Boost IT

Managed IT Services, Cybersecurity, & Cloud

cybersecurity

Atlanta Real Estate Firm Gets Ransomware

February 14, 2020 by Boost IT

A Story about Ransomware Detection and Prevention for an Atlanta Real Estate Firm

This is the story of how cyber criminals in China attempted to take down and extort for ransom an Atlanta Real Estate Firm, how the Boost IT team reacted, and what we can learn from it — ransomware prevention in 2020.

How the ransomware hit

It was Monday, January 7th; the first full week after the holidays. The day began like any other Monday — we gathered over coffee, discussed the fun things we did over our weekends, and had our weekly team meeting to review our client environments. A ticket had come in over the weekend that there was some unusual activity on a client’s servers, and that there was a jump in hard drive activity.

Next was a series of frantic incoming phone calls followed by shock as the gravity of the situation sank in. The day I had been dreading since I founded the company in 2000 was finally here — a client that had repeatedly refused our security recommendations had a full-fledged ransomware attack underway.

Can ransomware be prevented?

In the best cases, our managed security services, when used together, will drastically reduce the chances of infection. In fact, our clients that use our full suite of security services have never gotten ransomware. In the worst cases, the bad guys succeed, data is lost, and ransoms are paid out. Fortunately for us, we were well prepared because our client used our rock-solid, cloud-based disaster recovery system, so data loss was minimized.

How we reacted

Shut it down

The first thing we did once we confirmed the attack was have everyone power off their workstations. Once ransomware compromises one machine it immediately spreads to the rest of the network. And even with backups in place, recovery takes time. Restoring a single machine can take 1-2 hours and when handling dozens of machines that can easily turn from hours into days.

Search & Analyze

With everything powered off, we started slowly checking each server one by one and taking samples of the encrypted files so we could send them out for analysis. After submitting the samples to IT security researchers, we quickly discovered we were dealing with something incredibly nasty: the Dharma-Adobe variant of ransomware (.cezar family of attacks). This strain is extremely problematic.

Only 1 in 67 anti-virus engines could detect the ransomware

In fact it successfully made its way through their Cisco Meraki Firewall with Advanced Security License, the email security filtering, Microsoft Office 365 mail scans, and past their anti-virus protection.

Put in the time

Even with recent backups available, we had to check each system individually, complete the restores, and test to determine which backups weren’t compromised. Meanwhile, we watched in real time as Chinese cyber criminals attempted to log in to their servers (we blocked some 7,000 attempts per hour at the height of it). It took people on our team in excess of 100 hours of work that week. It was 14+ hour days and extremely stressful. Brent Tibbetts went above and beyond, showing up early and staying late.

Summary of the ransomware attack

  • We shut down all workstations before any systems were encrypted and before we got the ransom demands.
  • Our client lost 1-2 days of data (Chinese hackers infected the systems but waited a few days to detonate the payload, so we chose to restore from a backup image taken when we knew 100% of the data was unaffected.)
  • Our client had only a single day of complete downtime, followed by another couple days of interrupted workflow as we got them up and running on temporary systems while we rebuilt the infrastructure.
  • Our team put in 12-14 hour days all week working round the clock to recover from backups and prevent further attacks.
  • We learned that cybersecurity user training is more critical than ever (stay tuned for an email with cybersecurity tips as well as training offerings for clients not already using our preferred eLearning platform: KnowBe4).
  • We saw firsthand how valuable proper disaster recovery backups are; a file/folder backup is not enough if you want to be able to recover from an attack swiftly. Without recent system images of the servers the backup could have taken 1-2 weeks to rebuild all the infrastructure rather than a day.
  • We want to remind our clients just how important good passwords are. If you don’t have a password policy, read this article on How to Create a Strong Password.

A big thank you goes out to our client for their patience and understanding during the attack. It was a huge productivity loss with their whole office not being able to work. No one yelled or made unreasonable demands of our team. We stayed optimistic, worked together and ensured a smooth recovery.

Thanks,

Russell Shulin
Founder & Chief Client Success Officer
Boost IT, LLC

If you’d like to stay informed of cybersecurity news and ransomware prevention measures, sign up on our Contact page.

For more info on how the Dharma Ransomware variant works:

https://latesthackingnews.com/2018/08/13/new-variant-of-dharma-ransomware-discovered/

Filed Under: Cyber Security Tagged With: Cyber Security Threats, cybersecurity, endpoint protection, News, Ransomware

Where’s My Data? The Future of Cybersecurity

June 14, 2017 by Boost IT

More businesses realize cybersecurity is a necessity. Cybercrimes are on the rise and small businesses are increasingly being targeted. Cybercriminals are becoming savvier and their attacks are becoming increasingly complex. The need to stay on the forefront of information technology and IT skills development increases. Just as important is the need to be prepared and ready to respond to a threat and minimize the damaging effects.

In our last blog, Cyberattacks: Why Hackers Target Small Businesses, we talked about the realistic possibility of a cyberattack. While the initial phases of diverting an attack in cybersecurity involve intrusion detection and secure software development, there will always be a risk that something gets through even the best detection and development technology.

