It was a Thursday morning. The first presenter of the day opened up the studios and turned on the computers, and everything seemed OK. One computer that runs 24 hours a day had crashed in the morning; when it was rebooted, a message filled the screen.

Your information has been ransomed.

Your data has been encrypted and you cannot recover it unless you pay a ransom.

Phone XXXXX-XXXXX for instructions.

You will pay the ransom in Bitcoins and the longer you leave it before calling the higher the cost will be.

If you don’t know how to pay in Bitcoins or where to buy Bitcoins go to the following website for instructions.


This message was only on one PC and the others seemed fine. That seemed strange: was it real, or just a fake message from a scammer trying to get a fast payment before people realised it was a hoax?

In this case it wasn't a hoax: there had been a real attack.

The presenter reported the problem and was advised to remove the network cables from all PCs (the Internet connection remained on so the station could keep broadcasting).

He started his live show and everything seemed fine, but then the music tracks he had scheduled started to be reported as missing.

The IT experts arrived and systematically assessed the state of every PC and server. It was clear that, while some files had been encrypted and were therefore unusable, almost everything was intact despite the attackers' warning. Only a few PCs had been attacked and the rest were untouched.

However, one PC had been ruined by the criminals – everything had been encrypted.

Several other PCs still had encryption processes running after the Internet connections were pulled, and these were stopped.

The Managing Director made the decision, on principle, not to pay, even if it meant taking losses. The incident was also reported to the Police.

The Mode of Attack

The next step was to determine how the attack had taken place.

This is where the website https://id-ransomware.malwarehunterteam.com proved very useful: you can upload an encrypted file and it identifies which ransomware variant the attackers used.

The variant was identified and, unfortunately, it is one for which no decryption keys are available on the Internet, as there are for some variants.

The ransomware variant also gave a clue that the attack had most likely come in through the firewall rather than by email or other means.

A scan of the relevant firewall showed that the FTP and RDP ports were open. The criminals' way in was via the RDP port and the remote control software installed on several PCs. This made sense, as it explained why they could only reach a few computers and not the rest: only the ones with remote control access installed.

Now that the experts knew how the criminals had got into the systems, it was easy to block that route on the server and the broadband firewall and to delete the remote control software.

The Recovery Process

Now that the bad guys could no longer access the systems, it was safe to start purging the encrypted data and restoring from backup.

While that continued, checks on the server logs showed that the bad guys had tried to guess the FTP password but had given up quickly. However, they had run a programme that threw a dictionary at the server login in an attempt to get the password. Tens of thousands of attempts failed. This shows the benefit of a strong (i.e. unguessable) password.
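As an added example (not code from the original article or from the station's IT team), the following Python script runs the kind of log check described above over constructed login records. It assumes a generic log line format and uses made-up addresses from the documentation ranges; both are assumptions, not the station's real format or data. It flags two things a defender wants to see: a source that racks up many failed logins in a short window, with the number of distinct usernames tried as a hint that a dictionary is being thrown at the login, and a source that logs in successfully straight after a run of failures, which is what a guessed password would look like in the log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed generic line format (not the station's real log format):
#   <ISO timestamp> <service> LOGIN_FAILED|LOGIN_OK user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\w+) (?P<event>LOGIN_FAILED|LOGIN_OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def build_sample_log():
    """Constructed sample log, modelled on the story: a few FTP guesses that
    stop quickly, a dictionary run against the server (RDP) login, ordinary
    staff logins, and one made-up source that succeeds after repeated failures."""
    lines = []
    t = datetime(2023, 3, 2, 3, 14, 0)
    for i, user in enumerate(["admin", "admin", "ftp", "anonymous"]):
        lines.append(f"{(t + timedelta(seconds=3 * i)).isoformat()} ftp LOGIN_FAILED user={user} src=203.0.113.45")
    t = datetime(2023, 3, 2, 3, 20, 0)
    for i in range(400):  # one guess per second for just under seven minutes
        user = "administrator" if i % 2 == 0 else f"user{i % 25}"
        lines.append(f"{(t + timedelta(seconds=i)).isoformat()} rdp LOGIN_FAILED user={user} src=203.0.113.45")
    lines.append("2023-03-02T08:02:11 rdp LOGIN_OK user=presenter src=192.168.1.20")
    lines.append("2023-03-02T08:05:40 rdp LOGIN_FAILED user=presenter src=192.168.1.20")  # an ordinary typo
    lines.append("2023-03-02T08:05:55 rdp LOGIN_OK user=presenter src=192.168.1.20")
    t = datetime(2023, 3, 2, 9, 0, 0)
    for i in range(6):
        lines.append(f"{(t + timedelta(seconds=20 * i)).isoformat()} rdp LOGIN_FAILED user=studio src=198.51.100.9")
    lines.append("2023-03-02T09:03:00 rdp LOGIN_OK user=studio src=198.51.100.9")
    return "\n".join(lines)


def parse_log(text):
    """Parse log text into event dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _max_in_window(times, window):
    """Largest number of (sorted) timestamps falling inside any window-long span."""
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_bruteforce(events, window=timedelta(minutes=10), threshold=50):
    """Report (src, service) pairs with at least `threshold` failed logins inside
    any `window`; many distinct_users points to a dictionary or spray run."""
    groups = defaultdict(list)
    for ev in events:
        if ev["event"] == "LOGIN_FAILED":
            groups[(ev["src"], ev["service"])].append(ev)
    findings = []
    for (src, service), evs in sorted(groups.items()):
        times = [e["ts"] for e in evs]  # already in time order
        if _max_in_window(times, window) >= threshold:
            findings.append({
                "src": src, "service": service, "attempts": len(evs),
                "distinct_users": len({e["user"] for e in evs}),
                "first": times[0], "last": times[-1],
            })
    return findings


def successes_after_failures(events, min_failures=5):
    """Sources that log in successfully right after a run of failures: worth a
    look, because a guessed password shows up as exactly this pattern."""
    streak = defaultdict(int)
    hits = []
    for ev in events:
        key = (ev["src"], ev["service"])
        if ev["event"] == "LOGIN_FAILED":
            streak[key] += 1
        else:
            if streak[key] >= min_failures:
                hits.append((ev["src"], ev["service"], streak[key]))
            streak[key] = 0
    return hits


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    for f in find_bruteforce(evs):
        print(f"brute force: {f['src']} against {f['service']}: {f['attempts']} attempts, "
              f"{f['distinct_users']} usernames, {f['first']} .. {f['last']}")
    for src, service, n in successes_after_failures(evs):
        print(f"success after {n} failures: {src} on {service}")
```

Run it directly to print the findings. In practice the window and threshold are tuned per service, and the same grouping by source and time works on a Windows Security event export or an FTP daemon's log once the line regex is adapted; the point of the second check is that an attacker who eventually guesses the password leaves a success at the end of the failure run, which a count of failures alone would not show.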

Systems Status

  • The criminals' route into the systems had been identified and blocked
  • Recovery of encrypted files from backup was in progress
  • Only one PC had been damaged in the attack, and it was replaced by an old backup computer
  • The Radio Station had continued to broadcast throughout the attack, so listeners had not been affected
  • The Police had been informed
  • No personal or confidential data had been compromised, so there was no need to report the incident to the Information Commissioner

Key Lessons

1. Comprehensive regular backups are absolutely essential, including off-site backups

2. Any connections to the Internet must be well protected

3. Only run systems and services through an external firewall if essential, and ensure these are well protected

4. Ensure all security patches are installed ASAP

5. Take regular security audits

6. Be prepared for such an attack and plan for how to deal with the aftermath

Remember that IT security is not a one-off event but an ongoing process, so keep your security processes up to date and test them.

For an introduction to ransomware, look at https://fightback.ninja/ransomware-what-is-it-2/

Or at https://www.fightbackonline.org/index.php/guidance/12-explanations/19-ransomware-what-is-it-and-how-do-i-protect-against-it
