
Ransomware or: How I Learned to Identify Malware and Restore From Backups

October 04, 2019 Scott Evangelist

“Atomic Data Service Desk, this is Anders. How can I help you?”

“This is [redacted] from [redacted]. I think we have a virus on our network. Can you look into it?”

The customer on the line was frantic and hurried. She told me that files on several of their shared drives were rapidly being turned into unreadable files with unfamiliar extensions, some of them masquerading as media files.

I connected remotely to the file server in question and asked whether she had any idea where the attack had originated. She said that only three employees had access to all of the affected drives, and gave me their names.

The first drive I investigated seemed wholly unaffected: no encrypted files, no note. I moved on to the next drive. Files were encrypted throughout, and there, at the bottom of the list of folders and files, was a text document named “XxInstructionsxX.” I opened the file to make sure it was what we were looking for. It was a ransom note. It detailed whom to pay, and how, to get the encrypted files back.

“Found it,” I told the customer. “It’s on [redacted]’s machine. You need to pull that machine off the network, pull the power as well.”
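The post does not say how the originating workstation was pinned down. As an added example, not code from the original post or from Atomic Data, here is a PowerShell triage script that an engineer could run on the Windows file server: it lists the ransom notes and the recently written files whose extensions the share never had, then groups them by NTFS owner, because a file created over SMB is owned by the account that wrote it. The share path, the note-name patterns and the list of expected extensions are assumptions chosen for illustration and would be adjusted for the actual share.

```powershell
# Added example, not from the original post. Triage a file share during an
# active ransomware event: find the ransom note(s), find recently written files
# with extensions the share never had, and group them by the account that wrote
# them. Read-only; run on the file server (or against the UNC path) as an
# account that can read the share.

param(
    [string]$SharePath = '\\FILESERVER\Shared',   # hypothetical UNC path
    [int]$LookbackHours = 6,
    # Hypothetical note-name patterns; the note in the story was "XxInstructionsxX".
    [string[]]$NotePattern = @('*instructions*', '*decrypt*', '*readme*', '*how_to*')
)

# Extensions that normally live on this share (assumed list). Anything else
# written in the lookback window is treated as a suspect encrypted file.
$KnownExtensions = @('.docx', '.xlsx', '.pptx', '.pdf', '.txt', '.csv',
                     '.jpg', '.png', '.zip', '.msg')

$since = (Get-Date).AddHours(-$LookbackHours)

# Recently written files. SilentlyContinue so one unreadable folder does not
# abort the whole sweep while the encryption is still in progress.
$recent = Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since }

# 1. Ransom notes: typically one plain-text file dropped into each folder.
$notes = $recent | Where-Object {
    $name = $_.Name
    (@($NotePattern | Where-Object { $name -like $_ })).Count -gt 0
}

# 2. Encrypted payload: recently written files whose extension is not expected here.
$suspect = $recent | Where-Object { $KnownExtensions -notcontains $_.Extension.ToLower() }

# 3. Who wrote them? The NTFS owner of a file created over SMB is the writing
#    user's account, so the dominant owner points at the workstation to isolate.
$byOwner = @($suspect) + @($notes) |
    Sort-Object FullName -Unique |
    ForEach-Object {
        try   { $owner = (Get-Acl -Path $_.FullName).Owner }
        catch { $owner = '<unreadable>' }
        [pscustomobject]@{
            Owner   = $owner
            Path    = $_.FullName
            Ext     = $_.Extension
            Written = $_.LastWriteTime
        }
    } |
    Group-Object Owner |
    Sort-Object Count -Descending

Write-Host "Ransom notes found: $(@($notes).Count)"
$notes | Select-Object FullName, LastWriteTime | Format-Table -AutoSize

Write-Host "Suspect files by owner (the top owner is the likely source account):"
$byOwner | Select-Object Name, Count | Format-Table -AutoSize

# Most recent writes by the top owner, to confirm the spread pattern and the
# folders still being touched.
if ($byOwner) {
    $byOwner[0].Group |
        Sort-Object Written -Descending |
        Select-Object -First 10 Path, Written |
        Format-Table -AutoSize
}
```

One caveat a practitioner should keep in mind: some ransomware encrypts files in place (overwrite, then rename), in which case the NTFS owner stays the original creator and the grouping above is misleading. The fallbacks are the server's live SMB sessions (`Get-SmbOpenFile` on Windows Server 2012 and later shows the client user name and client address behind each open handle) and, if object-access auditing is enabled on the share, the Security log's file-access events. Either way the next step is the one the post describes: get that workstation off the network before worrying about the files.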

I heard her run—necklace clanging and bouncing, breath heavy as she kept the phone to her ear. She arrived at the office of the employee whose computer had been compromised. While she was on the move I alerted my Service Desk Level 2 Technician, who then grabbed the attention of an On-Site Engineer.

I heard her knock and open the office door simultaneously. I heard her mumble what was happening between breaths. Then “click,” the Ethernet cord was out of the workstation, “thud,” she pulled the power as well.

I logged out of the server to give way to the Engineer, who had already connected to assess the damage. Thankfully, the customer had been quick to realize something was wrong and call the Service Desk, and they had already followed some best practices, such as using Active Directory security groups to limit which shares the employee’s account could reach, which is why not every drive was hit. I informed the customer that an Engineer would be in touch with her shortly. She said “goodbye” and I said “good luck.”

The customer I talked to knew the security basics, but her employee did not. The employee had an itchy trigger finger, too willing to click a link in an email from an unknown sender. One wrong click and the company, not just one user, lost nearly three drives’ worth of data. Luckily, we were there to help and recovered most of it from a recent backup.

In my time on the Service Desk I saw a few ransomware attacks in progress and heard about many others. Ransomware, malware that encrypts files or locks a computer and demands payment to restore access, is widely prevalent, and attacks are on the rise.

Attacks commonly arrive as email links or attachments. Once running, the malware encrypts files on the local drives, on attached external drives, and on any network shares the infected computer can write to. According to PBS, ransomware bilked over $24 million out of companies and private users in 2015, and based on the first few months of 2016 the FBI expected incidents to be even more rampant that year. Attacks are also becoming more sophisticated. In the past they were generic emails that found their way into an inbox with a link to a plausible-looking URL, which led to a web page that downloaded the ransomware onto the victim’s system. With a proper mail filter, most of these emails never reach the inbox. So cyber criminals stepped up their game with spear phishing: emails crafted for specific individuals rather than sent to generic business or distribution-group addresses. Email is no longer the only route, either. As the FBI puts it, “They [cyber criminals] do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”

The latest targets of choice? Small businesses, hospitals and clinics. Many small businesses lack the technical support they need to defend against such attacks, and the switch to Electronic Health Records has painted a bullseye on organizations whose work depends on timely access to clients’ files. These businesses often decide to pay the ransom rather than go without the files for the time it takes to restore their computers from backups, or worse, they have no backups at all and need the files decrypted in order to function.

Now here’s what Atomic Data can do for you. The Atomic Mail Filter (AMF) catches suspicious emails from unverified sources before they reach your company’s mailboxes. AMF sends you a daily quarantine digest listing the recent mail caught by the filters, so you can release false positives and still get all the mail you need. Atomic Data can also provide your business with monitoring, patch management and antivirus through Kaseya: you’ll never miss a security update, your antivirus stays active and up to date, and you can keep an eye on the performance of all your business’s devices.

In need of a backup solution for your business? Back up your files with Atomic Data Crashplan and Atomic Data Black Box. Automated off-site workstation backups with Crashplan run whenever, wherever, and as frequently as you want. The Atomic Data Black Box keeps your Windows servers backed up, and Atomic Data gives you the option of a virtual server on standby so that a clone of a production server can be spun up in case of disaster. Don’t get caught off guard. Ransomware is more widespread than ever, and Atomic Data will help protect your data with customized business solutions.