It’s no longer a question of if you will have a cyberattack but when and how you will counter it. Therefore, it’s critical that cybersecurity include risk identification and mitigation, and cloud security. These areas involve identifying risks, creating a plan of reaction and mitigation, and protecting data. It may sound complicated, but Boost IT has a managed security service that is a simple fix.

Risk Identification and Mitigation

A scary form of attack is cryptolocker, a particularly nasty type of ransomware where your computer and network are hijacked, the data is encrypted, and the cybercriminal demands a fee to unlock it. For more in-depth information, refer to the article The Ransomware Nightmare and Its Real Cost.

It costs companies large amounts of money and can take up a lot of time to unlock hijacked computers after a ransomware attack. Once you get the key, there is no guarantee you’ll get access to your data back. In some cases, your data is wiped clean.

Cryptolocker is one of the biggest risks businesses identify when it comes to data protection. By recognizing the need to plan and developing a risk mitigation plan, businesses can evaluate ways to react by developing a plan of action that helps to reduce the threat.

When developing a plan, the question often asked is, “Where is the data?”

Access to data by only those authorized is vital for the continued operation of the business. Therefore, cybersecurity professionals look at all ways to counterattack and protect the data from a breach so you know exactly how to respond to a threat and thus minimize the damaging effects.

Cloud Security

Knowing how your data is stored, who has access to it and how it is protected is extremely valuable knowledge in the face of cyber risk. Therefore, the future of cybersecurity involves more than preparation and planning against an attack. It involves taking precautions to safeguard your data so it will not be compromised and/or can be recovered in a minimal amount of time so you and your employees can get back to business.

As part of a cybersecurity measure, businesses are increasingly migrating to the cloud for data storage. This helps them to access their data at any time, anywhere. It eliminates the question of where their data is. But it also causes businesses to rely more on the cloud providers to safeguard their data. However, as the cloud infrastructure develops, it becomes a more lucrative target for cybercriminals. Boost IT has ransomware-resistant cloud products.

As attacks become more possible on cloud systems, the knowledge in cloud security is continuously growing. Keeping up with the complexity and continuous training on cybersecurity is necessary. That is why many businesses are outsourcing cybersecurity to Boost IT. We stay on top of the innovative ways to combat cyberattacks and protect your data. To learn more, contact us at 404-865-1289.

Filed Under: Cyber Security Tagged With: cloud security, cyberattacks, cybersecurity, Ransomware, risk identification

Cybersecurity Tips for Small Business

December 2, 2016 by Boost IT

Back in January 2015, we wrote a four-part article about cybersecurity tips for small business. The article looked at the four parts of a great security strategy: anti-malware, firewall solutions, anti-virus and patches and updates. This information is still very relevant so we want to review the importance of cybersecurity and provide some basic tips.

8 Tips for Better Cybersecurity

Stay in communication with your IT contact and keep them informed. In part one of our article, we told you about how a client’s employee brought in a computer from home that was badly infected. We didn’t learn about it immediately and the infected computer hammered away at the firewall until it overwhelmed it and caused havoc throughout the network. This could have been avoided with clearer policies and better communication.

Maintain anti-malware on every computer. Malware refers to a variety of hostile and intrusive software that include computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware and other malicious programs. Hackers use malware for a variety of activities such as stealing identity information for fraudulent purposes. Anti-malware protects you against hackers and their schemes.

Keep your anti-malware software current. Hackers are always devising new ways to hijack your computer and access your sensitive data. Thus, patches and updates for new malware protection are always being added to software. Unless you continuously update your anti-malware, you won’t have the protection against hackers’ latest schemes.

Monitor your security. With hackers targeting online sites and hiding malware in them, adjustments regularly need to be made to keep you on guard when users are working online and accessing emails. To help businesses in their security monitoring, we create and review automated security reports and provide remote monitoring and management (RMM) that minimizes downtime and speeds up computers.

Use a firewall to protect your business. Your firewall is designed to keep your network secure by placing a barrier in between it and other networks. There are many ways the hackers can get into your computer and it is all too easy to click on a link that you think is trusted only to find out it can harm your network and compromise your data. The firewall can help to detect the risk and block it.

Create a comprehensive security strategy and stick to it. Get help from an experienced IT professional and develop a plan for your security. But don’t forget about the plan once it is done. Your security is working well when you don’t have any problems. To keep it that way, you need to continually stay on top of your security and tweak your strategy based on new developments. One way to do this is with the Security component of our Managed IT platform.

Install anti-virus software for added security protection. This is a disputed tip because some people don’t think anti-virus is needed anymore. However, anti-virus software still detects 45% of virus infections. Besides, it is cheaper and faster than in the past. Always use anti-virus in conjunction with a managed firewall, anti-malware software, and a patch management service, which is part of our RMM service.

Upgrade your Windows OS and other software with the latest versions. Some software will have automatic patches and updates installed but there are many situations where these fail. Meanwhile, the user often continues working at risk and unaware of the failure. Patches and updates are built into your OS and other software when you upgrade so you stay secure.

Staying secure is essential for your business. Your ability to work productively and maintain a solid reputation depends on it. Boost IT provides managed IT services that include security and monitoring features that help you stay secure. Find out more by contacting us at 404-865-1289.

Filed Under: Cyber Security Tagged With: cybersecurity, remote monitoring and management (RMM)

© 2000–2023 · Boost IT, LLC · Coverage Area
