This horse wouldn’t drink

As we look forward to what 2019 has in store, we wanted to recount a situation from 2018 in which we successfully helped a Middle Tennessee business recover from ransomware yet failed to make them see the strategic benefits of managed IT services.

According to the 2018 SonicWALL Cyber Threat Report, there were 181.5 million ransomware attacks in the first six months of 2018. This marks a 229% increase over the same time frame in 2017. While we don’t yet have reports on the second half of 2018, it is clear the frequency of security incidents hasn’t slowed down.

“Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. More advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.” – Wikipedia

On September 6th, 2018, the owner of a small business located in Gallatin, Tennessee (a suburb of Nashville) reached out to KTG to request help recovering from a ransomware incident. The business was at a standstill and desperate to recover and get back to serving its customers and partners. The owner actually ran three separate businesses from the same office, and their most critical information was now encrypted. The primary business operated by this group is in the manufacturing supply chain for the medical and automotive industries as well as for the military.

As we began our initial investigation, the owners told us the data they were most concerned about recovering was their general ledger data. We discovered the ransomware had infected at least one workstation and had spread to their one and only server (which was running an outdated operating system). Within an hour or so we were relatively certain of the exact malware variant and confirmed there was no publicly available decryption key. Without a backup of their general ledger, the company was faced with the prospect of paying the bad actors for a recovery key.

The owners followed the instructions left in a text file on the network to make contact with the bad actors. They made contact via email using a new Gmail address they set up specifically for this incident. The ransom amount initially requested was the equivalent of $16K USD in Bitcoin. Through a series of email exchanges between the owners and the bad actor crew, the owners managed to negotiate it down to approximately $500 USD. At this point, the company asked whether we thought they should pay. We advised them of the risks associated with paying and the high likelihood of still not being able to decrypt their files even after payment. Knowing this was their only hope of recovering their general ledger system, which holds their inventory, purchase orders, invoices, bills and receipts, they decided to pay.

Unfortunately, they didn’t have the ability to quickly pay the ransom with Bitcoin. “Bitcoin is a cryptocurrency, a form of electronic cash. It is a decentralized digital currency without a central bank or single administrator that can be sent from user-to-user on the peer-to-peer bitcoin network without the need for intermediaries. Transactions are verified by network nodes through cryptography and recorded in a public distributed ledger called a blockchain.” – Wikipedia. Setting up a new Bitcoin account can take 72 hours or more, and this business couldn’t afford to wait that long. Fortunately, KTG had access to a Coinbase account with enough of a balance to pay the ransom. On behalf of the victim company, we sent the Bitcoin payment to the digital wallet address provided by the bad actors and held our breath.

In less than 24 hours they received the decryption key and attempted to recover their files. For whatever reason, the decryption key did not function as expected and they were unable to gain access to their files. In a bit of a panic, they contacted the bad actors again to explain the difficulty, hoping they might not have all the information necessary. To our disbelief, these bad guys had a very responsive service desk and were more than happy to troubleshoot the decryption difficulty. In short order, the bad guy service desk technician was able to resolve the issue and the business was able to open its general ledger again! The 96+ hour nightmare was over, and the businesses were able to resume operations. These owners got lucky.

As they were resuming operations, we continued the dialogue with the business owners to propose proactive managed IT services. Based on our phone conversations, the owner was quite enthusiastic about seeing our proposal for services. We delivered our proposal, which included our service desk service, system monitoring and management, firewall management, network switch and wireless network management, security training and security awareness, custom Office 365 deployment, email security gateway, and a data backup and disaster recovery solution. Their enthusiasm cooled off after receiving the proposal and seeing the associated cost. We connected a few more times after the initial proposal was sent in an effort to narrow the scope of services to better fit within the budget they had in mind, but ultimately, they did not end up becoming a client.

We can only assume they went with a cheaper technology provider or are continuing the DIY method of technology management. This might sound like a win for the business owners, but this course of action most likely means they are setting themselves up for another breach and business disruption in the future. This company had no firewall or Intrusion Prevention System, had end-of-life operating systems deployed, had no security awareness training, relied on a vanilla Google Apps deployment, and clearly wasn’t budgeting properly for technology.

Our lesson learned, or should we say reinforced, for 2018 is you can lead a horse to water, but you can’t make it drink.

The set of solutions we put together for small and midsize businesses is designed specifically with enough layers of security to hopefully prevent our clients from having to go through a scenario like this one. For the new clients that made the choice to take proactive action to protect their businesses in 2018, we applaud you and look forward to providing you with this strategic advantage for years to come. Yes, having the right kind of technology and security management is a strategic advantage. If your business has to stop operations to deal with a week-long ransomware recovery, think about what that means to the bottom line. On the flip side, with the right solutions and partners in place, it is unlikely your business would be forced to deal with that reality.

In 2019, make sure you and/or your technology partner are spending the time to protect your business in these key technology areas:

  • Disaster Recovery
  • Operating System and Application Patch Management
  • Administrative Rights Management
  • Layered Email Security
  • Asset Lifecycle Management

Reach out to our team if you are ready to take action and implement a technology and cybersecurity strategy for your business.