What Usually Happens In a Ransomware Attack

Posted by Chris Hartwig on Oct 5, 2017 9:20:28 AM
Chris Hartwig
submit to reddit

 

wpd_wannacry_attack_graphic

 

So, you got hit with ransomware today. You know…. that thing you’ve been hearing about that encrypts your data and holds it for a bitcoin ransom? You were so sure ransomware would never infect your network because you have an email filter, you have a firewall, you have up-to-date antivirus installed on your desktops, and you are probably using FSRM to control what files can be saved on your file server. Even if you did get hit with ransomware, you would probably just use one of those neat decryptors to reverse it. That sounds like several layers of protection that should stop any intruder, right??

Wrong. This afternoon you got a call from Jodi in Human Resources who opened a resume from “the most exciting Payroll candidate ever.” After she opened the document and enabled macros, she started to see strange text files appear on her desktop with the title “how_to_decrypt.txt” and now she can’t open other documents in her departmental share. Jodi has no idea what is going on, so she submitted a vague ticket with the help desk and then she went to lunch.

Simulate Ransomware on Your Network

Jodi’s ticket is now sitting in the help desk queue competing with five other tickets which at first glance all seem to take a higher priority since Jodi went to lunch and kindly gave IT an hour to prioritize and give attention to her ticket when they were ready. Although the help desk doesn’t see Jodi’s ticket as a priority at first, they start to give it more attention when 15 minutes later Matt in Marketing calls the help desk directly and explains “I need marketing materials printed for the CEO’s luncheon today, but when I click on my documents it says they are corrupt!” Matt further explains he has a couple of files named “how_to_decrypt.txt” on his desktop.

This is starting to feel like a ransomware attack

You know that feeling you get when you think you’ve seen a ghost? Your pulse rises, a bead of sweat breaks out on your forehead, and you feel panic start to set in. Yup, that’s what it feels like to realize you are under attack from ransomware. The first questions that come to mind are always:

Eventually, in your panic, you order everyone to shut down their workstations, and you pull the network cable at either the server or modem to stop internet traffic, and you finally notice the strange process running on the server called “Picnics Pounces Preserves” which you end task to stop the ransomware attack. Triage of the server shows that an hour has passed since the ransomware attack began and now 2 Gigs of data is encrypted and inaccessible.

Stopping the attack is just the beginning

You stopped the attack but take a look at where you are now. Gigs of data on your file server have been encrypted, including your important data management system. When this system goes down, you can’t service customers, and your employees cannot work. Instead, they are walking around socializing and constantly asking IT when they will be able to get back in the system. At this point, every minute that passes equates to dollars lost by the company.

Knowing the fastest route to recovery is to restore the encrypted data you go to your backup system and check on your last restore point. Unfortunately, the last good backup took place a week ago. Reverting to files from a week ago isn’t going to be acceptable, and your CEO isn’t going to be happy that his/her documents cannot be restored for that important luncheon today. It’s starting to look like you may need to pay that ransom. Now the questions are really getting scary. “If we have to pay $1000 to get the company data back and the company just lost $30K due to a couple of hours of downtime; is my job on the line?”

Becoming increasingly worried not only about your company data and if it can be recovered, piled on top of the mounting pressure of possibly being held responsible for this, is really ramping up your anxiety. You frantically search Google for answers but come up empty-handed. Then you find a link that might save your day. On Watchpoint’s ransomware decryptor page, you find hundreds of decryptors. You enter the new file extension that was appended to your encrypted data and hit search, and for a split second you hold your breath in anticipation of receiving a number of hits on decryptors that could decrypt your data.

No Decryptor Available for your Ransomware Variant

As a WatchPoint employee, I’m sorry to say that I know all too well how quickly that moment of hope turns to disappointment. I answer several chat sessions each week from people who have servers or desktops with data encrypted by ransomware. Nine times out of ten, it’s always the same conversation. "We do not have a ransomware decryptor available for the variant you have been infected with."

I’ve said it so many times I should probably create a macro to answer the question automatically but I always hold out hope that I’ll be able to help with the decryption and try to offer other suggestions someone hasn’t tried. Thousands of new ransomware variants are created each day, so the odds that a ransomware variant will have a corresponding decryptor is close to zero. Typically, decryptors are created for variants like Locky, TeslaCrypt, and WannaCry that got a lot of attention because infections were so widespread. Antivirus companies worked quickly to decrypt these versions, but thousands of other variants encrypting data every day never get their 15 minutes of fame, or a decryptor created.

Is all hope lost?

In the case of not having a good backup and no decryptor available, you are running out of options. You can always pay the ransom, and maybe you will get a key to decrypt the data. The odds are just as good that you will pay the ransom and receive nothing in return, or you might not be able to decrypt all your data. Paying the ransom is also highly discouraged. Instead, you are encouraged to take the loss so that cybercriminals might give up their endeavors if no one pays. Although I agree with it being a bad idea to pay the ransom, it’s also too late to stop the cybercriminals from launching attacks. Cybercriminals created an entire new industry which is now their main source of revenue and life is good for them because the money is rolling in. It’s tough to tell people living in the cybercriminal world that they should find another source of income. Even the FBI acknowledges that ransomware will be a billion-dollar industry in 2017.

Ransomware Detection with CryptoStopper

Network security should be looked at like an onion. Just like an onion has many layers, so should your network defenses. WatchPoint has written extensively about layered security and has a number of suggestions that you can implement today to further fortify your network. To stop all ransomware attacks, including all known and zero-day ransomware, you need a product that will detect and stop ransomware encryption in its tracks. WatchPoint developed CryptoStopper for that exact purpose. CryptoStopper uses Deception Technology in the form of watcher files placed in your important network shares. It continuously monitors the watcher files for the encryption process to start and will identify the ransomware attack in seconds. CryptoStopper will immediately isolate the infected workstation from the network and then shut down that workstation. It will send you an email notification letting you know a ransomware attack has been discovered and contained.

WatchPoint Decryptors

Here is a link to the WatchPoint decryptors page. You can search the list by ransomware name or by the new extension appended to your encrypted documents. WatchPoint added 45 new decryptors this week including decryptors for variants like WannaCry, Crysis, and Jaff. We hope you never need to use our decryptors and can help make sure that you don’t with CryptoStopper.

Sign up for a free trial of CryptoStopper today.

 

Continue Reading....