The day we were hit by ransomware

Written by Anthony Taille | Dec 3, 2020 12:45:00 PM

Just prior to the hostage taking

The holidays were fast approaching. Alex, who had mainly worked from home since the start of the pandemic, decided to spend part of his lunch hour shopping online for toys for his children. Alex used his personal computer with a remote connection to access his office workstation. He liked the flexibility and practicality of this way of working.

Alex was browsing from link to link in search of the perfect Christmas gifts. He clicked on advertising links, found a site offering bigger discounts than anywhere else, and decided to order using his work email. The site was slow, and its pages reloaded several times by themselves for no apparent reason, so Alex eventually gave up.

A few hours later, Alex receives a message in his Outlook mailbox. The message appears to come from his company and asks him to change his Active Directory password. Alex is used to this kind of procedure. He clicks on the link included in the email and changes his password. He then wraps up his work and ends his day.

The hostage taking

The next day, Alex is back at the office. He greets the colleagues he rarely sees and chats briefly with them.

Then he makes himself a coffee, sits down in front of his computer, which has been powered on for several months, and opens his usual applications.

This morning Alex cannot access his emails, and his credentials do not seem to work. He tries instead to access his SAP B1 database, but no information appears there either. Alex asks a colleague in the accounting department whether she can reach her documents, but she has had no luck either. Soon a small group of people gathers in the hallways wondering what is going on. Alex has a client meeting in less than an hour and needs some important documents for his presentation.

Fortunately, Alex had taken the time to save his most sensitive information in the cloud. He connects to the application that lets him store his data online, but once again he is faced with a blank screen. Alex is stuck. What about the thirty-page report he spent so long sifting through last week? What about his customer folder with all the confidential information about their purchasing habits? How can he work without his conversation history?

The company's administration department, which has just hired three new employees, has to call the bank to make sure their pay is deposited manually, since the application it normally uses is not working.

The sales team postpones meetings and puts orders on hold, unable to follow up with customers.

JP is a system administrator at the company where Alex works. This morning, JP is in a panic. The first user who told him he could not access his files called about an hour ago. JP initially assumed human error, but then other users contacted him. And others. And many more.

JP takes a tour of his environment, virtual and physical. He checks the firewall, the anti-malware, the antivirus status and the individual status of each user workstation. He knows that some of his passwords are reused across systems because the former system administrator had trouble remembering them. He knows that two-factor authentication is disabled on most of the company's applications because some senior users found the feature too inconvenient. He has even heard of users receiving phone calls from people claiming to need access to the corporate network to apply system updates - a relatively common social engineering maneuver.

JP runs manual searches in the company's various databases. Error messages immediately pop up on his screen. "Unknown file type." "Windows cannot open this file." He tries on his personal MacBook. "There is no application set to open this document." He tries to access his weekly backups. Nothing. He tries to access his monthly backups. Nothing.

Then, just before what would normally be his coffee break, JP discovers several processes he does not recognize in his activity monitor. Among them is an application named Mimikatz.

The ransom demand

Almost at the same moment, a window opens on his screen and a message appears.

"Your files are encrypted. If you wish to restore them, write to us at the email address below to pay your ransom. Do not attempt to rename your files. Do not attempt to decrypt your data using any third party software - this could cause permanent loss of your information. If you attempt to decrypt your data yourself, the ransom will increase."

JP feels a lump in his stomach. He knows that reports of ransomware attacks increased by 715% in the first half of 2020 alone. He has also heard of several attacks that occurred very close to home, where the impact could have been far worse.

JP knows that once a network is infected, the victim of ransomware is most of the time forced to pay the amount demanded to regain access to their data.

Robert is the president of the company where Alex and JP work. He recently read that the cost of ransomware attacks would reach $20 billion USD in 2021. But Robert's company is relatively small, with only about 40 employees and subcontractors in total, and he believed he was immune to this kind of situation.

The most important thing for him today is to protect his life's work, his customers, his employees, and the company he has spent nearly thirty years growing.

Robert listens as JP explains to him that the risk of losing everything is very real.

- The attack probably started months ago.

- Perhaps the hackers got into a user's computer through the remote connection.

- Maybe they sent a phishing link.

- Perhaps a disgruntled ex-employee sold his old access codes to malicious people.

- Perhaps a hacker contacted someone within the company posing as a service provider in order to gain valuable access.

The causes can be numerous and the effects catastrophic.

Robert, like the others, saw the message appear on his screens. The ransom demanded is almost $150,000 CAD. After the drop in revenue caused by COVID-19, Robert is well aware of the burden such an amount represents for his business. He decides to inform the federal authorities, who tell him that the group of hackers holding his data hostage hit two other SMEs during the past two weeks. The other two victims had no choice but to pay the ransom. They too had lost everything, including their backup copies.

The search for solutions

Robert decides to immediately call an IT company that was recommended to him, and whose blog post titled "Say Goodbye to Ransomware and Ransom Payments" he remembers reading.

To be continued in the next episode...