Ransomware Tales and How To Protect Your Business
In the world of IT support, there is one thing that will send shivers down the spine of even the most experienced and knowledgeable IT support technicians: Ransomware. I have never had a customer get ransomware and have it stay a good day.
A CLIENT GETS CRYPTOWALL
Let me relate a personal experience I recently had: I get a call early one morning from a law firm we supported. Their case management software is saying that the database cannot be found. I log in remotely to their server and check it out. Sure enough, I can’t reach the database even as the administrator, so I dig deeper. As I look in the folder that contains the database to check permissions I run across the dreaded Cryptowall Read This file. The database file has been encrypted. To make matters worse, this particular client had canceled their off-site backups contract thinking it was too expensive for something they never use. I hurry and check shadow copies hoping to find it there, but I am too late. Shadow copies have been deleted by the ransomware virus. For all intents and purposes, my client’s data is gone. And there is only one way to get it back: Pay the ransom.
This is where a seemingly good day turned bad, and well, weird. As I read the ransomware instructions it seems simple enough: Get $700 worth of bitcoins and send it to a specific account number, and once the money is received they will send me the decryption program and key. Turns out, getting bitcoins is not that simple. At least at the time, I signed up for and set up about 5 different online bitcoin exchange accounts only to find out that they only allowed a few bitcoins to be purchased per day ($150-$250 worth). I could not spend 3 or 4 days buying enough bitcoins and leave my client dead in the water for that entire time. Next, I found a listing of local bitcoin dealers. I contacted several and finally heard back from one named Kevin. I spoke to Kevin and we agreed to meet at a local Starbucks. I would bring an envelope of cash, and he would transfer the bitcoins to me. Nothing invokes images of back alley deals gone wrong like meeting a complete and total stranger with an envelope full of cash.
I would bring an envelope of cash, and he would transfer the bitcoins to me. Nothing invokes images of back alley deals gone wrong like meeting a complete and total stranger with an envelope full of cash.
To make matters even more interesting, Bitcoins are an extremely volatile currency. I read online that you should purchase more Bitcoins than you need because the value may change before you are able to make the payment. Luckily I heeded this advice. I needed $700 worth of bitcoins, but I purchased $800 from Kevin. Good thing, because it took a couple hours for Kevin’s transfer of Bitcoins to become available for my use, and by the time I made the payment my $800 worth of Bitcoins was only worth $738. I made the $700 ransom payment in full, and then I waited. And waited, and waited. Some 6.5 hours later, and after a lot of worries that the “honest” hackers who developed the ransomware were taking my money and leaving my client’s data encrypted, I finally got the decryption program. It took a while to run, but I was able to decrypt all my client’s files and get them back up and running.
THE COST OF DATA LOSS
Now, let’s recap in business terms. It took me over 2 hours to get a hold of a local Bitcoin dealer, then he couldn’t meet me until later in the afternoon. By the time I meet him, he transfers the bitcoins to me, and they become available for me to use the business day is over. After that, it takes another 6.5 hours for the payment to be accepted and the decryption program to be released by the ransomware hackers. All told, best case scenario the client lost a day. In some cases, it could easily be more. This particular law firm has over 10 lawyers and countless paralegals. They bill anywhere from $500-$2,000 per hour. According to their office manager, that one day cost them between $50,000 and $100,000.
RANSOMWARE IS GETTING TOO SOPHISTICATED
One last story, and then my main point. Some of my customers have expressed to me that they are very computer savvy. They would not open viruses or ransomware such as Cryptowall. While I agree in principle that understanding the common pitfalls and being computer savvy can help you avoid getting viruses, it is not enough. Viruses, Malware, ransomware, and the computer nerds who make them are becoming more and more sophisticated, and some are backed by organized crime from the more nefarious parts of the world. I had another client get a variant of ransomware, and the way they got it sent shivers down my spine. This client had put up job postings on Craigslist, Jobing.com and more. In response to these postings, this client got an email entitled “My Resume”. Inside the email, it addressed my client by name and said something to the effect of “I am very interested in your job posting. Please review my attached resume.” It was signed by a normal sounding name and came from a fairly normal looking Gmail account. Attached was a Word document titled “resume.docx”. That word document contained a macro that installed the ransomware the second it was opened. Even with all my knowledge and experience in the IT industry and cleaning viruses for a living, I am not sure that I would have spotted that email and not opened the attached document. The perpetrators of the ransomware had data mined the job posting and pulled out the owner’s name and addressed the email to him. They offered a fairly common response to the job posting and offered a copy of their resume for review. Very effective and very scary for businesses everywhere.
TWO IMPORTANT QUESTIONS
As fun as it is to tell the story of meeting strangers at Starbucks to exchange envelopes of cash like an old detective movie, or to tell scary stories of the sophisticated lengths these new viruses and their perpetrators are going to, the reality of the situation is that it means the days of not having thorough and robust data backups and disaster recovery plans in place for your business are over. Every business owner today should be asking themselves two important questions:
How long could my company survive without access to any of our computer data?
How quickly could I recover all my data and be back up and running if a disaster were to strike?
In the case of my client above, one day of downtime cost them tens of thousands of dollars in billable work. They also had to pay me to fix the issue. Finally, it cost them their good reputation with clients that were expecting work to be done that day. All those issues can be overcome, but is it worth it? Furthermore, this particular company had the means to weather the problem. Not all companies would. For instance, what would happen to an accounting firm who got such a virus on April 13th? Finally, it is important for businesses to realize that it is not a question of IF they will get a virus, but WHEN will they get it and plan accordingly.
4 EASY STEPS TO PROTECT YOURSELF FROM RANSOMWARE
Here are four easy steps you can take to protect your company from today’s sophisticated viruses, malware, and ransomware.
Have a current anti-virus subscription. Get away from “free” versions that are not as comprehensive or good at protecting your computers and servers.
Have a minimum of one month’s worth of daily backups. Sometimes clients do not catch viruses right away, and we have to go back a week or more to restore their data.
There should be a copy of these backups on some type of hard drive or storage device on-site. Local copies take a lot less time to restore from because there is no downloading involved. This is key to reducing downtime to a minimum.
There should also be a copy of your backups off-site. Many of the newer and more sophisticated viruses, malware and ransomware are beginning to be designed to search for and destroy backups. It is important as a fail-safe to have a copy stored safely off-site.
These 4 steps are not the only things you can do to protect yourself from viruses and ransomware, but they are the bare minimum. Anything less is asking for major trouble.