to the ground" scenario.

I was able to restore nearly all the data in all four cases but was touch and go a couple times.  I learned that ransomware infections are sufficiently different from other attacks that they need to be addressed separately.

In the case of the biggest network, the redundant drives, servers and attached storage were all for naught because every storage location was encrypted at about the same time.

The cloud backup was also useless.  I don't particularly like cloud backups because it can take days or weeks to repopulate a large drive array.  But it's cheap, polished, and this one included versioning so it's a safe bet, right?   Wrong. Despite the professional-looking weekly reports of how thoroughly everything was backed up, all half million files were corrupted in under 30 minutes.

So you go with an earlier version, right?  Wrong. Attempting to do so produced a message indicating that all previous versions are stored, by the backup utility, on your local hard drive by means of shadow copy.  Well, there was a glitch in the system.  I'm not sure if it was caused by the virus or a generic conflict between the backup utility and Windows shadow copy (the utility's website has a full page of known conflicts,, none of which were visible to the local admin.) but the result was that all previous versions were gone.

As it turned out, the CFO of the organization had a spare workstation at home and would RDP into the server twice a week to download an updated set of data files via good old Robocopy.  He had always wanted to have someone set up a VPN and automate the process but had never gotten around to doing it.  In hindsight, a remote server visible via VPN would very likely have become infected, or at least would have had its data corrupted.  That workstation not only preserved the data, it also provided single-user access to it almost immediately, while I straightened out the servers.

Other stuff:  The AV companies were of little help,  Their software hadn't detected the malicious files or stopped the damage.  I was able to clean out the infections "old school" by using Process Explorer and Autoruns to identify and kill the rogue processes.  I then sent the suspected malware files to the companies for analysis.  It took from two to six days before those companies produced updates that would identify the signatures.

Another problem with AV/security software was that some are very complicated. In some cases, important settings are very difficult to find.  One proudly shows some ransomware settings, but then has additional ransomware settings in a different location, many menus and drop downs away. And although central settings prevented users from uninstalling the software, they are still able to disable important add-ins for the browser or e-mail client. Every single setting must be checked.

On the human side, I have noticed that management and staff are far more rattled than they are in connection with other IT emergencies. Uncertainty about point of entry, exact nature and extent of damage , whether or not the computers are truly disinfected, etc., causes some bizarre behaviors.  One person franticly said they should start backing up to the cloud, even though I had just explained that his cloud backup had failed.  Another was convinced that all of his data was lost forever even though I calmly assured him that the hard drive I was holding in my hand had a complete and undamaged set up files. During the restoration process, management will make all sorts of promises about getting better stuff, putting more restrictions on users (There's little need to be shopping for shoes on Russian websites) and overall improving security. Within 30 days, they will have forgotten all those plans and will be right back where they started.  And that's not an idle claim. Today I'm at an office restoring servers that I restored from a different ransomware infection about five weeks ago. Oh well.

The standard configurations for my regular clients, in addition to bullet-proof backups, are now going to put more emphasis on what I can do to make  an organization's data accessible (with applications) ASAP even if it's only accessible to one person at a time.  That relieves a lot of stress and gets people off my back so that I can do what I need to do. :)

-ENO 

I would love to be able to refer nonprofits to a tip sheet on how (and why) to protect your nonprofit's data from ransomware. I know some churches have been hit here in the PDX area in the last few years, and I think they paid. My husband's company, not a nonprofit, got hit, but had the proper backups and was able to restore. 

Hi Jayne, our non-profit uses a company called knowbe4 to train our users in avoiding phishing attempts. It has made our users vigilant in not just clicking on anything that hits their inbox. The cost is minimal and it offers insurance in case your company gets ransomware.

www.knowbe4.com

Hope this helps.

Gary