When ransomware strikes - how a UK SME coped with a deadly strike on its data

13.05.2016
As a UK-based building consultancy discovered the hard way, being hit by ransomware is like staring down the barrel of a loaded gun during a quiet evening stroll.

One minute the company is a functioning business, the next it's being extorted by people it has never met, a threat it hasn't heard of and an alien crime it might have been only dimly aware even existed.

The firm later traced the fateful infection by a ransomware variant called DMA Locker back to an email attachment opened in Outlook at 21.46 on 6 March, a vulnerable moment because it happened to be a Sunday, a day when most of the firm's 30 employees were at home.

As with so many ransomware infections, the simple act of opening one attachment became a gateway to a world of trouble. The malware immediately started encrypting files on the first PC before successfully reaching out to a series of attached network drives. With nobody around accessing those shares, nothing untoward was noticed until the next day by which time 90 percent of the files the company rated as critical to its business had been scrambled using AES-256 - or at least that's what the malware claimed in the ransom message.

DMA Locker is nothing special by ransomware standards and early variants were even described as amateurish by security researchers when it first appeared in February 2016 due to major flaws in its encryption. It seems likely that the building consultancy was hit by a later patched version that presented a more serious challenge.

Most ransomware demands a modest ransom, usually between $500 and $1,000 in Bitcoins, but this one asked for £6,500 ($9,500), an unusually high price that strongly suggests that the attackers had carried out a targeted raid in which the ransom is calibrated to the likely effect on the victim.

Creepily, it is possible that ransoms are now being decided after the files have been encrypted and their number and value has been assessed.

When ransomware strikes - AV failure

The firm had firewalls - no defence whatsoever against this kind of malware - which meant its only line of defence was antivirus software running on each PC. This layer failed to notice the ransomware, not surprising given that the variant was new. This inability of antivirus to stop aggressive ransomware makes such attacks similar to zero days.

The firm had no security team which meant that reinstating the encrypted files from backup presented an onerous challenge. This is another common theme mong SMEs but even larger organisations with staff on hand find locating backups and installing them a headache that could take days or weeks.

It's all part of the extortionist's business model - the cost of reinstating encrypted files (assuming such backups exist for all lost files) - costs more than the ransom. An unknown but growing number simply pay up because it's the cheapest option.

Managed security provider and IT consultancy Alchemy Systems was called in by the victim, presumably by this point pretty desperate for some way out. Alchemy describes the clean-up as taking about a day with systems fully restored in a week.

With the current AV unable to detect let alone stop the ransomware in question, Alchemy installed Panda Security's Adaptive Defense 360, a cloud-based system along with "beefed-up" endpoint security and continuity systems in case of a repeat attack.

"As is often the case following the attack the building consultancy wanted to ensure that nothing like this happened again," comments Panda's marketing manager, Neil Martin.

"Traditional antivirus solutions based on signatures, heuristics and behavioural analysis are reactive and there is always a latency, we call the 'window of opportunity', between the malware being created and subsequently blocked.

The cybersecurity firm calculates that around a fifth of new malware goes undetected by antivirus in the first day of its existence, more than enough time to do serious damage.

He argues that the cloud-based design of Adaptive Defense 360 is better suited to stopping current malware than a simple endpoint client of the sort used by many home users and SMEs. Defence needs far more layers to have a chance.

Panda Security's Adaptive Defense 360 takes this further through continuous endpoint monitoring of all processes, gathering 1000's of features on each such as 'where did it come from, 'how did it execute', 'on which system'. All of these are used as part of the machine learning along with manual checks from Panda Labs Experts that identifies and blocks malware.

"We don't allow anything to run until we know exactly what it is."

The victim in this case was understandably unwilling to reveal itself. Many other victims aren't even written up at all. Some even suffer in silence, middle through or, sad to report, pay up.

It's a dark experience more and more UK SMEs and even large enterprises find themselves living though although smaller firms are in greater danger because they often lack the knowledge to cope.

When ransomware strikes - lessons

There are no simple or comforting 'what to dos' to draw from the incident. It was a typical ransomware attack on a UK SME that was poorly defended to resist this kind of predation. What is clear is that organisations of all sizes can't rely on cybersecurity based on single layers of defence that fail gracelessly. More layers are needed so that there is not one single and brittle weakness that can be bypassed.

Every firm needs to devise a plan as to how it will respond not simply to malware in general but extortion specific attacks such as DDoS, ransomware, web defacement, data breaches or a combination of all of the above. Having backups is a start but not on its own enough.

For small companies, the best place to start is to find an expert third-party consultancy, preferably one that can prove it has business experience of dealing with such attacks. This partner will also be able to advise on the vulnerability of the network, which is to say outline the sort of damage a typical attack could do and how quickly. Reconfiguration might be necessary.

Most of important of all, companies shouldn't wait for trouble to strike. Ransomware is not a new threat but it shows no sign of going away, far from it. It is evolving and the targeting is becoming better and better. Every and any company is at risk. Don't ignore it; give yourself a chance by understanding the enemy.

(www.computerworlduk.com)

By John E Dunn

Zur Startseite