David was unable to take part in his regularly scheduled radio spot on WATD this morning because he was at the office of the client described in the following article. It contains an important warning that needs to be heeded.
Recently, we received a call from a client whose network had been hijacked by CryptoWall 3.0. This was the fourth or fifth client to fall prey to this evil menace, so we thought we knew the drill: isolate and shut down the computer that was the source of the infection to limit the damage, then restore their files from their offsite backup.
This client had two MAJOR issues that made this a HUGE problem for them. First, the user who was the initial victim of the virus ignored the pop-up that said they had gotten CryptoWall and continued to work, for several days. This gave the malware time to encrypt every file the user could write to, including their server shares and their OneDrive and Dropbox folders (the sync clients dutifully pushed the encrypted copies up to the cloud, overwriting the good ones). They only called us when they were unable to work because their crucial data had been encrypted. Second, with no reliable offsite backup to restore their data from, they had two choices: PAY THE RANSOM or GO OUT OF BUSINESS!
This is where the story gets even scarier! The ransom was $500 in Bitcoin, an internet currency. Bitcoin moves money between any two parties anywhere in the world without any bank or other financial intermediary, and once a payment is sent it cannot be reversed. So who's to say the evil ransomers would even hand over the decryption key after being paid? Who could they complain to, the "Evil Hackers Integrity Guild"?
Paying in Bitcoin was VERY TRICKY. After lots of research, David recommended a New York Bitcoin reseller over the countless Chinese and other offshore suppliers, because David was actually able to call them and talk to someone. They had very specific instructions to make sure the transfer went through by the 7:30pm Wednesday deadline:
· CASH had to be deposited into the Bank of America account provided by the Bitcoin seller, NO credit cards, because a credit card transaction can be reversed.
· DO NOT tell the teller that the deposit is for Bitcoin, because the bank will hold up the transfer.
· The deposit was for almost $700, because two transaction/handling fees were attached and they had to guess the market value of the Bitcoin at the time of transfer. If the amount came up short because of the exchange rate, they would have to purchase additional Bitcoin to complete the ransom payment.
At 7:30pm the transaction was received and in process, but it wasn't actually confirmed until sometime in the middle of the night. Both David and our client were on pins and needles until the payment was accepted and they received the decryption key. At 5:30 Thursday morning, David started decrypting files.
Once all the files have been decrypted and copied off, the first infected computer and the server will have to be formatted and reinstalled. Even though the files have been decrypted, there is no way to tell whether the ransomware hackers included any special "extras" in the decryption tool they sent, so nothing that ran it can be trusted.
The lesson for today’s story:
1: Protecting your business from this type of attack takes more than simply having anti-virus software or a firewall installed. The weakest link in the security chain is the computer user who clicks on an e-mail attachment they believe is legitimate. EVERY email attachment should be considered suspicious. Employee training and regular security reviews are critical for every business in today's insecure internet environment. And if anyone gets a pop-up window like the one this client ignored, STOP WORKING, disconnect the computer from the network, and TELL SOMEONE!
2: The ONLY way to ensure you can survive this type of attack is to have a reliable offsite backup that is regularly tested and verified. A cloud sync folder such as OneDrive or Dropbox is NOT a backup; as this client learned, it happily syncs the encrypted files over your good copies. Without a real offsite component you risk losing all of your critical business data in the blink of an eye. Consider for a moment that if the hackers' system is taken offline by a law enforcement organization (which is exactly what happened with the first two Crypto variants), then even if you paid the ransom there would be no way for the hackers' system to generate the key needed to decrypt your precious data.
Also – we NEVER recommend paying a hacker for this type of problem as it simply proves that they can make money this way so the ransomware problem continues and escalates. Unfortunately, in a case like this one with no offsite backups – they had no choice but to take their chances, pay the money and hope for the decryption code.
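Lesson 2 says a backup has to be regularly tested and verified, and the story shows why: a sync or backup job that blindly copies whatever is on the share will replace good copies with encrypted ones. The script below is an added example, written for this article and not something the client or our company used; it checks a backup tree against a manifest of hashes recorded when the data was last known good, and flags files that have changed AND now look like random bytes (high Shannon entropy is the fingerprint of bulk encryption), which is the signal to stop the backup job and raise the alarm before the good copies are gone. The sample documents, the manifest format and the toy "encryption" routine are all constructed for the demo; the toy routine is just a stand-in and is not CryptoWall's algorithm.

```python
"""Backup verification: catch ransomware-encrypted files before they replace good copies.

Added example for this article, not the client's or the author's own tooling.
Assumes a simple manifest (relative path -> sha256 hex) taken when the backup was known good.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits per byte; documents sit far below this, ciphertext is close to 8.0


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued data, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: str) -> dict:
    """Record the sha256 of every file under root. Run this when the backup is known good."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root: str, manifest: dict, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Compare a tree against a known-good manifest.

    ok:         unchanged
    changed:    hash differs but content still looks like a document (a normal edit)
    suspicious: hash differs and content is now near-random, the signature of bulk encryption
    missing:    in the manifest but gone from the tree
    """
    result = {"ok": [], "changed": [], "suspicious": [], "missing": []}
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            result["missing"].append(rel)
            continue
        if sha256_file(full) == expected:
            result["ok"].append(rel)
            continue
        with open(full, "rb") as f:
            head = f.read(65536)  # the first 64 KiB is enough to tell ciphertext from a document
        if shannon_entropy(head) >= threshold:
            result["suspicious"].append(rel)
        else:
            result["changed"].append(rel)
    return result


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for ransomware encryption (SHA-256 counter-mode keystream XOR).
    Demo assumption only; this is NOT CryptoWall's algorithm."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def demo() -> dict:
    """Constructed scenario: take a manifest, then let 'ransomware' hit the share."""
    root = tempfile.mkdtemp(prefix="backup_demo_")
    docs = {
        "invoices/2015-q1.csv": b"date,customer,amount\n" + b"2015-01-15,ACME,1250.00\n" * 200,
        "contracts/lease.txt": b"This lease agreement is made between the landlord and tenant. " * 80,
        "notes/todo.txt": b"call supplier about the delayed shipment\n" * 50,
    }
    for rel, content in docs.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    manifest = build_manifest(root)  # known-good snapshot

    # 1. a legitimate edit: the user appends to a note
    with open(os.path.join(root, "notes/todo.txt"), "ab") as f:
        f.write(b"book the conference room\n")
    # 2. malware encrypts the invoices in place
    inv = os.path.join(root, "invoices/2015-q1.csv")
    with open(inv, "rb") as f:
        plain = f.read()
    with open(inv, "wb") as f:
        f.write(toy_encrypt(plain, b"demo-key"))
    # 3. a file has been deleted
    os.remove(os.path.join(root, "contracts/lease.txt"))

    return verify_backup(root, manifest)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:10s} {files}")
```

Run it before every backup cycle: a non-empty "suspicious" list means the backup job should stop and the previous backup set must be kept instead of being overwritten. The edited note lands in "changed", not "suspicious", so ordinary work does not trip the alarm.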