Last year, I wrote about a ransomware infection that encrypted the hard drive of one of my company's employees. In that situation, a live, in-person scammer called the employee, claiming to be from "technical support," and tricked the employee into visiting a website that infected his computer. As with a similar situation I wrote about in 2012, the infection came from an advertisement on the front page of a major news service's website. The website runs rotating ads, one of which was compromised and hit the victim with a drive-by malware infection (without any intervention by or even the knowledge of the victim). I thought that because the infection was on the victim's personal computer, not on my company's network, we were pretty safe. I thought that if it had been on my network, the attempt probably would have failed, or would at least have been detected right away.
As it turns out, I was both right and wrong. I encountered ransomware again, this time on my company's network, and this time it did some damage.
Last week, one of my company's employees was hit with CryptoWall ransomware in the office. Just as I expected, my state-of-the-art SIEM and its intrusion-detection data sources detected the infection right away. My team got the alert at 9:05 a.m. and dropped everything to respond to the alert. They sprang into action immediately, just as I've drilled them to do. They knocked the infected workstation off the network and shut down the infected computer by 9:10.
But this ransomware did not fail. Although it was active for less than 5 minutes, it did a lot of damage.
First, the ransomware encrypted files in the personal folders on the computer. This was no big deal, because the employee didn't have any important files stored locally -- which I was pleased to discover, because I make a point of telling everyone to save their important files on our network, where they are backed up and access-controlled, instead of on their computers. But what the ransomware did next was a lot worse.
The ransomware crawled through all the network drives mapped to the victim's computer, in alphabetical order, and encrypted all the files he had access to -- which was a lot. Over 10,000 files in all were encrypted, affecting over half the company. For each file that it encrypted, the ransomware left behind a text file containing instructions on how to decrypt the files -- namely, by installing a Tor (anonymity network) browser, visiting a particular URL, purchasing Bitcoins, and using them to make a payment to the hostage-takers. While I was reading these instructions, my phone was ringing off the hook with various employees demanding to know why their important business files were not opening.