A Real Life Ransomware Story

I just got off the phone with a friend of mine with an IT company in Chicago and I wanted to share this story, because there’s a lot for you, me and your IT provider in Albuquerque or Santa Fe, New Mexico to learn from in this real life scenario…

My friend, Alan, just started working with a client who got hit badly with a ransomware attack. This was not an automated ransomware virus that sends a program to lock the company’s files. This was an active hacker who targeted this 50-person company, got in and not only encrypted (locked) the files, but they deleted the backups as well. The ransom requested was 90 bitcoin or around $800,000. Ouch. The company looks like they will survive, but what lessons can we learn from this example? Let’s unpack what they got wrong and what they got right:

1. Backups: It’s instructive to note that even though the company was backing up their data, the backups were actually compromised and deleted. The hacker was able to infiltrate the backups because they were not firewalled off from the main network and they did not keep a copy offsite. This was a critical mistake on the part of the company that really exacerbated their risk once the attack began. We always recommend an offsite copy of backups to protect from digital attacks as well as fires and floods.
2. Windows 7 end of life: The company had many older Windows 7 machines, and I can’t emphasize enough that it is time to update these machines. It’s not just a planned obsolescence issue, it’s a security risk. The hackers were able to access stored Admin passwords due to a known vulnerability in Windows 7. That is one of the other major mistakes the company made. We recommend a minimum 7-year PC replacement policy. Longer than that risks major security problems.
3. Insurance:. This is a good reminder that you should already have a good cyber-liability insurance plan in place to mitigate the costs and risks of a successful ransomware attack. This was one thing my friend’s client got right. They had comprehensive insurance in place and even negotiated a lower price with the hackers to get their data unlocked. (If you can believe that!)

You can use this example as a test case to compare your insurance and make sure you have coverage for this real life scenario: Hacker sent a phishing email, employee used a Windows 7 machine to open the malware, hacker gained admin entrance to the network, encrypted all files, deleted all backups and requested ~$800,000 to decrypt.

I hope this is helpful. Let me know if you have a story we should know about.

Thanks,

Jonathan Sandmel
jonathan@steadynetworks.com