This particular ransomware tale diverges into two separate storylines. One involves all that I am doing to determine just how the PC was victimized. I got as much information as I could from the user. The problem arose after he was prompted to reboot. At the time, he had been logged into our company’s performance management tool, entering his objectives for the next quarter. He figured the reboot was related to a patch installation and went ahead. Other lines of inquiry — What else had he been doing? Was another browser window open to a suspicious website? Had he downloaded any programs recently? Did he let others use his computer? — didn’t turn up anything suspicious. I spent some time reviewing his archived email to see if I could find some sort of phishing missive with a malicious link. Nothing. So far, I haven’t turned up a smoking gun, so a forensic examination of the PC will be necessary.
I had the user ship it to me, and I am exploring forensic examination options. Lacking the budget for sophisticated forensics software or analysts, I’ll make a mirror image of the drive and attempt to dissect it myself with some open-source tools. If I’m not successful, I’ll consider hiring a third party.
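Imaging the drive and proving the copy is faithful, as an added example that is not the column's own procedure: a POSIX shell script using only dd and sha256sum (assumed available), with a constructed 1 MiB file standing in for the suspect disk and hypothetical paths throughout. It records the hashes at acquisition so the image can be re-verified later, for instance before handing it to a third party.

```shell
#!/bin/sh
# Added example, not from the column: acquire a bit-for-bit image of a suspect
# drive with dd and record SHA-256 hashes of source and image so the copy can
# be shown to be faithful before any analysis touches it. Paths are hypothetical.
set -eu

# image_and_verify SRC IMG LOG
# Images SRC to IMG, appends both hashes to LOG, prints OK or MISMATCH.
# Returns 0 only when the image hash equals the source hash.
image_and_verify() {
    src="$1"; img="$2"; log="$3"
    # conv=noerror,sync keeps reading past bad sectors and zero-fills them so
    # offsets stay aligned. bs=512 matches the sector size, so sync never pads
    # the last block (a larger bs that does not divide the device size would,
    # and the two hashes would then legitimately differ).
    dd if="$src" of="$img" bs=512 conv=noerror,sync status=none
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    {
        echo "acquired: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source:   $src sha256=$src_hash"
        echo "image:    $img sha256=$img_hash"
    } >>"$log"
    if [ "$src_hash" = "$img_hash" ]; then
        echo OK
    else
        echo MISMATCH
        return 1
    fi
}

# verify_image IMG LOG: re-hash an image later and compare it with the hash
# recorded at acquisition. Prints INTACT (status 0) or ALTERED (status 1).
verify_image() {
    img="$1"; log="$2"
    recorded=$(grep "^image: " "$log" | tail -n 1 | sed 's/.*sha256=//')
    now=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$recorded" = "$now" ] && echo INTACT || { echo ALTERED; return 1; }
}

# Constructed sample: a 1 MiB random file stands in for the suspect drive.
WORK=$(mktemp -d)
head -c 1048576 /dev/urandom >"$WORK/suspect.raw"
image_and_verify "$WORK/suspect.raw" "$WORK/suspect.dd" "$WORK/acquisition.log"
verify_image "$WORK/suspect.dd" "$WORK/acquisition.log"
```

On a real machine the source would be the block device of the shipped drive, mounted read-only or behind a write blocker, and the log kept alongside the image.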
The other path is to take advantage of this event to get funding for new tools that will safeguard us from a recurrence. From my perspective, it’s helpful that the user lost some critical project plans and data that he was using to implement our software for some strategic customers. (I know the user will have a harder time seeing the silver lining.) We could end up with a new antivirus solution, with ransomware detection, and new backup and systems management solutions, all cloud-based.