Atomic Data's Blog on Ransomware

“Atomic Data Service Desk, this is Anders. How can I help you?”

“This is [redacted] from [redacted]. I think we have a virus on our network. Can you look into it?”

The customer on the line was frantic, hurried. She was speaking to me on the phone as she instructed one of her employees to run a virus scan on their server. She informed me that files on several of their shared drives were quickly being converted into unreadable, unrecognizable file types in the guise of media files.

I remotely connected to the server in question. I tried to launch some of the files, but they weren’t a recognizable file type. I asked if she had any guesses as to where the apparent attack originated. She stated that only three employees had access to all the affected drives, and she had turned off file sharing in the hope of stopping the virus from spreading. She gave me the names of the employees.

I turned file sharing back on in order to investigate the personal drives of the employees. The first drive I dug through seemed wholly unaffected. No encrypted files, no note. I moved on to the next drive. Files were encrypted throughout and there, at the bottom of the list of folders and files, was a text document “XxInstructionsxX.” I opened the file to make sure it was what we were looking for. It was a ransom note. It detailed who and how to pay in order to decrypt the files that had been compromised.

“Found it,” I told the customer. “It’s on [redacted]’s machine.” I turned file sharing off again. “You need to pull that machine off the network, pull the power as well.”

“Oh, no. Really?” she said. “Okay.”

I heard her run—necklace clanging and bouncing, breath heavy as she kept the phone to her ear. She arrived at the office of the employee whose computer had been compromised. While she was on the move I alerted my Service Desk Level 2 technician, who then grabbed the attention of an On-Site engineer.

“Crap. She’s in an interview,” the customer said.

“Gotta pull the plug,” I responded.

I heard her knock and open the office door simultaneously. I heard her mumble what was happening between breaths. Then “click,” the Ethernet cord was out of the workstation, “thud,” she pulled the power as well.

I logged out of the server to give way to the engineer. He had already connected to assess the damage. Thankfully, the customer was quick to realize something was wrong and call the Service Desk, and she had proper security groups in place in Active Directory to limit how much of the network the employee’s computer could reach. I informed the customer that an engineer would be in touch with her shortly. She said “goodbye” and I said “good luck.”

The customer I talked to was informed on security best practices, but her employee was not. She had an itchy trigger finger—too willing to click on an email attachment sent from an unknown email address or the latest viral video from a website that she mistakenly deemed upstanding. One wrong click and the company, not just one user, potentially lost days, months, or even years of data. So simple. Not safe. Not smart.

In my time on the Service Desk I saw a few ransomware attacks in progress and heard about many others. Ransomware, a form of malware that encrypts files and demands payment in order to restore them, is widespread and attacks are on the rise. According to PBS, ransomware attacks in 2015 bilked over $24 million out of companies and private users alike: http://www.pbs.org/newshour/rundown/5-ways-to-become-a-smaller-target-for-ransomware-hackers/

The latest targets of choice? Small businesses, hospitals and clinics. Many small businesses don’t have the technical support they need to defend against such attacks. And the switch to Electronic Health Records has painted a juicy bullseye on establishments with time-sensitive needs related to their clients’ files. Thus, these businesses often decide to pay the ransom rather than risk being without the files for an extended period while their computers are restored from backups, or worse, they don’t have backups and need to decrypt their files in order to function.

These situations can largely be avoided. Don’t open email attachments or click on links in emails from senders you don’t recognize. Back up your computer and files regularly, and keep at least one copy somewhere the infected machine cannot write to: in the incident above the ransomware reached every shared drive the employee’s account could open, and a backup sitting on one of those drives would have been encrypted along with everything else. Keep an antivirus client up to date on your computer. Antivirus and anti-malware programs will block many known unwanted programs from downloading or installing, but they will not catch everything, which is why the backups matter. If you are a victim of a ransomware attack, don’t pay. More than likely you will be able to restore your files from a backup taken before the infection. You may lose a few recently added files or programs, but that is better than paying a ransom with no guarantee that the attacker will actually decrypt your files.
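The investigation in the story (working drive by drive, looking for a ransom note and for files turned into unrecognized types, then naming the machine to unplug) was done by hand. The following script is an added example, not Atomic Data’s code or any tool it sells, of doing the same triage over a mounted share or set of home folders. It assumes a list of file extensions the share normally holds and a few substrings that mark ransom note names (“instructions” matches the story’s “XxInstructionsxX”); both are assumptions to tune per incident. The sample share it builds is constructed demo data, with modification times set so the order of encryption is reproducible; “.locked” stands in for whatever extension the real sample appends.

```python
"""Triage helper for a suspected ransomware outbreak on a file share.

Added example, not Atomic Data's tooling. Walks a tree and, per folder,
records the indicators the story above read by hand: a ransom note, files
whose extension is not one the share normally holds, and when the first of
those was written. Ranking on that tells you which folder, and so which
user, to pull off the network first.
"""
import os
import tempfile

# Substrings that mark a ransom note file name. "instructions" matches the
# "XxInstructionsxX" note from the story; the rest are common generic names
# (assumption: extend with whatever the current incident drops).
NOTE_PATTERNS = ("instructions", "decrypt", "recover", "how_to", "howto")

# Extensions that legitimately live on this share (assumption for the demo).
# Encrypted files in the story showed up as unrecognised types, so anything
# outside this set counts as suspicious.
EXPECTED_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png"}


def looks_like_ransom_note(name):
    """True for plain text/HTML files whose name hints at a ransom note."""
    stem, ext = os.path.splitext(name.lower())
    return ext in (".txt", ".html", ".htm", "") and any(p in stem for p in NOTE_PATTERNS)


def is_suspicious_file(name):
    """True when the final extension is not one this share normally holds."""
    return os.path.splitext(name)[1].lower() not in EXPECTED_EXTENSIONS


def triage_share(root):
    """Return {relative folder: {"total", "suspicious", "notes", "first_hit"}}.

    first_hit is the earliest mtime of a suspicious file or note in the
    folder (None if clean); the folder hit first is the most likely origin.
    """
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        stats = {"total": 0, "suspicious": 0, "notes": [], "first_hit": None}
        for name in files:
            stats["total"] += 1
            mtime = os.path.getmtime(os.path.join(dirpath, name))
            if looks_like_ransom_note(name):
                stats["notes"].append(name)
            elif is_suspicious_file(name):
                stats["suspicious"] += 1
            else:
                continue  # ordinary file, does not move the timeline
            if stats["first_hit"] is None or mtime < stats["first_hit"]:
                stats["first_hit"] = mtime
        if stats["total"]:
            key = os.path.relpath(dirpath, root).replace(os.sep, "/")
            report[key] = stats
    return report


def rank_folders(report):
    """Folders ordered by evidence: note present, then fraction of suspicious
    files, then earliest hit. The top entry is the machine to unplug first."""
    def evidence(item):
        s = item[1]
        first = s["first_hit"] if s["first_hit"] is not None else float("inf")
        return (bool(s["notes"]), s["suspicious"] / s["total"], -first)
    return [folder for folder, _ in sorted(report.items(), key=evidence, reverse=True)]


def likely_origin(report):
    """Folder whose first suspicious write is the earliest across the share."""
    hits = [(s["first_hit"], f) for f, s in report.items() if s["first_hit"] is not None]
    return min(hits)[1] if hits else None


def build_sample_share(base):
    """Constructed demo tree (not data from the incident). The numbers are
    seconds added to a fixed epoch and written as the files' mtimes."""
    epoch = 1_600_000_000
    layout = {
        "users/alice": [("budget.xlsx", 500), ("notes.txt", 510)],
        "users/bob": [("report.docx.locked", 10), ("photo.jpg.locked", 12),
                      ("XxInstructionsxX.txt", 14)],
        "shared/finance": [("q1.pdf", 400), ("q2.pdf.locked", 30),
                           ("q3.pdf.locked", 31), ("XxInstructionsxX.txt", 32)],
    }
    for folder, files in layout.items():
        path = os.path.join(base, *folder.split("/"))
        os.makedirs(path, exist_ok=True)
        for name, offset in files:
            full = os.path.join(path, name)
            with open(full, "w") as fh:
                fh.write("demo\n")
            os.utime(full, (epoch + offset, epoch + offset))
    return base


def demo():
    """Build the sample share, triage it, and return (ranked folders, origin)."""
    with tempfile.TemporaryDirectory() as tmp:
        report = triage_share(build_sample_share(tmp))
        return rank_folders(report), likely_origin(report)


if __name__ == "__main__":
    ranked, origin = demo()
    print("folders by evidence:", ranked)
    print("likely origin:", origin)
```

Run it against a share mounted read-only (so the scan itself cannot be mistaken for more encryption) and treat the output as a starting point, not a verdict: the folder the encryption reached first is usually the infected user’s own drive, which matches how the note was found in the story, but the list of expected extensions and note names has to be checked against what the actual sample does before trusting the ranking.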

Now, here’s what Atomic Data can do for you. The Atomic Mail Filter (AMF) will catch suspicious emails from unverified sources before they reach your company’s mailbox. AMF sends you daily quarantine digest emails that detail recent mail caught by the filters, so that you can release false positives and get all the mail you need. Atomic Data can also provide your business with monitoring, patch management and antivirus through Kaseya. Never miss a security update, keep your antivirus active and up to date, and keep an eye on the performance of all your business’s devices.

In need of a backup solution for your business? Atomic Data has a solution for whatever your needs are. Back up your files with Atomic Data CrashPlan. Automated off-site workstation backups run whenever, wherever, and as frequently as you desire. Don’t get caught off guard. Atomic Data will help protect your data with customized business solutions.