Ransomware – Old Accounts, New Problems

We recently helped a new client solve a ransomware problem.  In case you are unaware, ransomware takes all your files and makes them unreadable until you pay a ransom amounting to several thousand dollars.  This was the third time they have had this problem; the first time we’ve been involved.

The problem was discovered at 3:45 on a Wednesday afternoon.  What’s important in this story isn’t how we were able to recover their servers before employees came to work Thursday morning, with minimal data loss.  Many IT services companies probably could have accomplished the same thing.

What is important here is that the problem was finally solved.  This was the third attack on this network.  Previous IT providers had fixed the symptoms, but not the problem.  Data was recovered from backups, and computers were cleaned of various pieces of malware.  Possible explanations were offered as to potential causes.  In fact, several employees were blamed as being the source of the problem.

In the end the real problem was poor IT management practices.  Five years ago, an account was created on the network that had access to almost all data on the network.  No one really remembers why the account was created; no one even remembered that it existed.  This account was created with a very weak password, and it was not disabled when it was no longer required.

This lapse allowed an unknown person to guess the password and log into a company server from across the world.  The bad guy was then able to encrypt all the data and shut down the business.

Recovery was fairly simple; the client didn’t have to pay the ransom because they had a backup.  They did, however, pay for emergency IT services to solve this problem.  Fifteen minutes of maintenance would have kept the business running and saved thousands.

There are a few lessons here for you:

  • Keep user accounts up to date, remove or disable them when they are no longer required.
  • Require strong passwords. No need to go overboard, but they should be at least 8 characters long and include UPPER and lower case letters as well as numbers and special characters.
  • Ensure your backup is working as expected; also ensure that you are comfortable with the amount of data you will lose if you need to recover as well as how long recovery will take.
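The first two lessons can be turned into a routine check. The script below is an added example (not from this post or the client's environment): it reads a constructed account export, flags enabled accounts with no logon inside an assumed 90-day window (highlighting those in privileged groups, like the forgotten account in the story), and tests candidate passwords against the policy stated above. The CSV layout, group names and threshold are assumptions.

```python
"""Audit an account export for the two failures in the story: stale accounts
that were never disabled, and passwords that miss the stated policy.
The export format, group names and records below are constructed."""
from datetime import datetime, timedelta
import re

STALE_AFTER = timedelta(days=90)       # assumed threshold for "no longer required"
NOW = datetime(2020, 6, 1)             # fixed clock so results are reproducible
PRIVILEGED_GROUPS = {"domain-admins", "file-admins"}   # assumed high-access groups

# Constructed sample export: one row per account.
ACCOUNT_EXPORT = """\
name,enabled,created,last_logon,groups
jsmith,true,2019-01-10,2020-05-29,staff
legacy_svc,true,2015-03-02,2015-03-04,domain-admins;file-admins
contractor7,true,2018-11-20,,staff
bjones,false,2017-06-01,2017-12-01,staff
"""

def parse_export(text):
    """Parse the CSV export into dicts with real booleans, dates and group lists."""
    header, *lines = [l for l in text.splitlines() if l.strip()]
    cols = header.split(",")
    rows = []
    for line in lines:
        rec = dict(zip(cols, line.split(",")))
        rec["enabled"] = rec["enabled"] == "true"
        rec["groups"] = rec["groups"].split(";") if rec["groups"] else []
        for k in ("created", "last_logon"):
            rec[k] = datetime.strptime(rec[k], "%Y-%m-%d") if rec[k] else None
        rows.append(rec)
    return rows

def stale_accounts(rows, now=NOW, stale_after=STALE_AFTER):
    """Enabled accounts not used within the window (never-used ones count from creation).
    Returns (name, is_privileged) so the riskiest ones can be disabled first."""
    flagged = []
    for r in rows:
        if not r["enabled"]:
            continue
        last_seen = r["last_logon"] or r["created"]
        if now - last_seen > stale_after:
            flagged.append((r["name"], bool(PRIVILEGED_GROUPS & set(r["groups"]))))
    return flagged

def meets_password_policy(pw):
    """The post's rule: at least 8 characters with upper, lower, digit and special."""
    return all([len(pw) >= 8, re.search(r"[A-Z]", pw), re.search(r"[a-z]", pw),
                re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)])

if __name__ == "__main__":
    for name, privileged in stale_accounts(parse_export(ACCOUNT_EXPORT)):
        print(f"disable: {name}{'  (PRIVILEGED)' if privileged else ''}")
```

Run against a real export, the privileged stale entries are the ones to disable the same day; the rest can go through normal review.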

#cybersecurity #infosec