NetConnect Blog - Your Resource For IT Tips, Tricks and News

Ransomware: A Tale of Three Companies

Posted by Michelle Killian, FRSecure Security Analyst on Apr 14, 2016 10:09:00 AM

Our partner, FRSecure has been busy of late responding to calls regarding ransomware. They've seen a few success cases but not enough, so Michelle Killian, FRSecure Security Analyst, thought it would be useful to review three of the common scenarios they are encountering, what the outcome has typically been and what you can do to prepare and protect yourself from this nasty attack.

But First, What Is Ransomware?

“Ransomware?” you say. “What’s that?” Well, if you are lucky enough to not have been either directly or indirectly affected by ransomware, we'll give you a brief rundown:

Ransomware is a type of malware (malicious software) that attempts to block access to assets belonging to a victim (i.e. your files) and only unblock in exchange for a ransom payment.

The variant of ransomware running rampant today infects your device and encrypts (or locks) all the files you have access to, making them completely unusable to you unless you get the key to decrypt (or unlock) the files. The malware searches for and encrypts all applicable file types (including Word and Excel documents and PDFs) both on your device and on any shares you are mapped to, meaning the more access your device has, the more damage the malware can do.

While there are many ways your system can be infected, ransomware is typically delivered through an email phishing attack or website drive-by-download attack.

[Image: Attack Overview]

[Image: Download Overview]

In order to decrypt the files, you have to get the key from the attacker who distributed the malware, which costs money, typically in the form of bitcoins. Up until recently, the attackers were demanding basically the same amount of ransom regardless of who they infected – typically between $500-1000, but they’ve now discovered that some targets are willing to pay much more and have started demanding ransom payments more proportional to the information they are holding hostage.

What FRSecure is Seeing

Michelle Killian lumped the companies FRSecure is hearing from, both in the field and from incident response calls, into three broad categories. Read along, see which group your organization most closely aligns with, and take away some action items to better prepare yourself!

Company 1: The Not-So-Lucky One

Company 1 calls shortly after getting that gut-wrenching pop-up notifying them that they’ve been ransomed, unsure of what to do or where to start. They haven’t really been good about consistently backing up their data so they don’t have a viable backup to restore from.

[Image: CryptoLocker]

These are usually painfully quick and unsatisfying conversations. While FRSecure always recommends doing some research on the particular malware strain to see if a key has been obtained and shared, odds are, if you don’t have a backup of your data, your only real option to get your data back is to pay up. For Company 1, this is exactly the outcome and after learning the ins and outs of Bitcoin, they are back up and running, less $500, and working diligently on formalizing their backup strategy.

FRSecure Does Not Support Paying The Ransom

For the record, FRSecure does not encourage paying the ransom as the best solution to this problem. Paying only encourages this type of activity to continue to grow and makes you a bigger target for future attacks. Additionally, FRSecure has seen many instances where the decryption process hasn’t gone smoothly and not all files are recovered. However, if there is no other way to get the information that’s been ransomed and it’s necessary for operations then sometimes this is the only solution.

Company 2: The Oh-So-Close-But-Not-Quite One

Company 2 got the same pop-up notification with ransom-payment instructions, but threw high-fives all around because they’ve got good backups and regularly test them, so they knew that this was but a blip in the road. They restored the systems they determined to be impacted by the malware from backup and resumed operations as normal.

Until they got a call from a user freaking out because their data was no longer usable. Turns out there was a small subset of the organization that was supposed to be segmented off (but wasn’t) and for all intents and purposes was thought to be no longer in use (but was) so the share wasn’t being backed up regularly. And the data stored on this share was pretty important.

So, while Company 2 was able to successfully restore most of their files from backup, because they didn’t have an updated inventory of their data resources, they still ended up paying a ransom to get the files from the not-so-segmented share back. And now they are focused on a top-to-bottom user access review and data mapping exercise to make sure they know where all their data lives and who has (and who should have) access to it.
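Company 2's gap was an in-use share that nobody had mapped and nobody was backing up. The following is an added example (not code from the original post or from FRSecure) of the kind of access review and data-mapping check that would have surfaced it: given which shares each user can write to and which shares are in the backup rotation, it computes the "blast radius" of a single infected user and flags shares that an infection could reach but a restore could not recover. All users, share names and permissions are constructed sample data.

```python
"""Added example: access review / blast-radius helper for a ransomware
tabletop.  User names, shares and permissions below are constructed
sample data, not data from the post."""

# Constructed sample: user -> shares mapped with write access.
ACCESS = {
    "alice": {"finance", "hr", "archive"},
    "bob": {"engineering", "archive"},
    "carol": {"finance", "engineering", "hr", "sales", "archive"},
}

# Constructed sample: shares in the backup rotation.  "archive" plays the
# part of the Company 2 share: still in use, but not backed up.
BACKED_UP = {"finance", "hr", "engineering", "sales"}


def blast_radius(user, access=ACCESS, backed_up=BACKED_UP):
    """Return (shares_at_risk, unrecoverable) if this one user's device
    were infected: everything it can write to, and the subset with no
    backup to restore from."""
    at_risk = set(access.get(user, ()))
    unrecoverable = at_risk - backed_up
    return at_risk, unrecoverable


def exposure_report(access=ACCESS, backed_up=BACKED_UP):
    """Rank users by how many shares one infection would reach, listing
    the shares that could not be restored."""
    rows = []
    for user in access:
        at_risk, unrecoverable = blast_radius(user, access, backed_up)
        rows.append((user, len(at_risk), sorted(unrecoverable)))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


def unbacked_shares_in_use(access=ACCESS, backed_up=BACKED_UP):
    """Shares that somebody can still write to but that are missing from
    the backup set: the data-inventory gap."""
    in_use = set().union(*access.values()) if access else set()
    return sorted(in_use - backed_up)


def revoke_unneeded(access, needed):
    """Apply a need-to-know review: keep only the shares each user needs.
    Re-running exposure_report on the result shows the reduced blast
    radius."""
    return {u: set(shares) & set(needed.get(u, ())) for u, shares in access.items()}


if __name__ == "__main__":
    for user, count, gaps in exposure_report():
        print(f"{user}: {count} shares at risk, no backup for {gaps or 'none'}")
    print("in use but not backed up:", unbacked_shares_in_use())
```

The report answers the two questions the post raises: which single user would cause the most damage, and which data would be gone for good. Feeding the output of `revoke_unneeded` back into `exposure_report` shows how far a least-privilege review shrinks that exposure.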

Company 3: The Ready-For-Your-Stupid-Virus One

Company 3 called in advance of getting the ubiquitous pop-up. They noticed some files they were working on were changing and becoming inaccessible and suspected they might be in the process of being infected by ransomware. With a little digging we were able to confirm their suspicions and set about containing the malware.

The one nice thing about ransomware is that it’s pretty easy to determine where the attack started, because the device where the infection initiated will be the device that provides the notification and instructions on how to pay up. But, on the flip side, once the pop-up shows up, it’s too late to contain the malware. So, you have to do some work while it’s in the process of spreading to find the source and contain it.

For Company 3 there was some suspicion around a particular attachment and a particular user (based on internal conversations and where the file changes were taking place) so it was relatively easy to pinpoint the source. With that knowledge, we were able to isolate the system (disconnect it from the network and internet) and work on replacing the infected files.

Company 3 not only had replication of data to the cloud but also maintained regular offsite backups. The cloud replication had already uploaded the encrypted versions of the files, so we had to pinpoint when the ransomware was downloaded in order to revert to the clean files, but after about four hours Company 3 was back up and running with no ransom paid. Even so, Company 3 is not resting on their laurels; they used this close call to conduct additional user training on the perils of email and phishing attacks.
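The Company 3 story describes three things done while the infection was still spreading: spotting files changing into something unusable, pinpointing which user and device the changes came from, and fixing the moment of onset so that the cloud copies could be rolled back to versions older than that. The block below is an added example, not code from the original post or from FRSecure, that runs that logic over constructed file-server audit events: it looks for a burst of renames to an extension nobody normally uses, reports the originating user, host and onset time, and then picks the newest replicated version of a file that predates the onset. The event format, user and host names, the `.locked` extension and the version history are all constructed assumptions.

```python
"""Added example: detect an in-progress encryption burst from file audit
events, identify its source, and choose a clean restore point.  All
events, names and versions are constructed sample data."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events: (timestamp, user, host, action, path).
# Renames are recorded as "old -> new".
EVENTS = [
    ("2016-04-08T15:58:10", "bob",   "WS-BOB",   "modify", r"\\fs1\eng\spec.docx"),
    ("2016-04-08T16:01:02", "alice", "WS-ALICE", "rename", r"\\fs1\finance\q1.xlsx -> q1.xlsx.locked"),
    ("2016-04-08T16:01:03", "alice", "WS-ALICE", "rename", r"\\fs1\finance\q2.xlsx -> q2.xlsx.locked"),
    ("2016-04-08T16:01:05", "alice", "WS-ALICE", "rename", r"\\fs1\finance\budget.pdf -> budget.pdf.locked"),
    ("2016-04-08T16:01:06", "alice", "WS-ALICE", "rename", r"\\fs1\hr\roster.docx -> roster.docx.locked"),
    ("2016-04-08T16:01:09", "alice", "WS-ALICE", "rename", r"\\fs1\hr\policy.docx -> policy.docx.locked"),
    ("2016-04-08T16:03:30", "bob",   "WS-BOB",   "rename", r"\\fs1\eng\draft.docx -> draft-v2.docx"),
]

# Extensions that are normal for this (constructed) environment.
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt"}

# Constructed cloud version history for one file: (timestamp, label).
VERSIONS = {
    r"\\fs1\finance\q1.xlsx": [
        ("2016-04-07T18:00:00", "clean-v1"),
        ("2016-04-08T09:30:00", "clean-v2"),
        ("2016-04-08T16:01:02", "encrypted"),
    ],
}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def _new_extension(path):
    """Extension of the new name in an 'old -> new' rename record."""
    new_name = path.split(" -> ")[-1]
    return new_name.rsplit(".", 1)[-1].lower() if "." in new_name else ""


def detect_bursts(events=EVENTS, window=timedelta(seconds=60), threshold=4):
    """Return alerts (user, host, onset, suspicious_rename_count) for any
    user/host that renamed at least `threshold` files to an unknown
    extension inside one sliding window.  Onset is the first suspicious
    rename, which is the point to contain from and to restore before."""
    suspicious = defaultdict(list)
    for ts, user, host, action, path in sorted(events):
        if action == "rename" and _new_extension(path) not in KNOWN_EXTENSIONS:
            suspicious[(user, host)].append(_parse(ts))
    alerts = []
    for (user, host), times in suspicious.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, host, times[start].isoformat(), len(times)))
                break
    return alerts


def clean_version(path, onset, versions=VERSIONS):
    """Newest replicated version strictly older than the burst onset, or
    None if every stored version is already post-infection."""
    candidates = [(ts, label) for ts, label in versions.get(path, [])
                  if _parse(ts) < _parse(onset)]
    return max(candidates) if candidates else None


if __name__ == "__main__":
    for user, host, onset, count in detect_bursts():
        print(f"ALERT {user}@{host}: {count} suspicious renames, onset {onset}")
        print("restore from:", clean_version(r"\\fs1\finance\q1.xlsx", onset))
```

Bob's rename to `draft-v2.docx` keeps a known extension and never counts, so only the burst from `WS-ALICE` alerts. The onset timestamp from that alert is exactly what the post says Company 3 had to pinpoint: the cloud copy taken at 16:01:02 is already encrypted, so the 09:30 version is the one to roll back to. In a real environment the audit events would come from file-server auditing or an endpoint agent rather than a list.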

How To Protect Your Company (and Yourself)

One thing Killian would like to point out when talking about ransomware is that this virus does not discriminate. It will hit you at home and take your $500 just as readily as it will at the office. So her advice is advice that can be implemented in both environments and should be strongly considered if you place any value on the information residing on whatever device you use (PC, Mac, smartphone, tablet… all devices are fair game for this bugger).

What You Can Do:

  • Inventory your data: This is Information Security 101, but we aren’t generally that great about it. Do you know where all of your information is stored? Map out all of your data repositories and then audit regularly to make sure it’s still appropriate.
  • Back it up: This is your #1 defense against ransomware. Determine how long is acceptable for you to be out of commission (1 hour, 1 day, 1 week?) and build out an appropriate backup strategy that ensures you can meet that acceptable level. Consider multiple types of backups in the event one gets compromised and regularly test the effectiveness of the backups. Side note: many versions of the ransomware either destroy your shadow copy or encrypt it before notifying you that you’ve been ransomed so do not let your shadow copy be your only backup solution.
  • Implement need-to-know access: Do you know, with certainty, who has access to what information? Or do you take an “everyone needs access to everything” approach? Play out a few tabletop exercises with ransomware and you may be re-thinking that approach. Treat user access to data as a protective control: limiting what each user can reach limits how much information any one infected user can expose. And, like the data inventory, review this access periodically and audit users to ensure nothing is changing.
  • Continue to train users: Make sure your user base knows what the current risks are to them so they are better able to protect both themselves and your organization. Train them on the signs of ransomware so they can report it before the pop-up does, which can help mitigate the damage done. Remember that your users are computing at home too, so they have a vested interest in being a bit more technical – teach them about disconnecting from the internet, unplugging from the network, and the importance of controlling access to information.
  • Strengthen technical controls: there are some pretty easy solutions that you can implement that can help protect you from installing ransomware, including:
    • Block EXE file attachments so users cannot directly run executable files from emails.
    • Disable macros in Office applications, where malicious code is often embedded.
    • Implement web filtering to block known malicious sites.
    • Remove local admin rights so users are forced to enter in a privileged username and password to run new software.
    • Develop and implement a patch and vulnerability management program; many variants use vulnerabilities in applications to infiltrate your system.
    • Implement group policies and other restrictions on common payload entry points, such as the %AppData% folder.
  • Check online for solutions: If you don’t have a good backup to restore from, before you give in and pay the ransom, do some research to see if a key has been uncovered. Great sources to consider include Malwarebytes, Kaspersky Ransomware Decryptor and BleepingComputer. Do not remove the malware until you are sure all of your files have been successfully recovered.
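Two of the technical controls in the list above (blocking executable attachments, and restricting what can run from per-user locations such as %AppData%) are easiest to get right when the rule is written down and tested against sample inputs before it is pushed out. The block below is an added example, not code from the original post or from any mail-filtering or group-policy product: it expresses those two rules as plain functions and checks them against constructed file names and paths. The extension lists, the `block`/`quarantine`/`allow` verdicts, and the allowed and denied path roots are assumptions chosen for illustration.

```python
"""Added example: attachment and execution-path rules from the post's
technical-controls list, written as testable functions.  Extension sets,
verdict names and path roots are constructed assumptions."""

import ntpath

# Executable or script attachment types to refuse outright.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta"}
# Macro-enabled Office formats: hold for review rather than deliver.
MACRO_ENABLED = {"docm", "xlsm", "pptm", "dotm", "xltm"}

# Roots from which program execution is permitted (software-restriction
# style allow list); everything else, including the user profile, is denied.
ALLOWED_EXEC_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")
# Per-user writable locations that ransomware droppers commonly write to.
DENIED_EXEC_MARKERS = (r"\appdata\roaming", r"\appdata\local")


def attachment_verdict(filename):
    """Classify an email attachment by every extension in its name, so a
    double extension such as 'invoice.pdf.exe' is judged by the '.exe'
    and not by the '.pdf' in front of it."""
    parts = filename.lower().split(".")[1:]  # all extensions after the base name
    if any(p in BLOCKED_EXTENSIONS for p in parts):
        return "block"
    if any(p in MACRO_ENABLED for p in parts):
        return "quarantine"
    return "allow"


def execution_allowed(image_path):
    """Default-deny execution rule: run only from the allowed roots and
    never from the user's AppData tree, whatever form the path is in."""
    p = ntpath.normcase(ntpath.normpath(image_path))  # lower-case, backslashes
    if any(marker in p for marker in DENIED_EXEC_MARKERS):
        return False
    return p.startswith(ALLOWED_EXEC_ROOTS)


def evaluate_samples(names, paths):
    """Run both rules over sample inputs; returns two dicts for review."""
    return ({n: attachment_verdict(n) for n in names},
            {p: execution_allowed(p) for p in paths})


if __name__ == "__main__":
    # Constructed samples, not real attachments or processes.
    verdicts, launches = evaluate_samples(
        ["quarterly.xlsx", "invoice.pdf.exe", "Report.XLSM", "README"],
        [r"C:\Windows\System32\notepad.exe",
         r"C:\Users\alice\AppData\Roaming\update.exe",
         "C:/Users/alice/AppData/Local/Temp/setup.exe",
         r"C:\Users\alice\Downloads\setup.exe"],
    )
    for name, verdict in verdicts.items():
        print(f"attachment {name!r}: {verdict}")
    for path, ok in launches.items():
        print(f"launch {path}: {'allowed' if ok else 'denied'}")
```

The point of `attachment_verdict` is the double-extension case: a filter that looks only at the last extension, or only at the first, gets one of the two sample files wrong. `execution_allowed` normalizes the path before matching, so a forward-slash or mixed-case variant of an AppData path is denied just like the canonical one. A real deployment would carry these rules in the mail gateway and in AppLocker or Software Restriction Policies; the functions here only let you test the intended policy on paper first.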

There’s no doubt about it, ransomware stinks. But it is a good reminder of how a strong information security program can protect you and how sticking to the basics (asset management, access control, backup management, user training) will continue to pay off.

Blog post provided by: Killian, Michelle. N.p., 7 Mar. 2016. Web. 12 Apr. 2016.

Are you interested in improving your processes to reach your security goals? Reach out to the team at Network Center, Inc. for more information on how utilizing FRSecure can positively impact your company.


Topics: Network Security, Security, Ransomware

Dear Ransomware...

Posted by Sean Todd on Apr 8, 2016 1:00:00 PM

Dear Ransomware – let’s get familiar

First, let’s define what ransomware is. Basically, it’s a piece of malware that is able to infect a device that will prevent an end user from either accessing the device itself, or the data on the device. Typically, the person responsible for creating the ransomware will require the user to pay a fee in order to regain access to the infected files or system. Even when you think you’ve got your environment configured with the right layers of software designed to prevent an infiltration of potentially destructive ransomware, there’s still a good chance you may become a victim.

Sounds like a pain, right? Well, it could get much more serious than that pretty quickly. Let’s assume that device is on your corporate network. Let’s also assume that the user of that device has access to files on the network. See where this is going? It now has the potential to affect files across the network. All that business-critical data is now at the mercy of a cyber-criminal demanding a ransom payment before giving you back your access, if at all. You don’t just lose access to the files; you also stand to lose productivity and to pay for legal fees, IT services, customer service, etc. It adds up quickly.

So what exactly does this ransomware do? The most common side effect is file encryption, and encryption that is, at this point, practically impossible to crack. It has the ability to encrypt not only data on your local device, but also data across the network that the user has access to. Without a good backup or paying the ransom, you can say good-bye to your data. Even a backup will only get you back to the point in time when it last ran successfully. That means if your backup ran last night and the ransomware hit today at 4pm, you’ve pretty much lost an entire day of work, not only for a single individual but potentially for an entire company.

But I have antivirus, that’s enough, right? I hate to be the bearer of bad news, but antivirus software alone simply isn’t enough anymore. You need a layered approach to your preventative arsenal.

  1. Education – Educate yourself and end users on how to detect these threats. Limit the amount of casual internet browsing and if an email seems fishy, there’s a good chance it is. Remember, ransomware can infect you in multiple ways.
  2. Email Filtering – Use a spam service to filter email before it gets to your mail server and inbox. Even users of hosted email platforms should consider using 3rd-party email filtering as an added layer of security.
  3. Web Filtering – Ransomware doesn’t just come from email. It can come from very popular legitimate websites as well. Utilizing some type of web filtering could help prevent access to infected websites or syndicated ads carrying malicious code.
  4. Antivirus – Use reputable antivirus. This is usually the last point in the preventative stage. Having up to date antivirus could be your saving grace, although there are never any guarantees. Even older versions of antivirus with up to date virus definitions could make you vulnerable. Much like the cyber criminals who are continuously trying to evade the various levels of protection, antivirus vendors are constantly evaluating and improving their software in order to combat the latest threats.

It's unfortunate that there are new stories daily of companies large and small being targeted by these malicious campaigns. There’s no doubt it will only get worse before it gets better as these threats are constantly evolving. They tend to get more destructive with each iteration and some aren’t even offering the option to decrypt anymore. Your best defense is a multi-layered approach. The more layers, the less chance of becoming the latest victim. Bottom line, it needs to be taken seriously.

Topics: Email Security, Network Security, Security, Ransomware
