Ransomware: You Have 8 Hours to Comply

It’s 15:22 on a Friday afternoon in Stockholm. Sales Manager Joel Angström is winding down the work week. It’s been a good week for him: that lucrative new client had finally signed, his experimental new pitch format had been well received, and the icing on the cake? He had secured a reservation for tonight at the elusive new pop-up restaurant le homard en lunettes.

As he scrolls through the menu on his phone, he pauses for thought. What dish was it that Henrik had recommended to him? As he looks out the window trying to remember, something catches his attention. A flash on his laptop screen. A red-outlined pop-up notification window appears.

It’s not one that he recognises, so he leans in closer to the screen to read it. Next to a large red padlock, he sees a countdown: 00:07:58:34, accompanied by a short question and answer section. “Ooops, your data has been encrypted,” it starts. Beginning to panic, Joel closes the window, only for it to automatically open again.

Joel feels a cold wave of anxiety wash over him. He tries to close the window again. It pops up again. Reading through the text, he sees directions on how to transfer money to a bitcoin address. Frantically, he tries to open up some of his files on his desktop. Yet he is met with the same window. “To access your encrypted files, you must transfer and then run decrypt0r.exe”.

What had previously been a good week for Joel was about to turn into a disastrous one.

No Way Back?

Okay, let’s pause things for Joel here. This is a scene that plays out in workplaces across the world on a regular basis. The cause? Ransomware: a virus-type piece of malware that does not simply cause havoc or add a new host to a botnet, but instead seeks a monetary reward. Statistics show that internationally, a new organisation is infected with ransomware every 14 seconds.

From this point in Joel’s situation, there are a few possible scenarios that could play out. All of them depend on what preparations had been made for events like this.

After all, nobody thinks they will fall victim. It’s one of those things that you just hear about on the news, right? For good reason too, it’s a hidden threat: why would an organisation reveal that they had become a victim? Much easier to stay quiet, fewer issues with stockholders and customers that way...

In this situation, Joel’s laptop might have been the first to be infected with ransomware, but it wasn’t the last. Like wildfire, the malware spread across the office in seconds, assisted even by the many unsecured IoT devices, finally reaching its viral crescendo in the server room.

Scenario 1: Crunch Time

Things are getting hot in the office and it’s not just because the door to the server room has been left open. There’s a backup available... but it’s on a server. Like all the other servers, all of its files have been encrypted with 256-bit AES by the ransomware. Brute forcing the key would take millions of years… with a supercomputer.

Things aren’t looking hopeful in this scenario. It looks like re-installation of the server operating systems might be the only option. That would take a lot of time, not to mention the massive loss of content. This is going to hit the company hard.

An infamous case study for this type of scenario is Norsk Hydro, an aluminium maker. Over 22,000 devices were encrypted meaning that the entire workforce of 35,000 employees had to resort to the use of pen and paper. It caused over $40 million worth of damage and that’s only in the first week.

In these situations, organisations are forced to scrape together whatever data is distributed elsewhere, locally or on personal cloud storage. That means internal employees as well as external organisations, such as advertising agencies that have access to marketing materials. This means trawling through file-storage providers such as Dropbox and old email attachments. After a long and tiring search, in a best-case scenario those involved can be expected to gather only a small percentage of the lost data.

Of course, there is another option but it comes at great risk both financially and morally: to pay the ransom. See here for an example of an organisation that transferred over $600,000 to cybercriminals in the desperate hope that they would decrypt their files. It’s not a route that anyone would want to choose but research shows that it’s the route that many organisations take, with millions transferred every year.

The reason? They would rather take the risk and what they predict to be a smaller financial loss than deal with the reputational damage and even greater long-term financial damage that comes with losing so much content. Of course, they have absolutely no guarantee that, after transferring vast sums to a bitcoin wallet with no other information, they will have their data decrypted.

After all, when the effects of ransomware are so devastating that 1 out of 5 companies whose data is infected with ransomware go on to become bankrupt, paying the ransom becomes all the more alluring to organisations. The publicised cases where the criminals have been paid off are merely the tip of the iceberg; many choose to stay hidden, and this behaviour explains why ransomware continues to be so popular and profitable.

Scenario 2: Recoverable

In this scenario, proper backups have been made. Restoring to a save point prior to the ransomware infection will take time but could feasibly be done by the IT staff over one day. In the example of Joel, things could be back to usual in the office come Monday morning. As if nothing even happened.
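Before restoring, the IT staff have to know which save point actually predates the infection. The following is an added example, not code from Picturepark or this post, of that check: it scans each backup snapshot for the two signs the story describes, dropped ransom notes and files whose content is near-random ciphertext, and picks the newest snapshot that shows neither. The entropy threshold, the note markers, the in-memory snapshots and their contents are all constructed assumptions.

```python
import math
import random
from collections import Counter

# Assumed thresholds: plain documents rarely exceed ~6 bits/byte of Shannon
# entropy, ciphertext sits near the 8-bit maximum. Markers come from the post.
ENTROPY_THRESHOLD = 7.5
NOTE_MARKERS = ("your data has been encrypted", "decrypt0r")

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def snapshot_indicators(files: dict) -> list:
    """Paths in one backup snapshot that look like ransomware touched them."""
    hits = []
    for path, blob in files.items():
        head = blob[:2048].decode("utf-8", errors="ignore").lower()
        if any(marker in head for marker in NOTE_MARKERS):
            hits.append(path)  # ransom note dropped next to the data
        elif len(blob) >= 512 and shannon_entropy(blob) > ENTROPY_THRESHOLD:
            hits.append(path)  # near-random content: probably ciphertext
    return hits

def last_clean_snapshot(snapshots: dict) -> "str | None":
    """Newest snapshot (by name) with no indicators; None if all are tainted."""
    for name in sorted(snapshots, reverse=True):
        if not snapshot_indicators(snapshots[name]):
            return name
    return None

# Constructed sample data: Joel's sales folder as captured at 14:00 and 16:00.
_rng = random.Random(7)
_random_blob = lambda: bytes(_rng.getrandbits(8) for _ in range(4096))
CLEAN = {
    "sales/pitch_format.txt": b"Experimental pitch format, v3. " * 40,
    "sales/clients.csv": b"client,status\nNewClient,signed\n" * 30,
}
INFECTED = {
    "sales/pitch_format.txt.locked": _random_blob(),
    "sales/clients.csv.locked": _random_blob(),
    "sales/README.txt": b"Ooops, your data has been encrypted. Run decrypt0r.exe",
}
SNAPSHOTS = {"snap-1400": CLEAN, "snap-1600": INFECTED}

if __name__ == "__main__":
    print("restore from:", last_clean_snapshot(SNAPSHOTS))  # snap-1400
```

On real backups the same two checks would run over the files of each restore point, and a snapshot taken on an online server that was itself encrypted would come back tainted, which is the Scenario 1 outcome.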

Where are the case studies for this? They’re not out there. The reason? Why would an organisation publicise this information? After all, where’s the news in the simple restoration of a backup?

This blog is part of a series about Picturepark’s Suisse Safe offering, which delivers a high-grade recovery option within Swiss-hosted data centres, with secure tape backups taken and stored offline.