May 2018 © Xenium IT Corp

xenium.ca

70% of business targeted are successfully infected by Ransomware and many never got their data back. One company did get their

data back, but at great cost.

RansomwareAn Anatomy of an AttackA CASE STUDY

2

A bit of paranoia is understandable in today’s world of rampant viruses, malware, phishing expeditions, and other cybercrimes: research says that the cost of cybercrime will reach an estimated $2.1 trillion by 2019.

Ransomware accounts for billions of that loss. In addition to the ransom payment, there is lost revenue, legal and regulatory damages, downtime, and data loss.

Ransomware risks the viability of the business itself

Organizations in every industry are potential targets – from large manufacturers to small accounting firms to municipalities. The pirates carrying out these operations are smart; they tend to target higher-level executives who likely have the right kind of access to the network, rather than lower-level employees who might not. As many as 75 percent of those targeted get infected.

For one mid-size manufacturing business (that prefers to remain nameless), it was an email to an executive that set off a nightmare chain of events.

The email appeared to come from a customer – one the executive was familiar with – and it had an unsolicited attachment. The recipient was leery of opening it, and “confirmed” via email that the sender did indeed send the message. Fortunately, nothing out of the ordinary seemed to happen.

A short time later, however, the customer tells the executive he didn’t send that email. The exec asked the IT team to scan the system for viruses and malware, but nothing obvious was found.

Two weeks later, it hits. The company received notice that all its active data and offsite backups were encrypted by hackers who demanded payment to recover business-critical information.

One Single Email. Immeasurable Damages.

Ransomware – An Anatomy of An Attack

3

What happens after you pay?The company decided to pay the ransom of 10 bitcoins, at the time the equivalent of around $50,000. Cryptocurrency is preferred by ransomware perpetrators because it’s untraceable, and once payment is made, payments can’t be revoked. It can be “spent” throughout international marketplaces and can be quickly split apart and traded away, making it nearly impossible for authorities to intervene.

Because bitcoins are still a bit hard to come by, the company turned to Xenium, a premium IT provider, to obtain the cryptocurrency, satisfy the ransom request, and recover the data. There was a delay in acquiring the currency, so, the pirates increased the ransom by 50%. It was now $75,000 in bitcoins to recover their data!

“The pirates were very savvy,” said Frank Kuschmierz, CEO of Xenium. “The first step was to show that they had the data. They said, ‘Here’s one server, here’s one password for it so you can unencrypt it and read it again.’ After knowing that they had the information, 10 bitcoins were paid and the pirates released five more servers. Because it took two days to get everything arranged, and to get the bitcoins, the pirates literally said, ‘OK, we want 5 more bitcoins.’ Each time along the way, they released a little bit more server information, but they knew exactly which information was valuable. They only released the most valuable data when all the ransom was paid.”

Even after recovering all of the hijacked servers, the nightmare continued. The pirates inserted some malicious code that caused the restored servers to crash, so recovery took three times longer than expected. Kuschmierz said that it is common for pirates to come in and hit again if companies are not quick enough to put in preventative measures.

“We’ve heard of cases where the pirates allow companies to recover and then hit them again and say, ‘Hey, we want more money,’” said Kuschmierz. “That’s very common. That’s a very big risk.”

The company estimates this week of downtime resulted in a million dollars in lost revenues on top of all the other costs.

Ransomware – An Anatomy of An Attack

Never Lose Data. Never Pay a Ransom.This company was among the lucky ones. An estimated 20 percent of companies that pay ransoms still fail to recover their data. Law enforcement is not able to help much with ransomware attacks originating from outside their jurisdiction, oftentimes from international locations. Normal business insurance also typically does not cover incidents such as ransomware – that requires specialized, and expensive, cybercrime insurance.

Kuschmierz says that fortunately, effective cyberattack protection is much the same as everyday data protection processes already in place at most organizations: protect data offsite, educate users, use firewalls to secure points of entry.

“It’s a similar scenario to a house,” said Kuschmierz. “To protect from thieves a homeowner will lock the doors, close all the windows, protect all the valuables on the inside, and put money in a safe. Similarly, this is what IT service providers do for your business—provide network and data protection.”

Kuschmierz recommends organizations implement a data protection and data availability solution like Xenium XeProtect to eliminate the risk of ransomware, data loss, and downtime. XeProtect combines an onsite hardware appliance, ioFABRIC software, and managed services to keep a copy of data on-premises and a copy in the cloud. ioFABRIC’s immutable snapshots allow recovery from any point-in-time, on-premise or in the cloud, with no data loss. XeProtect ensures data is backed up and recoverable, secure from malicious attacks, and encrypted to meet security and compliance requirements. With XeProtect, data is always safe, always available, and ransoms don’t need to be paid.

4 Ransomware – An Anatomy of An Attack

After helping the infected company recover from its attack and ensure future protection, Kuschmierz warned Xenium’s customer base to be aware of the possibility of similar incidents. Xenium also did a presentation on ransomware with ioFABRIC and a local police department to encourage businesses to protect their data. The police Chief said that ransomware is becoming a bigger problem than drugs, and there’s not much they can do about it.

“Nobody wants to come out and say, ‘We were the ones who got hit,’ so it becomes a big secret even though there are more and more cases of it occurring on a daily basis,” said Kuschmierz. “That’s why it is so important that companies take the initiative to protect their data themselves, before getting hit with ransomware and not being able to recover.”

5

RANSOMWAREThe elephant in the room that’s only getting bigger

Ransomware – An Anatomy of An Attack