endpoint protection

Atlanta Real Estate Firm Gets Ransomware

February 14, 2020 by Boost IT

A Story about Ransomware Detection and Prevention for an Atlanta Real Estate Firm

This is the story of how cyber criminals in China attempted to take down and extort for ransom an Atlanta Real Estate Firm, how the Boost IT team reacted, and what we can learn from it — ransomware prevention in 2020.

How the ransomware hit

It was Monday, January 7th, the first full week after the holidays. The day began like any other Monday — we gathered over coffee, discussed the fun things we did over our weekends, and had our weekly team meeting to review our client environments. A ticket had come in over the weekend that there was some unusual activity on a client’s servers, and that there was a jump in hard drive activity.

Next was a series of frantic incoming phone calls followed by shock as the gravity of the situation sank in. The day I had been dreading since I founded the company in 2000 was finally here — a client that had repeatedly refused our security recommendations had a full-fledged ransomware attack underway.

Can ransomware be prevented?

In the best cases, our managed security services, when used together, will drastically reduce the chances of infection. In fact, our clients that use our full suite of security services have never gotten ransomware. In the worst cases, the bad guys succeed, data is lost, and ransoms are paid out. Fortunately for us, we were well prepared because our client used our rock-solid, cloud-based disaster recovery system, so data loss was minimized.

How we reacted

Shut it down

The first thing we did once we confirmed the attack was have everyone power off their workstations. Once ransomware compromises one machine it immediately spreads to the rest of the network. And even with backups in place, recovery takes time. Restoring a single machine can take 1-2 hours and when handling dozens of machines that can easily turn from hours into days.

Search & Analyze

With everything powered off we started slowly checking each server one by one, and taking samples of the encrypted files so we could send them out for analysis. After submitting the samples to IT security researchers we quickly discovered we were dealing with something incredibly nasty: the Dharma-Adobe variant of ransomware (the .cezar family of attacks). This strain is extremely problematic.

Only 1 in 67 anti-virus engines could detect the ransomware

In fact, it successfully made its way through their Cisco Meraki firewall with Advanced Security License, the email security filtering, Microsoft Office 365 mail scans, and past their anti-virus protection.

Put in the time

Even with recent backups available, we had to check each system individually, complete the restores, and test to determine which backups weren’t compromised, all while we watched in real time as Chinese cyber criminals attempted to log in to their servers (we blocked some 7,000 attempts per hour at the height of it). It took people on our team in excess of 100 hours of work that week. It was 14+ hour days and extremely stressful. Brent Tibbetts went above and beyond, showing up early and staying late.

Summary of the ransomware attack

  • We shut down all workstations before any systems were encrypted and before we got the ransom demands.
  • Our client lost 1-2 days of data (Chinese hackers infected the systems but waited a few days to detonate the payload, so we chose to restore from a backup image taken when we knew 100% of the data was unaffected.)
  • Our client had only a single day of complete downtime, followed by another couple days of interrupted workflow as we got them up and running on temporary systems while we rebuilt the infrastructure.
  • Our team put in 12-14 hour days all week working round the clock to recover from backups and prevent further attacks.
  • We learned that cybersecurity user training is more critical than ever (stay tuned for an email with cybersecurity tips as well as training offerings for clients not already using our preferred eLearning platform: KnowBe4).
  • We saw firsthand how valuable proper disaster recovery backups are; a file/folder backup is not enough if you want to be able to recover from an attack swiftly. Without recent system images of the servers, rebuilding all the infrastructure could have taken 1-2 weeks rather than a day.
  • We want to remind our clients just how important good passwords are. If you don’t have a password policy, read this article on How to Create a Strong Password.

A big thank you goes out to our client for their patience and understanding during the attack. It was a huge productivity loss with their whole office not being able to work. No one yelled or made unreasonable demands of our team. We stayed optimistic, worked together and ensured a smooth recovery.

Thanks,

Russell Shulin
Founder & Chief Client Success Officer
Boost IT, LLC

If you’d like to stay informed of cybersecurity news and ransomware prevention measures, sign up on our Contact page.

For more info on how the Dharma Ransomware variant works:

https://latesthackingnews.com/2018/08/13/new-variant-of-dharma-ransomware-discovered/

Filed Under: Cyber Security Tagged With: Cyber Security Threats, cybersecurity, endpoint protection, News, Ransomware

Making the Move to the Cloud

June 23, 2017 by Boost IT

When is the last time you forgot to backup your work? If you remember working before the cloud, you might have thoughts of your computer crashing and losing several hours of work. Luckily, if you’ve started using the cloud, your changes are automatically saved.

Many businesses are realizing the efficiency of storing data in the cloud – no hardware to buy and the costs are predictable. They recognize that if they use a data sharing service for their data and applications, their data is safe and applications can run even during a power outage.

There are many benefits to moving, but it’s important to evaluate whether the features and workflow fit your needs and whether the provider’s platform meets your cloud security requirements.

Understanding Cloud Security

Before moving, spend some time assessing the provider’s security measures and verifying that they meet your compliance requirements, if any. Don’t assume that security will work the same in the cloud as on your premises, or you might inadvertently increase your risk. Unlike when you do something on premises, the cloud is not something that you just change and let flow. You must stay on top of what the provider is doing, log access to the data, and make adjustments to maintain a secure environment.

While data centers and shared infrastructures are designed with intense security best practices, not all service providers offer the same level of security. Avoid making hasty decisions. Check on locations for data storage centers and how the provider abides by regulations. If it is an overseas data center, understand that the regulations and data privacy policies change depending on the country.

At Boost IT, we offer Endpoint Protection as a cloud-based security solution that is tailored for small- and medium-sized businesses.

Recognizing Cloud Failure

While you look forward to having the convenience of 24/7 access to your data storage from anywhere you connect, that doesn’t mean there’s zero possibility of hardware failure. Businesses understand that failures happen, but they don’t think about the failure of a provider. You don’t want to be the one who mistakenly assumes that public services won’t fail.

The good news is that if there is a failure, most cloud providers have security systems and disaster recovery plans in place to protect your data. So why shouldn’t you feel smug?

Problems with cloud services happen more frequently than most businesses realize. While these problems are typically not critical, businesses need to adapt their applications to these possible outages. If a business depends on an application for ongoing operations, there should be a logic trigger built into the app. If the app hits a snag, the logic trigger produces an automatic retry instead of shutting down.

Now, what would happen if there is a bigger snag, such as a prolonged failure along the massive, shared infrastructure? How would your business fare if you couldn’t access a website for an app you work on, or if your main data system is inaccessible?

While businesses often have a mitigation plan for their own system failure, they neglect the importance of mitigating the risk of hardware or other failure in the cloud. To help with making sure you have a mitigation plan that addresses the complexities of the cloud while providing solutions for your specific needs, contact Boost IT at 404-865-1289.

Filed Under: Cloud Tagged With: cloud security, endpoint protection
