~ Or: How to mitigate the impact of having all your data locked up by nefarious people
A little over a year ago now, the server at my primary place of work was completely locked down by a ransomware attack. The attack was swift. Upon infiltrating the system, it only took them roughly 16 minutes to run a script that encrypted over 160,000 server files. Everything.
As a result of that event, I feel a strong responsibility to be a cautionary tale for anyone else who will listen. So this week covers a variety of things: everything from history to current events to the specifics of my experience.
I generally like to keep things lighthearted here in the blah(g). This week is not going to be that.
The reason I’m writing this entry is as both a suggestion and a warning. Ransomware attacks are only going to get more sophisticated and frequent as technology gets better and security gets more lax. Many folks reading this are likely running solo businesses as entrepreneurs. They don’t have IT departments. They ARE the IT department. I’ve been a full-on computer nerd my entire life and I often don’t think about this stuff as much as I should. I’m guessing there are many of us who may not be aware of the risks. Or mitigation measures.
So! My job today is to provide information to more effectively protect you the reader against this kind of nonsense. Because bathrooms are supposed to be for relief, not sitting fetal on the floor.
History of Ransomware
The first currently acknowledged and documented ransomware-style attack goes back to 1989. Floppy disks (remember those?) were mailed to attendees of the World Health Organization AIDS conference in Stockholm of that year. The disk purported to be a questionnaire to help determine the risks of contracting AIDS, a very hot topic of concern at the time. 20,000 floppy disks were distributed to 90 nations in total.
Users of the floppy disk discovered that instead of a questionnaire, they had installed a virus on their machines. The virus locked them out, displaying a note saying they needed to send $189 for single recovery or $378 for lifetime support to PC CYBORG SUPPORT at a PO Box in Panama, and requiring that funds be sent by bankers draft, cashiers check, or international money order. The criminal was eventually apprehended but the cat was out of the bag. The idea of successfully holding a computer hostage for money was born.
Really, it’s that simple. Someone found a way to infiltrate computers and lock users out until receiving money.
Now that we know the origin, let’s look at the evolution.
Why is Ransomware So Appealing To Criminals?
The answer to this question is probably the easiest. Ransomware attacks are appealing because the tools are easy to get and free to use. They lean on using automated scripts so that you can hack while you sleep. If you hook a big fish company somewhere and they pay up, the amount of money acquired is enough to survive on for hundreds of years. Some of the people initiating this are in poor countries and a million dollar ransom paid by a power company will mean a life of unparalleled comfort and luxury.
In a sense, it’s about survival. It’s a job. And it just happens to come with a bounty so high that not even The Mandalorian could pass on giving up The Asset for it.
Because that end goal involves so much money, the motivation is extraordinarily high to succeed. Much higher than the motivation of an overworked IT person who has done nine 18-hour days in a row trying to keep angry people happy and failing because people are unreasonable. There’s a motivation imbalance and it’s just plain too easy.
Ransomware as it Currently Exists
The internet as it exists today is a vast, wide open frontier for so much amazing opportunity. Businesses thrive. Information sharing bustles. The idea of content is real. Entertainment streaming is king. Memes propagate.
Worldwide connections. Like a warehouse full of people with open arms, ready to embrace a new stranger every second. And in order to ensure that embrace, it is as easy as possible to accomplish without restriction.
This is how ransomware thrives unabated. Unimpeded. Unfettered. Other words that start with ‘un’ to mean without effective restriction of any kind. Here is the current skinny.
Current trends
Ransomware relies on several things to be possible. Among them are lax security, wickedly crafty email, even telephone calls. These are things that allow for infiltration to be as easy as a hot knife running through butter. Butter on toast. Or an English muffin. Because really, bread products are just a vessel for eating butter. Without being judged.
Sorry, off track.
Let’s chat about those trends in a bit more depth. Here we go!
Telephone Hack Attempts
You know the telephone call that informs you that “Your Microsoft has been hacked” or “Your computer is running too slow?” Several YouTube videos chronicle the end result of these types of calls and they all lead to one place: the end user installs software so that the representative from “Microsoft” can remote into the machine and “fix it.”
Except they’re not fixing it. They’re installing enough nefarious hacker virus infiltration software to drown an elephant. With this hackery in place, they now have access to your computer – and any other computer in your network – at will. Will it lead to ransomware? Possibly. Will they use your computer’s resources to contribute to their evil schemes in a world-wide network of other infiltrated machines? Also possibly.
History of phone scam attempts
Using Alexander Graham Bell’s telephone as a means of infiltration is not new. Everything from demanding bank account details from elderly people in the middle of the night because someone broke into their account* to being told there is a confiscated package at customs and border control with drugs and money addressed to you**. Or your social security number has been disabled. A child who calls you “Grandma” is in a panic and says they’re in jail, waiting for you to say your grandchild’s name so they know the name and can proceed with the scam***.
The recipe is simple. Identify target demographic. Create compelling script. Call the victims. All of them. Every single last one of them. Success in numbers. It continues because it works. Now it’s an evolution that permits computer infiltration.
* this happened to my grandparents. thankfully they told my mother the following morning so they could close the account. 18 months later, my mother was notified by the bank that someone attempted to drain that old account.
** i’ve gotten the customs and border control call no fewer than six times this last week. they’re fun to mess with but seriously, it gets old after a while.
*** my mother gets this one regularly. the fact that they are able to get kids to participate in it is CHILLING.
How the Pandemic amplified opportunities
One day you’re going to the office. Minding your business. Coffee in hand, reading an article about people getting sick and a scary spread of a sickness. The article talks about an elder care facility near Seattle that has an outbreak. But maybe it’s ok? They’re not sure. All you want to know is if you’re still on for bowling on Friday night.
Except there’s no bowling Friday night because the nation locked everything down and every employer is now scrambling to get workers functioning remotely.
On the one hand, the degree to and speed with which companies pivoted and were able to get folks into their servers and working from remote was admirable. Borderline legendary. Unthinkable a week prior.
On the other hand, the speed at which this took place was a result of “Just get them into our system, we can figure out security later.”
And the opportunity for what was once a small ransomware threat skyrocketed to stardom in a single day.
It was the equivalent of inviting every employee in a 10,000 person company to a stadium for a work party and telling them to not bother locking their cars, they have a security guard.
Because really, if there was an IT person at the company in question – or maybe even two – their hands were completely full of attempts to keep remote workers from getting angry at working with systems that weren’t designed for remote work. Focusing on potential ransomware attacks was not on their bucket list. Especially when orders from higher up were to prioritize employee satisfaction and ease over anything else.
High Profile Examples
It seemed like no stone was left unturned in the mad dash to exploit this new and exciting opportunity. Here are some of the higher profile ransomware attacks that took place in 2020 in the wake of lockdowns and the loosening of security.
- Grubman Shire Meiselas & Sacks – This law firm represents a whole battery of international celebrities like Madonna, Lady Gaga, Nicki Minaj, Bruce Springsteen, and so on. Almost a terabyte of private documents were taken. That is a lot of documents.
- University of California San Francisco – An example of how healthcare data is the pinnacle of what companies will pay a ransom for, the UCSF School of Medicine got hit and critical data locked up. While they were able to isolate the server that was hit and prevent it from spreading throughout the network, they still had to pay US$1.14 million in order to receive a decryption tool that would retrieve what was lost.
- Cognizant – This multinational IT company was hit and hit hard and is considered one of the largest ransomware attacks of 2020. The company ended up booking somewhere between 50-70 million earth dollars in losses as a result of the attack, with downtime of roughly 3 weeks.
If anyone happens to remember the T-Mobile hack of not too long ago, the individual responsible for that went on record saying that the security was so lax in their systems it was almost as if they walked in through the front door and nobody cared.
Easy and profitable. Difficult to track and prosecute. Least agonizing decision of all time to make.
Steps You Can Take Right Now to Make a Ransomware Attack Less Awful
When I say “right now,” what I actually mean is “RIGHT NOW.” Almost to the point of please stop reading or listening to this thing right here and go DO ONE OF THESE THINGS. Since it might not be practical to cease and desist right in this moment, I’m going to share a few of the bits of advice I collected in the wake of my own experiences.
- Back your things up. Follow the 3-2-1 rule. Three total backups, two different media, one off site. Three actual full backups of some kind. If you don’t have three backups, you don’t have one backup. Two different media: hard drives are great but the spindles can fail. Thumb drives are great too but solid state can fail. The likelihood of ALL of them failing at once is low. One of your three backups should be off site. The cloud counts as off site.
- Review router/server logs. Look for suspicious connection attempts. Start blocking if you see widespread attempts from outside your region. Unless you’re IN Turkey, it’s likely nobody FROM Turkey needs to be connecting to your computer.
- Grant administrator access to your systems to as few people as possible. Seven administrators on a system with weak passwords can be problematic. Plenty of infiltration points.
- Fewer passwords and more passphrases. Include upper case, lower case, numbers, symbols. Gremlin9$ is ok, but GremlinDriversAreHipsters99#% is better.
- Update operating and security software once a week. Software companies are fast to respond to new threats and exploitations but you have to be just as fast at updating your systems before you find out the hard way why that patch was necessary.
- Reduce the number of attempts before locking an IP address out for X number of hours. My system at work locks out for 6 hours after 4 attempts.
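As an added example (not code from this post or from any product it mentions), here is a small Python replay of the log-review and lockout advice above: it walks login records in order, locks a source out for 6 hours after 4 failed attempts, rejects anything that arrives during the lockout, and flags sources outside an assumed home network. The log format, the sample lines and the trusted network are all constructed for the demonstration; a real deployment would read your router or server’s own log format instead.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Policy from the advice list: lock a source out for 6 hours after 4 failures.
MAX_FAILS = 4
LOCKOUT = timedelta(hours=6)
# Assumed "our region": the only network that should be logging in (constructed).
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample records, not real logs: "timestamp src_ip user result".
SAMPLE_LOG = """\
2020-08-03T02:00:01 203.0.113.7 administrator FAIL
2020-08-03T02:00:03 203.0.113.7 admin FAIL
2020-08-03T02:00:05 203.0.113.7 root FAIL
2020-08-03T02:00:06 203.0.113.7 backup FAIL
2020-08-03T02:00:08 203.0.113.7 administrator FAIL
2020-08-03T08:15:00 198.51.100.20 george FAIL
2020-08-03T08:15:20 198.51.100.20 george OK
2020-08-03T09:30:00 203.0.113.7 administrator FAIL
"""

def in_region(ip):
    """True when the source address sits inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def analyze(log_text):
    """Replay login events in time order and apply the fail-count/lockout rule."""
    fails = defaultdict(int)   # failures since the last success or lockout
    locked_until = {}          # ip -> datetime when its lockout expires
    lockouts, blocked, outside = [], [], set()
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        t = datetime.fromisoformat(ts)
        if not in_region(ip):
            outside.add(ip)    # worth a look even if it never trips the lockout
        if ip in locked_until and t < locked_until[ip]:
            blocked.append((ts, ip, user))   # still locked: reject, don't count
            continue
        if result == "OK":
            fails[ip] = 0                    # a success clears the counter
            continue
        fails[ip] += 1
        if fails[ip] >= MAX_FAILS:
            locked_until[ip] = t + LOCKOUT
            lockouts.append((ip, ts, locked_until[ip].isoformat()))
            fails[ip] = 0                    # counter restarts after the lockout
    return {"lockouts": lockouts, "blocked": blocked, "outside_region": sorted(outside)}
```

Run `analyze(SAMPLE_LOG)` and the outside address is locked out at its fourth failure, its fifth attempt is rejected during the lockout, and the attempt after the lockout expires starts a fresh count; the same replay, run daily, is how the months of scripted guessing described later in the post would have shown up early.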
How My Own Ransomware Story Played Out
Here’s a bit of a timeline of what went down at my own workplace. Loosely, at least. I don’t remember all the specific dates and have blocked many of them out of my head for reasons.
The morning of
Getting into the office and starting up the accounting software. Business as usual. Except the accounting software wouldn’t load, said it couldn’t find a module. Called support and asked them to take a look at it. They called me back and asked if I was at the server machine and I said no. They told me to go to the actual server and look and see what they were seeing.
Every single file had a new extension. The extension was the name of the organization that hacked our system. Over 160,000 files. In 16 minutes. Terrifying to think about.
The demand
There was a text file note in every folder with instructions on who to contact for further details. I made that contact and they offered to prove that they could supply a file to decrypt everything on the server. I sent them two encrypted files and they sent them back decrypted.
The cost? The bitcoin equivalent of around $25,000.
Anybody like gambling? If not, this is not the section for you.
I gambled.
We do not possess that kind of money. We can’t pay. They counter offered with the bitcoin equivalent of $10,000.
I countered with $2,000 US earth dollars, and they said no, that’s too little, and I said very well, good day.
A day later, they wrote back and agreed to the terms. The payment was made, we received the decryption tool, restored almost all of our files – several were corrupt – and enlisted the services of a white hat hacker to get into our system and see what damage was done.
More damage
In addition to file encryption, the entire system was riddled with spyware for the possibility of further nefarious activity.
The registry of Windows Server had been altered beyond repair. New server software install. And to this day it doesn’t work nearly as well as it used to.
The time between when they walked and when they came back was a full day. A full day of hand wringing, weeping and gnashing of teeth, and knowing that I was responsible for the entire thing.
Infiltration notes
Our white hat hacker friend saw that there had been thousands upon thousands of attempts to break into our server on a daily basis. Starting in February of that year. We were successfully hacked in August of the same year.
Scripts. They are run, set and forget, and eventually they work. Brute force password guessing. Passwords were not strong enough. They are now.
Our systems are not set up in a traditional server way. Instead of using the server to control the entire network, it sits on the network for file storing and application sharing. Because of this, none of the other machines on the network were hit. Not every company is lucky enough to have an inept IT guy like me running things.
Shutting This Thing Down
It is now over a year ago. I’m not ever forgetting what happened. I speak as often as possible about the virtues of strong data protection. Backups. Security. Monitoring. These are all the hallmarks of a good system for preventing nasty things from happening.
At some point we’re installing a hardware firewall box. We presently unplug all internet connections every single night. It would be nice to not have to do that each night!
Daily log reviews. Backup is once a week. Nerves are still high. We’re through it.
My mission is to advocate for how important this stuff is so that not a single other small business ever has to go through it.
Looking to shore things up? Contact me! I’ll gladly share everything I’ve ever learned.
Don’t wait. Get after it now.
Pitter patter.
Until next week.
-= george =-