WannaCry, NotPetya, Bad Rabbit and CryptoMix Ransomware attacks increase this week
What a way to start the week. The very first call we received on Monday morning was "help, all our company files are encrypted!" No problem: we have various methods of recovering from malware, including previous versions, image backups and daily disk backups to restore from, so this should be a piece of cake.
After about 5 minutes it was very clear that this was no ordinary ransomware attack. This attack had encrypted the antivirus/anti-malware software, uninstalled the backup software, encrypted all data files as well as program files and then, finally, encrypted the backup disks too!
This particular client was still running a single server. Of course that means a single point of failure and therefore some serious downtime while we restored the entire network.
The only solution left to us was to wipe their one and only server and factory reset it to a brand new configuration. We then had to recreate the network settings, find and install the backup software and then restore the data from the backup disks. Of course, Friday's backup disk had also been encrypted, so the only option available to us was to use Thursday's backup disk. That's a day's work encrypted!
Once the data was restored we then had to reconnect all the workstations back to the rebuilt server and reconfigure email and settings.
Total down time for the client?
2.5 working days.
So what was different about this ransomware? Unusually, this ransomware encrypted all files and programs, and even uninstalled the antivirus protection. This is a huge step up from previous ransomware attacks.
In addition, it is widely reported that people who did pay the $1,200 ransom in Bitcoin (a digital, untraceable currency) still didn't receive decryption codes after several days and repeated attempts.
How did it attack the network?
It's very difficult to be sure, as the original server was so badly encrypted that it was impossible to read any logs. Coupled with the fact that this was the only server on the network, our priority was getting the system operational rather than investigating the root cause. Others on the internet say that it was likely spread via email, such as a parcel delivery email, and then ran silently in the background posing as an Adobe Flash update. All this time it was quietly encrypting files in the background.
Could it have been prevented?
Ransomware is evolving very fast. Scammers and criminals worldwide are latching on to this as the new easy cash cow. For that reason, many anti-malware / antivirus packages are struggling to keep up with advancements in ransomware. Unfortunately, I think ransomware will continue to increase in its ferocity until victims stop paying the ransoms.
The only way to prevent this sort of attack is to never click links in emails or on websites unless you are absolutely certain of their source.
NEVER OPEN UNEXPECTED ATTACHMENTS
Can recovery be any faster?
Yes, in three ways:
- Businesses that rely on a single server should seriously consider having multiple servers.
- Backup technologies have changed; switch to our next generation Hybrid Backup Solution for much faster recovery.
- Utilise virtualised servers wherever possible (this depends on use case and technical requirements).
In summary, ransomware attacks have reached a whole new level. Protection relies solely on your diligence and on not clicking unexpected links in emails or on the internet. Backups have changed too: has yours, or are you still using outdated backup technologies?
If you have any concerns about your network, server or policies please give us a call today and we will be happy to discuss your current configuration and ways of adding improved protection.