Real-world Ransomware Experience
October is “Cybersecurity Month” and this year it’s getting a lot more attention because of the ransomware attacks that have been in the headlines. One theme of Cybersecurity Week is sharing real experiences. We decided to do that here with EO Advisor.
If your managed IT provider tells you that they have never had a problem with ransomware, they are either hiding something or they are too inexperienced to help you face your ransomware crisis when your time comes. As hard as it is for us to share this truth in a public forum, we think it is critical to emphasize that nobody is immune from ransomware attacks – not even the clients of Electronic Office. What’s important is how those attacks are responded to when they happen.
A handful of Electronic Office clients have been through the experience of a ransomware attack. So far, none have paid a ransom, but the experience is always gut-wrenching and hardens our resolve to ensure that none pay in the future.
EO Advisor first wrote about Ransomware in 2016. It was hard to get anybody too worked up about these threats back then, but we were already nervous.
A year later, we got quite the phone call from one of our clients—the Chief Financial Officer, actually—and he had his top IT executive on speaker with him. These guys were staring at a folder on the CFO’s computer filled with hundreds of important financial documents and, one at a time, they were watching them become encrypted and inaccessible. It was like watching a car crash in slow motion… FYI, key executives at all our clients have our personal cell phone numbers so that they can reach us fast if they need to, and in this case, time was critical…
The response: we immediately (and remotely) “cut the cord” between our client’s office servers and their backup storage services in the cloud. All their files were routinely backed up overnight, so any changes to files made on this bad day were lost, but everything else was isolated from the encryption event unfolding in front of our eyes.
Emotionally speaking, it was a rough day. However, the outcome was OK because we set up our client on a fresh, clean computer, and files were restored from backups within 24 hours instead of days or weeks.
It took some time to completely scrub every bit of company hardware, including printers, down to machine-level code, then reinstall the software from scratch, and then finally claw back all of the files from the backup server. Thankfully we were able to completely ignore the ransomware attackers because we had a plan that did not require their help to decrypt the files they stole from us. This type of total reset is a deep, time-consuming process, but the client was up and running while it was completed.
Today, ransomware is much more sophisticated. The “ghost in your machine” is getting everything organized for days, weeks, or even months before most businesses would ever know they were inside. It eventually follows your own paths right up into the cloud where your backup storage is maintained. When the criminals decide to encrypt your files, it all now happens really fast.
Electronic Office has become more sophisticated too. Instead of that dreaded phone call from the CTO watching files become encrypted, our most prepared clients now have software running inside their servers constantly looking for unusual behavior. For example, ransomware tools are used to stealthily create a fake employee inside your software and then slowly start giving that “employee” password access to more and more of your most vital files. No employee working on their own is going to notice this happening, but a well-trained security expert running the right software can frequently uncover new-account activity and quickly sort out the legitimate new employees from the bad actor.
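The review described above, of new accounts that quietly accumulate access, can be expressed as a small check over an audit log. The following is an added example written for this article, not Electronic Office's tooling: the event format, the account names, the list of groups treated as privileged, and the thresholds (accounts created in the last 30 days, more than one privileged group, creation without an HR ticket or outside business hours) are all constructed assumptions.

```python
"""Flag recently created accounts that are accumulating privileged group
memberships. Added example; the audit log below is constructed, not real."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events: (ISO timestamp, event type, account, detail).
# For account_created, detail carries the provisioning reference (if any);
# for group_added, detail is the group name.
AUDIT_EVENTS = [
    ("2023-10-01T09:00:00", "account_created", "jdoe", "hr_ticket=HR-1042"),
    ("2023-10-01T09:05:00", "group_added", "jdoe", "Staff"),
    ("2023-10-02T02:13:00", "account_created", "svc_backup2", ""),
    ("2023-10-03T02:20:00", "group_added", "svc_backup2", "Finance-Share-Readers"),
    ("2023-10-05T02:41:00", "group_added", "svc_backup2", "Backup-Operators"),
    ("2023-10-08T03:02:00", "group_added", "svc_backup2", "Domain-Admins"),
    ("2023-10-09T14:00:00", "group_added", "jdoe", "Sales"),
]

# Assumed set of groups whose membership grants broad access to vital files.
PRIVILEGED_GROUPS = {"Domain-Admins", "Backup-Operators", "Finance-Share-Readers"}


def review_new_accounts(events, now, lookback_days=30, max_privileged=1):
    """Return findings for accounts created within `lookback_days` of `now`
    that look like a 'fake employee' being grown into a privileged account."""
    created = {}                  # account -> (creation time, detail)
    groups = defaultdict(list)    # account -> [(time, group), ...]
    for ts, event, account, detail in events:
        when = datetime.fromisoformat(ts)
        if event == "account_created":
            created[account] = (when, detail)
        elif event == "group_added":
            groups[account].append((when, detail))

    findings = []
    for account, (when, detail) in created.items():
        if now - when > timedelta(days=lookback_days):
            continue  # old account; outside the review window
        privileged = [g for _, g in groups[account] if g in PRIVILEGED_GROUPS]
        reasons = []
        if len(privileged) > max_privileged:
            reasons.append(f"{len(privileged)} privileged groups since creation: "
                           + ", ".join(privileged))
        if "hr_ticket=" not in detail:
            reasons.append("created without an HR ticket reference")
        if not 8 <= when.hour < 18:
            reasons.append(f"created outside business hours ({when:%H:%M})")
        if reasons:
            findings.append({"account": account, "created": when.isoformat(),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_new_accounts(AUDIT_EVENTS, datetime(2023, 10, 10, 8, 0)):
        print(finding["account"], "->", "; ".join(finding["reasons"]))
```

Each reason on its own is weak (service accounts are legitimately created at night, and a real new hire may need one sensitive group), which is why the check reports the combination and leaves the legitimate-versus-malicious decision to the person reviewing it.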
The backup cloud solutions that we now employ for our clients can detect when files are being encrypted in a matter of seconds and make a machine-level decision to cut the cord with the client’s servers instantly. A human can decide why the machine cut the cord and re-open the connection if it was a false alarm but the machine is usually right.
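To show what a "machine-level decision to cut the cord" can look like, here is an added example, not the backup product Electronic Office uses, of a guard that watches file writes arriving over a replication link. It treats a write as suspicious when a document is renamed with an extra extension or rewritten with near-random content (measured by Shannon entropy, with genuinely compressed formats excused), severs the link once too many suspicious writes land inside a short window, and keeps a human-operated switch to reopen it after a false alarm. The event format, thresholds and sample files are constructed assumptions.

```python
"""Entropy-and-rate heuristic for severing a backup replication link during an
encryption burst. Added example; thresholds and the event stream are assumed."""
import math
import random
from collections import deque
from pathlib import PurePath

# Formats that are high-entropy by nature and must not be mistaken for ciphertext.
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}
# Document types whose rename to "name.xlsx.locked" is a classic encryption sign.
DOCUMENT_EXTS = {".docx", ".xlsx", ".pptx", ".txt", ".csv"}


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 for empty or single-valued input, 8.0 max."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path, data, threshold=7.5):
    """True when a document gained an extra extension or was rewritten with
    near-random bytes (unless its format is compressed by nature)."""
    suffixes = [s.lower() for s in PurePath(path).suffixes]
    renamed_document = len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS
    compressed_by_nature = bool(suffixes) and suffixes[-1] in HIGH_ENTROPY_OK
    high_entropy = not compressed_by_nature and shannon_entropy(data) >= threshold
    return renamed_document or high_entropy


class ReplicationGuard:
    """Sever the link when `max_suspicious` suspicious writes occur within
    `window_seconds`; stay severed until a human calls reopen()."""

    def __init__(self, window_seconds=10.0, max_suspicious=5):
        self.window = window_seconds
        self.max_suspicious = max_suspicious
        self.recent = deque()      # timestamps of suspicious writes in the window
        self.isolated = False
        self.tripped_at = None     # index of the write that cut the cord

    def observe(self, index, ts, path, data):
        """Return True if the write may replicate, False if the link is cut."""
        if self.isolated:
            return False
        if looks_encrypted(path, data):
            self.recent.append(ts)
            while self.recent and ts - self.recent[0] > self.window:
                self.recent.popleft()          # drop events outside the window
            if len(self.recent) >= self.max_suspicious:
                self.isolated = True
                self.tripped_at = index
                return False
        return True

    def reopen(self):
        """Human override after review concludes it was a false alarm."""
        self.isolated = False
        self.recent.clear()
        self.tripped_at = None


def constructed_events():
    """A constructed write stream: three normal writes (one legitimately
    high-entropy archive), then six documents rewritten as '.locked' ciphertext."""
    rng = random.Random(7)
    randbytes = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    events = [
        (0.0, "finance/q3_summary.txt", b"Q3 revenue summary, draft 3.\n" * 40),
        (1.0, "finance/budget.csv", b"dept,amount\nsales,1200\nops,800\n" * 50),
        (2.0, "marketing/launch.zip", randbytes(4096)),
    ]
    for i in range(6):
        events.append((5.0 + i * 0.1, f"finance/report_{i}.xlsx.locked", randbytes(4096)))
    return events


def run_stream(events, guard=None):
    """Feed events through the guard; return (guard, number of writes replicated)."""
    guard = guard or ReplicationGuard()
    replicated = sum(1 for i, (ts, path, data) in enumerate(events)
                     if guard.observe(i, ts, path, data))
    return guard, replicated


if __name__ == "__main__":
    guard, replicated = run_stream(constructed_events())
    print(f"isolated={guard.isolated} tripped_at={guard.tripped_at} replicated={replicated}")
```

In the constructed stream the guard cuts the link on the fifth rewritten document, so only a handful of encrypted files reach the backup side, which is the trade-off described above: a few of the day's changes are lost, but the rest of the backup stays clean and a person decides whether to reopen.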
The stories about attacks against our clients are intense and disconcerting. Obviously, we keep these stories secret but we can tell you that none of our clients have ever had to pay a ransom to get their files back – yet. We say “yet” because the attackers are talented and relentless. There is no rest in a world where the bad guys are now using cell phone texting to trick employees into making mistakes and thereby gaining the first little bit of access into a network through a mobile device.
Refusing to pay a ransom does not have to mean downtime or business disruption. Clients who prepare well, conduct fire drill-style rehearsals, and invest wisely are back up and fully operational in 24 to 48 hours. Clients who are not so well prepared can be back up and running in one or two weeks—best case.
Clients who feel that they can afford to be down for a week never feel that way again after the first time it happens. It’s kind of like thinking that you are not too worried about your office building burning down because you can work remotely. Even though that thinking might be accurate, staring at a building turned to ashes is always going to be painful.
Please make cybersecurity a top priority for your company, regardless of who you work with to help you.