Warning!!! We have entered a new, even more malicious, era for ransomware that is hitting mid-market companies particularly hard, with deleted or encrypted backups. The two stories I share below are chilling…
For the last five years or so, ransomware could be described as a fairly traditional automated attack. Trojans are sent out in the form of a bogus invoice, resume, or other seemingly legitimate document. No particular form of phishing for a specific target seemed to be in play. Uninformed or careless victims were self-selected, somewhat randomly, with their system(s) being vulnerable to a particular threat. When the attack payload was delivered, it would execute some code that would start encrypting all the .DOC, .XLS, image files, etc.
Upon completion of the ransomware encryption process, the user would then be informed to pay a ransom, most commonly in the form of a bitcoin—a single bitcoin. At the time, the value was typically around $600, plus or minus a few hundred. The victims were usually people like your grandmother, the three PC dental office, the 300 user small enterprise, or perhaps the division of a Fortune 500 company. I saw all these types of victims and they all were asked to pay one bitcoin. I thought this both odd and fortunate for the larger entities, if you can say anything is fortunate about getting stung by ransomware.
I often thought that as a business model—a criminal business model, but still a model—there was much money being left on the table. And I presumed that these enterprising criminals would soon figure this out as well and start asking for larger ransoms. I write today to tell you that this era has finally arrived…and I am calling it Ransomware v2.0. The following two incidents have recently occurred that paint a picture of this new Ransomware quite well.
Encrypted Backups Caused More Pain for Both Victims…
The day before Christmas Eve, we were contacted by a new client—a national firm operating in all 50 U.S. states. They had been hit by ransomware hard. Not only was everything encrypted, but the backups on mapped drives were encrypted, too. This is a common fatal mistake I see in company backup strategies. Having your backups on other drives on the network, leave them vulnerable to a number of maladies including ransomware. The other backups they had were deleted by the criminals. The ransom request was well over $1,000,000 and there were no guarantees they would get anything back.
At 1:32 a.m. the day after Christmas, an executive from a company hit hard by ransomware contacted us through our website chat feature. We called them immediately, and by 2:30 a.m., we were exchanging signatures on our Master Service Agreement and Non-Disclosure Agreement. This firm had recently been acquired by a publicly traded entity, and they were out of business due to everything being encrypted. For them, too, the backups were gone. They had nothing. The ransom request was $57,000, and again there were no guarantees they would get anything back.
What is different today with Ransomware 2.0?
- In both these cases, the victims’ networks had been compromised about 90 days prior without their knowledge. These criminals are smart and patient. They bide their time well, while learning about the victim’s network. They are identifying and counting servers, they are figuring out user counts, they are figuring out how much data and storage is in place, and they are learning about the backups. These attacks are not executed blindly using software scripts, where grandma’s system is priced the same as the Fortune 500 company.
- Once the inventory is complete, they price out the ransom much like a legitimate software vendor, cloud provider, or other IT vendor would do. It appears ransom pricing is based upon the number of servers, apps, PCs, storage, etc.
- Finally, they plan the strike. This is not just done at a random time after the malware is installed. Instead, they pick a time when the company is most vulnerable—like before a weekend on Friday. This allows the encryption process plenty of time to complete when no one is watching. Cue in on the need for system monitoring services here. An even better time is just before Christmas Eve or on Christmas Day, which is exactly what happened in these cases. In North America, almost all companies are shut down during this time. Encryption can purr away undetected while everyone is away. Once the dastardly deed is detected, it is highly unlikely anyone is even around to help with the recovery—not that much can be done in these two cases anyway. The victims are caught completely flat-footed and without available IT resources. And the pressure to pay the ransom is dramatic.
So how did Victim A and Victim B fare? Not well for either one. Both had considerable downtime. The decryption process seems to take much longer than the encryption process, especially when you are watching with fear.
Victim A did not have much by way of IT resources available to help them, and they had no backups. By the time Alvaka was engaged, they had already paid the seven-digit ransom and decryption recovery had completed. Unfortunately, this event was not covered by any sort of cyber insurance. Alvaka did assist with a number of remaining recovery tasks, but we mainly helped to bolster security so that the likelihood of a reoccurrence is minimized and the impact mitigated. Some of the things done were the implementation of two-factor authentication, segmenting the network, and patching all the servers, PCs, etc. Improving security posture continues at Victim A.
Victim B was a little luckier. It turns out that the crown jewels—their database—had recently been copied onto a disconnected system by their database administrator, as he was doing some work. Some other key data was able to be cobbled together from other sources as well. They did not pay the ransom, and this event was covered by their cyber insurance. Despite not paying the ransom, this was still an incredibly expensive event, not to mention damaging to the company’s reputation. They were down for nearly a week. Like with all major security breaches, it is best to do a full system overhaul to make sure there are no lingering remnants of the malware that can reinfect the system. Three teams worked tirelessly, and nearly non-stop, for the next 120 hours. One team was from the victim company, another from the parent company, and the third comprised of several personnel from Alvaka Networks. I don’t know about the other teams, but the Alvaka team barely slept to speed the recovery. They worked over 100 hours of the 120-hour recovery period.
Forensic work ensues and discussions continue with company lawyers, but there may also be a cost and humiliation of breach notification, in addition to providing credit protection services for over a million people. Those costs may dwarf any IT remediation costs. The system is now back up and running, with a robust backup system that will stymie future attackers. Many other security measures have also been implemented to prevent this from happening again. And, if there is a problem, the extent of the impact will be mitigated.
Planning your security and planning for a disaster event takes time, knowledge, preparation and budget. If you have not given much thought to this process, you are a victim just waiting to happen. As I type this, I have more Alvaka personnel descending upon another new client who has just fallen victim.
At your next meeting, put IT security, backup and disaster recovery, and your insurance programs under scrutiny. If you are not certain where you stand with all of those, then you better get some help. Alvaka Networks is certainly available to assist. We are available 24 hours per day, 365 days per year! Toll-Free: (877) NOC-NOC4 or (877) 662-6624.