As a UK-based building consultancy discovered the hard way, being hit by ransomware is like staring down the barrel of a loaded gun during a quiet evening stroll.
One minute the company is a functioning business; the next it is being extorted by people it has never met, over a threat it has never heard of, in a crime it was probably only dimly aware existed.
The firm later traced the infection, by a ransomware variant called DMA Locker, back to an email attachment opened in Outlook at 21:46 on 6 March. The timing made it especially vulnerable: it was a Sunday, when most of the firm's 30 employees were at home.
As with so many ransomware infections, the simple act of opening one attachment became a gateway to a world of trouble. The malware immediately started encrypting files on the first PC and then spread to the network drives mapped from it. With nobody using those shares, nothing untoward was noticed until the next day, by which time 90 percent of the files the company rated as critical to its business had been scrambled using AES-256 - or at least that is what the malware claimed in its ransom message.
DMA Locker is nothing special by ransomware standards. Early variants were even described as amateurish by security researchers when the family first appeared in February 2016, because of major flaws in its encryption. It seems likely that the building consultancy was hit by a later, patched version that presented a more serious challenge.
Most ransomware demands a modest ransom, usually between $500 and $1,000 in Bitcoin, but this one asked for £6,500 ($9,500), an unusually high price that strongly suggests a targeted raid in which the ransom is calibrated to the likely effect on the victim.
Creepily, it is possible that ransoms are now being decided after the files have been encrypted and their number and value has been assessed.
When ransomware strikes - AV failure
The firm had firewalls, which are no defence at all against malware that arrives as an email attachment and is opened by a user, so its only real line of defence was the antivirus software running on each PC. That layer failed to notice the ransomware, which is not surprising given that the variant was new: signature-based detection has nothing to match until the sample has been seen and analysed. In that sense a fresh ransomware build behaves like a zero day, and by the time a signature exists the files are already encrypted.
The firm had no security team, which meant that restoring the encrypted files from backup was an onerous challenge. This is another common theme among SMEs, but even larger organisations with staff on hand find that locating backups and restoring from them is a headache that can take days or weeks.
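Two details of this incident point at a compensating control that does not depend on antivirus recognising the sample: the encryption ran on a Sunday night, and it hammered shares that nobody was using. A file server that simply counts writes per client host and lowers its alarm threshold outside business hours would have fired within seconds of the first dozen renames, and a canary file on the share gives a second, unambiguous trigger. The following is an added example of that detection logic, not code from the article or from the firm's environment; the audit-log format ("ISO-timestamp host user action path"), the share name FS01, the host and user names, the file extensions and the thresholds are all assumptions chosen for illustration. Only the date and time of the constructed sample match the incident described above.

```python
"""Off-hours mass-write detector for a file share, run over constructed audit lines.

Added example. The log format, share/host/user names and thresholds are assumptions,
not a real product's format or the consultancy's own logs.
"""
from collections import defaultdict, deque
from datetime import datetime

BUSINESS_HOURS = (7, 19)           # 07:00-19:00 Monday-Friday counts as normal activity
BURST_WINDOW_SECONDS = 60          # sliding window per client host
BURST_THRESHOLD_BUSINESS = 40      # writes per host per window before alerting in hours
BURST_THRESHOLD_OFF_HOURS = 10     # far lower bar when nobody should be working
CANARY_PREFIX = "\\\\FS01\\_canary\\"   # assumed canary folder: any write here is an alert
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "dwg", "rvt", "txt", "pptx"}


def is_off_hours(ts):
    """Weekend, or a weekday outside business hours."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def parse_line(line):
    """Assumed format: 'ISO-timestamp host user action path' (path may contain spaces)."""
    ts, host, user, action, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), host, user, action, path


def _extension(path):
    filename = path.rsplit("\\", 1)[-1]
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def detect(log_text):
    """Return a list of alert dicts: one 'canary' alert per canary touch, and at most one
    'burst' alert per host (the first time it exceeds the applicable threshold)."""
    alerts = []
    windows = defaultdict(deque)   # host -> timestamps of writes inside the window
    odd_ext = defaultdict(int)     # host -> writes producing extensions we do not recognise
    flagged = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, host, user, action, path = parse_line(raw)
        if action not in ("WRITE", "RENAME"):
            continue
        if path.lower().startswith(CANARY_PREFIX.lower()):
            alerts.append({"rule": "canary", "host": host, "user": user,
                           "path": path, "time": ts.isoformat()})
        if _extension(path) not in KNOWN_EXTENSIONS:
            odd_ext[host] += 1     # e.g. '.dwg.dma': a new suffix appended to every file
        q = windows[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > BURST_WINDOW_SECONDS:
            q.popleft()
        off = is_off_hours(ts)
        threshold = BURST_THRESHOLD_OFF_HOURS if off else BURST_THRESHOLD_BUSINESS
        if len(q) >= threshold and host not in flagged:
            flagged.add(host)
            alerts.append({"rule": "burst", "host": host, "user": user, "writes": len(q),
                           "off_hours": off, "unfamiliar_extensions": odd_ext[host],
                           "time": ts.isoformat()})
    return alerts


def constructed_log():
    """Constructed sample: one legitimate late worker (PC-12) and one host (PC-07)
    renaming project files in bulk on the Sunday evening of the incident, then touching
    the canary folder. Hosts, users and paths are invented."""
    lines = [
        "2016-03-06T21:40:02 PC-12 jdoe WRITE \\\\FS01\\Finance\\invoices\\2016-02.xlsx",
        "2016-03-06T21:43:51 PC-12 jdoe WRITE \\\\FS01\\Finance\\invoices\\2016-02.xlsx",
    ]
    for i in range(25):
        lines.append(f"2016-03-06T21:46:{10 + i:02d} PC-07 asmith RENAME "
                     f"\\\\FS01\\Projects\\site-a\\drawing-{i:02d}.dwg.dma")
    lines.append("2016-03-06T21:46:36 PC-07 asmith WRITE \\\\FS01\\_canary\\DO-NOT-TOUCH.docx")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

In the constructed sample the burst rule fires on the tenth rename, nine seconds into the run, long before the legitimate worker's two writes would trouble either threshold; the canary rule fires independently, so it still catches a slower, throttled encryptor that stays under the burst threshold. Both checks are cheap to run from file-server audit events and neither needs to know anything about the malware family.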