27 Sep A day in the life of a business ransomware victim
Ransomware is a nightmare come to life.
It is bad enough to come to the realisation that your system has been penetrated, but the second blow in this terrifying one-two punch comes when you are suddenly locked out of certain files.
Some victims of hacking, phishing and ransomware compare the experience to being assaulted, because of the sense that their privacy has been violated. But unlike many other types of cybercrime, victims of ransomware do not realise that their systems have been compromised until they try to open files that have inexplicably been encrypted. The following is an account of how the day of a business ransomware victim usually unfolds.
As employees and management file in for the day and fire up their desktops, laptops and office devices, they will undoubtedly engage in the usual small talk with their neighbours in the adjacent cubicles and offices.
They may even check their phone calls and get the day's work organised. After their bout of socialisation and organisation they are ready to get underway. They log in in the typical fashion, just as they have done every day since they started working for the company. They open the usual applications and folders as they have done countless times before. Browser. Email client. Folder A. Folder B. A list of schedules. Nothing out of the ordinary. That is, until they try to open an individual file and find it locked or encrypted. Baffled by this, the employee tries to open the file several times and even restarts their system (just in case). At their wits' end, they engage their friendly neighbourhood IT department. Unbeknownst to them, they were not the first person to encounter this problem today, and they won't be the last.
By lunchtime, the IT department is beneath a mountain of unresolved tickets. The overwhelming majority of them say that the employee is not able to access one file or another. Is there something wrong with the network? The network is fully operational and working at optimum capacity. Is the file, folder, drive or server corrupt? No, they are all fine and dandy. What about viruses? Workstation anti-virus programs have not been triggered, and this has been triple-checked according to security protocols. Intrigued by this, IT managers and technicians begin to look at the bigger picture and note that the files are not merely locked but have been encrypted. On closer inspection, they find that cryptolocker warnings have been issued.
Later that afternoon, under pressure from management and employees alike, the IT team is frantically trying to come up with a resolution and somehow decrypt the files. And that's when it happens. A popup window appears on the screen of every device that tried to access the encrypted files. The message states that if a sum of money (mostly in the form of Bitcoins) is not deposited into an online account within a certain amount of time, the files (usually confidential or private in nature) will be either deleted or released to the public.
The business can now officially label this situation a ransomware attack. To make matters worse, the fraudsters have started a countdown timer, and presumably when it reaches zero, action will be taken on the locked files.
Now that they know it is a ransomware attack, the folks over at the IT department have something to go on. Knowing that ransomware targets the live, current copy of the data, the technicians try to restore an older version of it. For most SMBs (small and medium-sized businesses), backups are done by plugging in an external device such as a hard drive or USB drive. The process is actually pretty simple, and all it needs is for the device to be plugged in. However, it can be the case that the drive has not been unplugged from the desktop or server for quite some time. It is uncertain how long the cryptovirus has been lying dormant in the system. Did it infect the system before or after the last recorded backup? What if the virus has already spread to the contents of the drive itself? Are you willing to take the risk to find out?
EOD, end of (business) day, and the files still cannot be accessed. IT is still frantically searching for a backup that is guaranteed not to contain the cryptolocker virus, but is unsure how far back the infection goes. They try to determine whether a copy of the backup has been uploaded to any online storage service. Cloud file-syncing services like Dropbox, Box and Google Drive can serve as relatively safe repositories for system backups. However, if a backup containing the cryptovirus was uploaded to the cloud, that only widens the range of potential infection, as the cryptovirus can now be spread across multiple devices.
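An added example (not code from the original post) of the check the IT team needs at this point: before restoring anything, scan each backup snapshot for files that have been turned into ciphertext and pick the newest snapshot that is still clean. The snapshot dates, file names and contents are constructed; the entropy threshold of 7.5 bits per byte is an assumption.

```python
import math
from collections import Counter

# Real magic bytes for a few common formats; a file whose header no longer
# matches its extension has been overwritten with something else.
EXPECTED_MAGIC = {".xlsx": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".pdf": b"%PDF"}
ENTROPY_THRESHOLD = 7.5  # assumed cut-off; ciphertext sits close to 8.0 bits/byte

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; near 8.0 means random-looking bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(name: str, data: bytes) -> bool:
    """Flag a file when its bytes are near-maximally random AND its header does
    not match what the extension promises. Office files are zip-based and dense,
    so the header check keeps intact .xlsx/.docx files from being false positives."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    magic = EXPECTED_MAGIC.get(ext)
    header_mismatch = magic is None or not data.startswith(magic)
    return header_mismatch and shannon_entropy(data) >= ENTROPY_THRESHOLD

def scan_snapshots(snapshots: dict) -> dict:
    """snapshots: {iso_date: {filename: bytes}}. Returns {iso_date: [suspect files]}."""
    return {date: [f for f, d in files.items() if looks_encrypted(f, d)]
            for date, files in snapshots.items()}

def newest_clean_snapshot(snapshots: dict):
    """Newest snapshot (by ISO date) with no suspect files, or None if every one is tainted."""
    report = scan_snapshots(snapshots)
    for date in sorted(report, reverse=True):
        if not report[date]:
            return date
    return None

# Constructed sample data. The ciphertext stand-in is a flat byte histogram
# (every value 0..255 appears 16 times), so its entropy is exactly 8.0.
CIPHERTEXT_STANDIN = bytes((i * 7919 + 13) % 256 for i in range(4096))
PLAIN_SHEET = b"PK\x03\x04" + b"Q3 forecast: revenue 1200, cost 900\n" * 100
PLAIN_NOTE = b"Meeting notes: renew the off-site backup contract.\n" * 60
SNAPSHOTS = {
    "2017-09-22": {"q3-forecast.xlsx": PLAIN_SHEET, "notes.txt": PLAIN_NOTE},
    "2017-09-25": {"q3-forecast.xlsx": PLAIN_SHEET, "notes.txt": CIPHERTEXT_STANDIN},
    "2017-09-26": {"q3-forecast.xlsx": CIPHERTEXT_STANDIN, "notes.txt": CIPHERTEXT_STANDIN},
}

if __name__ == "__main__":
    for date, suspects in sorted(scan_snapshots(SNAPSHOTS).items()):
        print(date, "suspect files:", suspects or "none")
    print("restore from:", newest_clean_snapshot(SNAPSHOTS))
```

On a real backup set the same two signals apply per file, and a snapshot that fails them is the one the restore must skip.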
The clock is literally ticking, and the entire IT team, including the C-suite executives, are feeling the heat. No company ever wants to issue a statement saying not only that its systems have been compromised but also that it has been locked out of critical files or data. Imagine the damage to its reputation, the media backlash, the loss of trust its clients would feel. That does not even include the loss of future revenue, and you can rest assured that these concerns and many more are running through the minds of the CEO, CFO and the entire IT management team.
With the clock running down, the options have to be laid out on the table: pay the money and hope that the criminals honour their end of the deal, or don't pay the money and risk losing valuable data. It seems like a lose-lose situation no matter how you cut it, and it has never been an easy decision for the businesses that have been subject to this crime. As with many scenarios, preventing the crime before it can ever take place is likely the best solution.
Ransomware exploits the fact that many businesses simply do not back up their systems, drives and data. Many businesses "keep all their eggs in one basket", as the saying goes, and never move files beyond the drive they currently use.
Then there are just poor security measures (if any at all). To ensure that your business is a poor target for ransomware attackers, you should add filtering policies to both email and web. Doing so helps block the initial penetration of your system, since phishing emails and malicious downloads are the usual way in.
The best anti-virus you can afford is never a bad investment, as anti-virus programs usually update themselves so that the list of recognised threats is always growing. If nothing else, back up your data. Using an online backup service that holds at least 30 days of retention should be at the top of your priority list. Make sure that employees (even those in the C-suite) are educated about the latest threats in the industry and their attack vectors.
If this sounds like too much for you, your team or even your business to handle, there are IT support companies in London that can bring your SMB the support, security and peace of mind that you need. These are seasoned professionals with years of experience who have their thumb on the pulse of the latest developments in technology and in threats like phishing and ransomware. Let them do the heavy lifting (identifying weaknesses in your security, implementing new security measures and maintaining them), while you do what you do best: run and grow your business. Your focus should be on servicing and growing your client base, not on running wires, installing patches and preventing attacks.