It was 2016 and bitcoin was hovering around $500. At Jasco Technology, we had just started servicing a new client we’ll call “Acme Co.”.
Acme had never used a professional IT management company before. For data protection, they were doing their own cloud backups and had never been in a situation where they needed to restore data from these backups. Acme had always assumed their cloud backups were working as expected. We offered our own backup services multiple times, but they declined.
Two months later, Acme’s backups would be put to the test.
One day the owner received an email from someone he did not know with a PDF purchase order attached. Besides the poor English, the email looked normal enough – they received purchase orders from customers and vendors all the time. He opened the PDF attachment but nothing displayed on his screen, so he tried a few more times with the same result. What he did not realize was that he had activated a ransomware program. It was now installed in Acme’s network and running an encryption program in the background, systematically locking them out of all their data. 30 minutes later, all of Acme’s files were locked and unusable.
Acme called the Jasco Technology Help Desk to report that every file they tried to open reported an error. This instantly let us know they had fallen victim to an email phishing scam (the fake purchase order) and were in the grips of a ransomware attack.
We immediately took action by determining that the attack vector was the email sent to the owner. The attachment he downloaded was not a PDF, but rather a ransomware application which he inadvertently installed. These are surprisingly easy to obtain – in fact, ransomware-as-a-service, or RaaS, can be purchased on the internet.
Our next actions were to isolate the affected computer to prevent any spread of the malware, and then restore Acme’s data from their backup. We opened their backup program with the help of the owner and we found…nothing. The backup program had no backup jobs scheduled, and not a single file had ever been backed up.
With restoring their data no longer an option, we moved onto the alternative: paying the ransom to recover the files. A friendly note from the hackers told us how to access their dark web payment portal, so Acme could transfer 3.5 bitcoins (about $1,900 US dollars at the time) to receive a key that would unlock all of Acme’s data.
In 2016, bitcoin was not the household name it is today and buying them was not a simple process. After some difficulty, we were able to buy the bitcoin through an online dark web message board. For those unfamiliar with the dark web, it is an unindexed layer of the internet originally created for secret communication between US intelligence agencies. It is accessible only with specialized web browsers, but these are readily available. Though it still has important legitimate uses, like protecting human rights workers and journalists from authoritarian censors, it has become the global black marketplace. Everything from weapons to narcotics to stolen data can be bought and sold on the dark web. And of course, pre-packaged malware like RaaS.
48 hours after the owner had opened the PDF we were ready to pay the hackers and get Acme’s files back. We followed the instructions the hackers had given us and accessed their dark web payment portal, entered the transaction number and transferred the 3.5 bitcoins to their Bitcoin wallet. We then received a message that said, “Thank you, we will be processing the transaction. The link to unlocked files be here shortly, check soon again”.
After some time we were given the promised key. We were able to recover all Acme’s files in about six hours. In total, they were locked out of their business data for three days.
Acme and Jasco Technology learned some critical lessons:
• Backing up a business’s data is ultra-critical and should be monitored daily. At Jasco Technology, we no longer allow our clients to manage and monitor their own backups – we use our backup system and monitoring.
• Acme is a run-of-the-mill small, local business. Cybercriminals choose these types of businesses, rather than larger enterprises with deeper pockets, specifically because they are confident they lack the cybersecurity planning to mitigate the attack, thus ensuring they are forced to pay the ransom.
• We always need to assume viruses, ransomware, and malware will occasionally get through even the best antivirus and email security services because of human error. Security Awareness Training is an essential security tool, as your employee is the final line of defense between your company’s data and hackers.
• Lastly, it’s important to remember that there are multiple costs associated with a cybersecurity event. While $1900 may not have been much on its own, Acme was out of business for three days. They also had to inform all of their clients and employees of this breach, losing trust and reputation in the process.
If you are unsure of your business data backup situation, feel free to contact us. We’re happy to answer any questions you may have. If you suspect you’ve already experienced some kind of malware attack or breach, consider our Dark Web Scan. It will quickly reveal if your passwords or other sensitive information have been compromised and are for sale on the dark web.
This is very much true and normally a “smaller business” will fall victim to a situation like this sadly. This just goes to show that valuing your IT infrastructure is as important as the data you hold within your company about customers, employees, and company data regardless how big or small the company is. This did not cost much to get the file encryption key to unlock the files but just think if this would of be a 6 figure ransom.
There’s a chance the company couldn’t pay it or even bounce back or even afford to keep their doors open if the ransom was too high on top of the impact of losing all their data. Glad it worked out for the company mentioned in the article above….Not all companies are as lucky and have to start over or lose their business due to the impact.
As IT support we need to help coach and educate our clients (or guide) what ever methods works best. Its why systems like backups and confirming they are properly installed and working is a big thing for any given company. Yes is harder to get the owner or any employee for that matter to not open up emails even if they look 100% legit. But it is easier to make sure the company has a solid backup solution in place and that it works and in this case actually backing up.