
Ransomware goes mainstream: A cautionary tale

JBS, Colonial Pipeline, Fujifilm, the City of Baltimore, Ireland's Health Service Executive and, according to an eSentire report, 290 other companies have been hit by ransomware attacks in 2021. At least as of June 10th, the day this article was published.

It’s not too surprising that companies mostly try to deny they paid a ransom, but what is kind of interesting is that many deny they were victims of a ransomware attack at all.

I guess this is the old “never let ‘em see you sweat” approach?

The fact is, this denial gives business leaders a false sense of security: it makes some executives believe it can’t happen to them.

I guarantee that it can happen to you.

Here’s a little story to drive home that every company, small to large, is open to attack…

A close friend (I’ll call him Larry to protect his identity) owns a fabrication company. He uses computers for general corporate work and CAD drawings. He has a local server and detests the cloud, as he feels it means that others will have access to his data.

The local server is about ten years old, maybe more, and is running an outdated version of Windows Server. His firewall is about ten years old as well, and his workstations run free antivirus software.

IT support is outsourced to a service provider. All in all, pretty much a typical micro business.

One day, he gets an email from a supplier company he does business with. The email says it’s an invoice and has an attachment (a PDF, I believe).

He’s suspicious, but it’s coming from a supplier and he’s received invoices this way for a long time. He opens the attachment; it says there was an error opening the file, and as you can guess, this is where the fun begins.

Not too long afterwards, Larry sees all of his desktop icons are now blank and a message is displayed saying that all his files are encrypted (but safe!).

He asks his assistant, and she has the same thing happening. Checks the server and yup, everything is encrypted.

He’s officially a victim of ransomware.

Was it a targeted attack? Read on…

Larry says “I’ll beat this guy! I’ll just restore the data from the backups!” Oops, the backups are stored on the ten-year-old server because the cloud can’t be trusted.

Yep, the latest backups are encrypted as well.

He remembers he did a backup a couple of months ago onto a USB key. It’s not ideal, but at least it’s something. Too bad the USB key has failed and he can’t access anything on it.

The bottom line: he’s screwed (excuse the pay TV language).

Before we get to the attacker’s demand, you’ve got to appreciate that Larry’s company is very tiny.

Like five-people small. Two of them use computers; the rest are a couple of welders and a driver.

Do you really believe the ransomware group targeted such a small company?

Nope. They compromised a partner company and then sent copies of the malware to everyone in their email system.

Should this partner have sent out alerts? I would have, but others take the old “never let them see you sweat” approach, I suppose.

Back to the attacker’s demand.

Larry tells me he’s open to paying upwards of $1500 just to make the problem go away as soon as possible. Although he could just start from scratch, as he uses his PC mostly for CAD designs, the urgency comes from the fact that he has to file an annual tax return in two days or face penalties in excess of $1500 (he confirmed this by calling the tax department and was told “Not my problem. Pay on time or pay penalties”). He reaches out to the attacker via the email address they so kindly supplied in their notice.

The demand comes back. $50,000. Now Larry is freaking out.

He starts reaching out to everyone he knows. Some tell him to pay the ransom, others say don’t pay as the attacker will just take the money and run.

He decides he’ll negotiate. He offers $2500. The attacker counters with a lower demand of $25,000.

Interesting…they’re open to negotiation.

Larry counters with $7500. The attacker comes back and says no more games. $7500 is the lowest if he pays today, $10,000 if more than a twelve-hour delay.

Larry pleads with the attacker. He tells the attacker that they have to understand they are a small Canadian company, Covid has hit them pretty hard and they honestly can’t afford to meet their demand. He hits ‘send’ and waits for a response.

The response comes in. It’s a single line of a bunch of characters and an attachment.

He calls me and tells me what just happened.

Of course, being a fairly paranoid person, I immediately think it’s a trap.

He opens the attachment and it contains step-by-step directions of how to use the key to decrypt all of his data.

WHAT?!?! What the heck is going on here?!

He gives the attacker a sob story and the cost of the decryption drops from $50,000 to $0?

I tell you, this guy has an angel on his shoulder…Or does he?

He follows the steps and the decryption fails. Too good to be true I suppose.

He reaches out to the attacker to say the key didn’t work. The attacker says “oh, my bad…here’s the right key. Reach out if you need any further assistance!”.

This guy has pivoted from being an attacker to the friendly help desk technician who is working for free! Larry uses the new key and bingo! Everything starts decrypting. The only loss was a server hard drive. The IT company he was using told him it probably failed during the encryption process.

Aside from that drive, there was zero loss of data.

After recovery, I pointed out cloud storage options to Larry.

I tell him that if you store your data in the cloud, even just backups, many providers offer “versioning”, which would likely stop this from ever happening again: if a file is modified (e.g. encrypted by ransomware), a new version of the file is created and the earlier version is retained.

Rolling back the encrypted files is then trivial. It can be as simple as ticking a checkbox to restore the previous version.

A no-brainer, right?!
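To make the versioning idea concrete, here is an added example (mine, not code from the original post, and not any particular provider’s API) that models a versioned store the way the paragraph above describes it: every overwrite appends a version, a delete only adds a marker, and a point-in-time restore reconstructs the view from just before the attack. The store, the file names and the XOR “encryption” are constructed stand-ins so the example runs offline.

```python
"""Point-in-time recovery from a versioned store after a ransomware overwrite.

Added illustration, not code from the original post. It models what the
post says about cloud storage "versioning": every write appends a new
version and older versions stay retrievable, so the pre-attack state can
be reconstructed. The store is an in-memory stand-in for a real bucket
(assumption: the real service keeps noncurrent versions until a retention
rule expires them), and the "ransomware" is a trivial XOR so the example
runs offline; neither is real infrastructure or real cryptography.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Version:
    written_at: int        # logical clock; stands in for a real timestamp
    data: Optional[bytes]  # None is a delete marker, like S3's


@dataclass
class VersionedStore:
    clock: int = 0
    objects: Dict[str, List[Version]] = field(default_factory=dict)

    def _tick(self) -> int:
        self.clock += 1
        return self.clock

    def put(self, key: str, data: bytes) -> None:
        """Overwriting never destroys the previous version; it appends one."""
        self.objects.setdefault(key, []).append(Version(self._tick(), data))

    def delete(self, key: str) -> None:
        """A delete only appends a marker; earlier data stays recoverable."""
        self.objects.setdefault(key, []).append(Version(self._tick(), None))

    def get(self, key: str) -> Optional[bytes]:
        """Current view: newest version, or None if that is a delete marker."""
        versions = self.objects.get(key)
        return versions[-1].data if versions else None

    def as_of(self, t: int) -> Dict[str, bytes]:
        """Reconstruct every live object as it looked at logical time t."""
        snapshot: Dict[str, bytes] = {}
        for key, versions in self.objects.items():
            past = [v for v in versions if v.written_at <= t]
            if past and past[-1].data is not None:
                snapshot[key] = past[-1].data
        return snapshot

    def restore_to(self, t: int) -> int:
        """Roll the current view back to time t by writing forward (no history is
        lost, so a bad rollback can itself be rolled back). Returns keys restored."""
        snapshot = self.as_of(t)
        for key, data in snapshot.items():
            if self.get(key) != data:
                self.put(key, data)
        for key in list(self.objects):          # objects created after t, e.g. ransom notes
            if key not in snapshot and self.get(key) is not None:
                self.delete(key)
        return len(snapshot)


def toy_encrypt(data: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for the attacker's cipher. NOT cryptography; it only changes bytes."""
    return bytes(b ^ key for b in data)


def simulate_attack_and_recover() -> Tuple[bool, bool, bool, int]:
    """Returns (files were damaged, files recovered intact, ransom note gone, keys restored)."""
    store = VersionedStore()
    originals = {                                   # constructed sample documents
        "cad/bracket.dwg": b"constructed sample CAD drawing",
        "finance/tax-return-2020.xlsx": b"constructed sample spreadsheet",
    }
    for key, data in originals.items():
        store.put(key, data)
    last_good = store.clock                          # the moment before the attack

    for key in originals:                           # ransomware rewrites every file in place
        store.put(key, toy_encrypt(store.get(key)))
    store.put("README_DECRYPT.txt", b"all your files are encrypted (but safe!)")

    damaged = all(store.get(k) != v for k, v in originals.items())
    restored = store.restore_to(last_good)
    recovered = all(store.get(k) == v for k, v in originals.items())
    note_gone = store.get("README_DECRYPT.txt") is None
    return damaged, recovered, note_gone, restored


if __name__ == "__main__":
    print(simulate_attack_and_recover())   # (True, True, True, 2)
```

Two caveats the simulation makes visible. `restore_to` works by writing forward, so the history it relies on has to still exist: if the provider’s lifecycle rule expires noncurrent versions after, say, 30 days, the attack has to be noticed inside that window, and if the same credentials the sync client uses can also purge versions, the attacker can take the history with them (features such as S3 Object Lock and MFA Delete exist to prevent exactly that). Note also that what sank Larry was not “local” versus “cloud” as such, but that his only backups lived on a host the ransomware could overwrite in place; any copy the compromised machines cannot modify, whether versioned cloud storage or a rotated offline drive, fixes that.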

Which cloud storage service did Larry choose?

None. He still doesn’t trust the Cloud.

I just shook my head and told him that hopefully the next attacker is as nice as the first one.

The worst plan for a ransomware attack is no plan at all

Here are some key takeaways from this story, which I hope will motivate you to keep from being the protagonist in your own cautionary tale.

Ransomware is not always targeted. Whether your team has five or fifty thousand employees, you’re fair game.

Also, you likely hear about only 1% of the actual number of attacks.

Not having functional, offline backups is pretty much asking for a disaster to occur. Data security includes backing up your data.

Even if you have the backups, restoring everything takes time. Data recoveries need to be planned ahead of time, and rehearsed, to minimize lost productivity and business.
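As an added example for the two takeaways above (mine, not code from the original post), the following Python restore drill backs up constructed sample data to a separate “media” directory together with a SHA-256 manifest, then restores it into a scratch directory, verifies every file, and reports how long the restore took. The directory and file names are constructed; the `media` directory stands in for an offline or immutable copy that the production host cannot overwrite.

```python
"""Backup restore drill: prove the backup restores, and time it.

Added illustration, not code from the original post. A backup job writes a
tar archive plus a JSON manifest (SHA-256 of the archive and of each file)
to separate "media"; the drill re-hashes the archive, restores it into a
scratch directory and checks every file against the manifest. All paths are
constructed temp directories; assumption: real media is offline or immutable.
"""
import hashlib
import json
import tarfile
import tempfile
import time
import zlib
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def make_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Archive every file under `source`; return {relative path: sha256}."""
    files: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                files[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    # Hash the finished archive too, so the drill can tell "media went bad"
    # apart from "the backup never contained that file".
    manifest_path(archive).write_text(
        json.dumps({"archive": sha256_file(archive), "files": files}))
    return files


@dataclass
class DrillResult:
    ok: bool
    files_checked: int
    seconds: float
    problems: List[str]


def restore_drill(archive: Path, target: Path) -> DrillResult:
    """Restore `archive` into `target` and verify it; any failure fails the drill."""
    start = time.monotonic()
    manifest = json.loads(manifest_path(archive).read_text())
    if sha256_file(archive) != manifest["archive"]:
        return DrillResult(False, 0, time.monotonic() - start, ["archive checksum mismatch"])
    root = target.resolve()
    try:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                # raises ValueError for an entry that would escape the restore directory
                (root / member.name).resolve().relative_to(root)
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(target, **extra)
    except (tarfile.TarError, OSError, EOFError, ValueError, zlib.error) as exc:
        return DrillResult(False, 0, time.monotonic() - start, [f"extraction failed: {exc}"])
    problems = []
    for rel, digest in manifest["files"].items():
        restored = target / rel
        if not restored.is_file():
            problems.append(f"missing after restore: {rel}")
        elif sha256_file(restored) != digest:
            problems.append(f"content mismatch: {rel}")
    return DrillResult(not problems, len(manifest["files"]), time.monotonic() - start, problems)


def run_drill(tamper_media: bool = False) -> DrillResult:
    """Back up constructed sample data, optionally corrupt the archive (think of
    Larry's dead USB key), then run the restore drill against it."""
    with tempfile.TemporaryDirectory() as tmp:
        live, media, scratch = Path(tmp, "live"), Path(tmp, "media"), Path(tmp, "restore-test")
        for d in (live / "cad", media, scratch):
            d.mkdir(parents=True)
        # constructed stand-ins for the CAD drawings and the tax spreadsheet
        (live / "cad" / "bracket.dwg").write_bytes(b"constructed CAD data\n" * 200)
        (live / "tax-return-2020.xlsx").write_bytes(b"constructed spreadsheet\n" * 50)
        archive = media / "fab-backup.tar.gz"
        make_backup(live, archive)
        if tamper_media:
            data = bytearray(archive.read_bytes())
            data[len(data) // 2] ^= 0xFF        # silent corruption in the middle of the archive
            archive.write_bytes(bytes(data))
        return restore_drill(archive, scratch)
```

Run `run_drill()` (or `restore_drill` against the real archive path) on a schedule and alarm on `ok == False`; the `seconds` figure is the number that tells you whether a restore fits in the window you actually have (Larry’s was two days to a tax deadline). The archive-level hash catches the failure mode in the story, media that silently went bad, before you have a half-restored directory to untangle; the per-file hashes catch a backup job that skipped or truncated files.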

Don’t let fear of the Cloud keep you from adopting it. Cloud storage can help small companies immensely in recovering from a ransomware attack, saving time and costs.

Lastly, if you are a victim of a ransomware attack, feel free to reach out to me for Larry’s phone number so he can negotiate on your behalf.


Graham Thompson is an Information Security professional with over 25 years of enterprise experience across engineering, architecture, assessment and training disciplines. He is the founder and CEO of Intrinsec Security, a leading training company that is solely focused on delivering leading authorized IT security training from partners such as the Cloud Security Alliance, ISC2, ISACA, EC-Council and CompTIA.
