Chronology of a Ransomware attack
“Ransomware attack” is a much-used term globally and has been for several years.
Here at DTS InfoTech, we’ve come to learn that the daily global coverage of this Ransomware crisis is little more than background noise for most people. At least this is the comment we hear most often from the business owners we have talked to.
Their dismissal of this background noise is even understandable. We get it.
However, many businesses, small businesses in particular, are not taking this threat seriously.
In our experience, which after twenty years in IT Services is substantial, we believe small businesses should be wide awake and frightened by the thought of an actual Ransomware attack on their business.
But most business owners are far from being afraid. Why?
By and large, the thinking of many small business owners is, “We’re too small for anyone to attack us, and besides that, we don’t have anything of real value that hackers would want. More concerning is having to spend my hard-earned money, that is not in my budget, on Ransomware protection.”
Hard-earned money? We get it! But we cannot think of a more misguided or uninformed decision to make.
In this article, step by step, we describe what happens during and after a Ransomware attack.
We explain the steps a company will have to take during the attack and after the attack when a crippled company tries to put Humpty Dumpty – a.k.a. their business - back together again.
The good news is this: sometimes Humpty Dumpty can be put back together! The bad news is this: sometimes Humpty Dumpty cannot be put back together, and the business closes.
A Ransomware attack is the theft of your data. Then the attackers take your money, and then they sometimes sell your data.
Each business is unique, but the way an attack unfolds is reasonably straightforward and easy to understand, because the goal of the hackers is always the same: find, steal, and encrypt the company data of their target. After they’ve successfully taken the data, they then demand money - a ransom - to release the data.
Those who have experienced an attack - there are thousands of companies who have lived through it – are so traumatized they never want to experience it again. So, if you think that it won’t happen to you, you should reconsider.
At your business, if you have to defend against a Ransomware attack, your situation will be unique.
As such, the actual steps in this story are generic, based upon our experience and global statistics.
We hope this story, based upon actual real events, will help you to think through your response.
Your Ransomware story.
This could happen to you.
It’s early in the morning—the start of another ordinary day at your office. But this day will unfold in a way that is anything but ordinary.
The steps of your attack:
1. An email arrives at your company. The email contains an infected attachment. But you and your employees won’t recognize how dangerous this email is because this email looks completely normal, legitimate.
You can’t tell its attachment is infected. This deadly email looks like any other email you receive.
2. Someone in your company sees the email, opens it, and begins reading it because that’s what we all do at our jobs.
Collectively, around the world, we opened 269 billion emails per day in 2017, and began reading each one to see how we had to respond to it in the course of our day.
3. The attachment looks like any other - nothing new here. A lot of emails contain attachments. It’s how we communicate in the twenty-first century. So, the attachment is clicked on and opened.
But unbeknownst to the first employee who opened the email, and subsequently began reading the attachment, this attachment is infected with malware, Ransomware.
In a nanosecond, this now-opened attachment releases an evil genie out of the bottle. It’s an attack designed to encrypt data files. But the employee who opened the email and the attachment sees nothing different. It’s just one more of many emails with an attachment, and they continue working.
4. But inside your computer network, file by file, your company data is being encrypted by the evil genie.
Encrypted is the term used for modified files that now look like gobbledygook. Data made unintelligible by excessive use of obscure technical terms.
Unintelligible. That’s what your company data is now. It’s useless. You can’t read it and neither can any of your computers.
5. The phone on your desk begins ringing.
One of your co-workers calls to say, “I can’t open QuickBooks. I can’t open our accounting files either.” You tell him, “Uh, that’s weird. Okay, I’ll come over and have a look.”
Agitated that your day has started like this, you hang up the phone and stand up from your desk. But immediately, your phone rings again. This time, it’s the manufacturing department calling. They ask you, “Have you tried opening any of our engineering files this morning? We can’t open ANY of them!”
You tell them you’re on your way.
But as you’re on your way over, more people, in different departments, are stopping you as you walk by, reporting the same problem. They can’t access company data. They look at you and say, “You know, this problem is happening across the whole company. What’s going on?”
Your employees are confused, and they look like it. Your agitation turns to fright, and you’re getting scared. This problem has never happened before. You don’t know what to do. You try to control your emotions.
6. Computer by computer, all of your computers are unable to open company data files. All of your computer systems are virtually inoperable.
The Ransomware that has attacked your company is sophisticated, meaning it will be mathematically impossible for anyone to decrypt your data files without access to the decrypt key that the attacker holds.
Your anti-malware software won't necessarily protect you. Why? Ransomware is continuously being written and tweaked by its developers, and so its signatures are often not caught by typical anti-virus programs.
7. At the same time, you’re contacted by the attacker and informed on how to pay the ransom, $15,000.00. They tell you that after they receive your payment, they will send you a decrypt key, so you can decrypt your files and get back to work. Have you ever used a decrypt key?
But first, the hackers want money. A lot of money, in the form of Bitcoin.
8. Do you have a Bitcoin account? Probably not. Most people don’t even know what Bitcoin is. If you don’t have an account, you’ll have to open one, and it takes a few days to get the account operational before you can pay the ransom.
9. Remember, at the very same time, while all of this is happening to your business, you have no access to your company data. You can’t do business. Your customers want service, but you can’t service them. They’re asking questions, and you can’t answer their questions.
Company Data = customer service; no customer service = no business; no business = no $.
10. After your Bitcoin account is set up and you pay the ransom, the hackers who attacked your business will, hopefully, send you the decrypt key. Only then, after your data is decrypted – made useable again - will you have access to your data. Now you can get back to servicing your customers.
But here’s the kicker. The decryption keys only work about half the time. The other half of the time? Well, you’ve just sent $15,000 to an anonymous attacker, and you have still lost all of your data. Attackers are criminals. There is no warranty if the decryption doesn’t work.
11. Do you even know what a decrypt key is? Have you ever used one?
Those steps take several days and several sleepless nights to complete. But your business is still down.
Now that we’ve described the actual attack, let's talk about the aftermath. It gets worse.
What happens after the attack and the ransom is paid?
In no particular order - and at a minimum - the following unimaginable things happen to your business:
• Financial – Your business will not be able to serve your customers. You will continue losing money.
• Loss of customers – Customers are forced to find the service or product you provided somewhere else. When they leave, your stricken business may lose them as a customer permanently. These unhappy former customers will probably tell their friends.
• Reputation – Customers will leave your company when they find out their banking information was left unprotected by your company. This is known as reputational loss.
• Employee loss – Your business may have to lay off employees if you can’t meet payroll. Good employees are hard to find and just as hard to keep.
The only other disaster that comes to mind as being as devastating as a Ransomware attack is the physical loss of a business location due to fire, flood, or other disasters.
But Ransomware attacks are a breed unto themselves in terms of the types of damage they do.
There are many obstacles to overcome after this type of attack.
People understand a business burning down. Good Samaritans will help a stricken company. But it’s a different response if you allow a customer’s banking information to be stolen. Many people will desert a business found guilty of losing trust.
Your customers will look for a business they can trust. Losing customers will wreak havoc upon your business in ways a fire, or other disasters, never could.
While recovery costs and regulatory fines make a data breach an expensive pitfall, the damage to a company’s reputation can never be fully known or repaired.
Customers and even employees are not willing to work with companies that can’t protect their information.
It’s difficult, if not impossible, to accurately know the damage inflicted upon a company’s reputation. Data breaches have life-changing consequences for the owners of failed businesses. The failure will have a domino effect that outlives the initial attack and the aftermath of trying to save a company and jobs.
You simply must protect your business from these types of attacks.
Ransomware attacks are on the rise globally, but even more alarming is the percentage of successful attacks that are on the rise as well. Why? Hackers are true professionals at deception.
Their emails look legitimate. They look real. Their appearance is so good that at first glance – on a busy day - you can’t tell the email came from a criminal who is trying to steal from you. Most people are unsuspecting and trusting. That’s why these criminals are becoming more successful.
You must defend your technology infrastructure and prepare a comprehensive recovery plan.
Still not concerned about Ransomware?
If you think you know all about Ransomware, don’t turn your back on it, assuming you’re okay. If you have turned your back, you’re probably not okay, and you’re inviting trouble by ignoring this global ever-present growing crisis.
The plan. Ransomware protection layer-by-layer.
We’ve found the best approach to defeat the Ransomware threat is a simple four-layered method. By four layers, we mean employing:
3. Employee education
4. Technology expertise
When you combine all of these - every one of them - you can be confident your business will survive a Ransomware attack with minimal disruption to your business.
However, if you don’t employ a layered approach, your business probably will not survive the attack.
DTS InfoTech can help.
We are IT Service professionals. Unfortunately, a growing part of our service is protecting companies against Ransomware attacks.
Most small businesses do not have the expertise, tech-savvy, or time to understand all Ransomware issues. If this describes you, we can help.
If you would like more information about how to defend your business against Ransomware, please give us a call. We’re always happy to chat, and the call is FREE! Calls are always free.
Dedicated to your success,
Business Development Manager
dts|infotech . . . secure computer networks that work