It was 2016 and bitcoin was hovering around $500. At Jasco Technology, we had just started servicing a new client we’ll call “Acme Co.”.
Acme had never used a professional IT management company before. They handled data protection themselves with a cloud backup product, had never needed to restore anything from it, and simply assumed it was working as expected. We offered our own backup services multiple times, but they declined.
Two months later, Acme’s backups would be put to the test.
One day the owner received an email from someone he did not know with a PDF purchase order attached. Apart from the poor English, the email looked normal enough – they received purchase orders from customers and vendors all the time. He opened the attachment, nothing displayed on his screen, and he tried a few more times with the same result. What he did not realize was that he had launched a ransomware program. It was now running on his machine and encrypting, in the background, every file it could reach on Acme’s network, systematically locking them out of their own data. Within 30 minutes, all of Acme’s files were encrypted and unusable.
Acme called the Jasco Technology Help Desk to report that every file they tried to open returned an error. That symptom told us immediately that they were in the grip of a ransomware attack; the fake purchase order turned out to be the phishing lure that delivered it.
Our first step was to confirm the attack vector: the email sent to the owner. The attachment he opened was not a PDF at all but an executable disguised as one, which he had inadvertently run. Such tooling is surprisingly easy to obtain; ransomware-as-a-service, or RaaS, is sold openly on dark web marketplaces.
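The disguise used here, a file named like a PDF whose bytes are a Windows executable, is one a mail gateway or help desk can check for mechanically. The following is an added example, not Jasco Technology's code: it compares the extension a file claims with the leading bytes ("magic numbers") of its content, and also catches the related tricks of a double extension (`PO.pdf.exe`) and a right-to-left override character that makes the real extension render backwards. All filenames and byte strings are constructed; the `MAGIC`, `EXPECTED` and `EXECUTABLE_EXTS` tables are this example's own.

```python
"""Triage an e-mail attachment by comparing its claimed type with its real type.

Added example, not Jasco Technology's code. The filenames and byte strings are
constructed. It catches the trick in the story: a file that is named like a PDF
but whose bytes are actually a Windows executable.
"""

# Leading bytes ("magic numbers") of common attachment formats.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "exe",                                # Windows PE executable (DOS stub)
    b"\x7fELF": "elf",                           # Linux executable
    b"PK\x03\x04": "zip",                        # zip, also docx/xlsx/pptx containers
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",  # legacy .doc/.xls, can carry macros
}

# What the bytes should look like for a given claimed extension.
EXPECTED = {"pdf": "pdf", "docx": "zip", "xlsx": "zip", "pptx": "zip",
            "doc": "ole", "xls": "ole"}

# Extensions Windows runs directly on double-click.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "wsh", "hta", "ps1", "msi", "lnk"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

# Right-to-left override: "PO\u202efdp.exe" renders as "POexe.pdf" in many clients.
RTLO = "\u202e"


def sniff_type(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring the name entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict ('block', 'review' or 'allow') and the reasons for it."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    real = sniff_type(data)
    reasons = []

    if RTLO in filename:
        reasons.append("right-to-left override character disguises the real extension")
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
    if real in ("exe", "elf"):
        reasons.append(f"content is a {real} executable, whatever the name says")
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
        reasons.append("double extension mimicking a document")
    if ext in EXPECTED and real != EXPECTED[ext]:
        reasons.append(f"name claims .{ext} but content looks like {real}")
    if real == "ole":
        reasons.append("legacy Office container, may contain macros")

    # Anything executable, or anything trying to hide that it is, is blocked outright;
    # other anomalies go to a human or a sandbox before delivery.
    if RTLO in filename or ext in EXECUTABLE_EXTS or real in ("exe", "elf"):
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "claimed": ext, "actual": real, "reasons": reasons}


# Constructed samples, not real attachments.
SAMPLES = {
    "PO_4471.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "PO_4471_scan.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",
    "PO_4471.pdf.exe": b"MZ\x90\x00",
    "PO_4471\u202efdp.exe": b"MZ\x90\x00",
    "PO_4471.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "PO_4471_v2.pdf": b"PK\x03\x04\x14\x00\x06\x00",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        result = triage_attachment(name, data)
        print(f"{result['verdict']:6} {name!r}: {'; '.join(result['reasons']) or 'looks consistent'}")
```

Two caveats. A two-byte `MZ` check will also flag the rare text file that happens to start with those letters; a production filter parses the PE header instead. And a file that really is a PDF can still be malicious (embedded JavaScript, exploits for the viewer), so this is a cheap first-pass triage ahead of antivirus and sandbox detonation, not a substitute for them.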
Our next actions were to isolate the affected computer from the network to stop the malware from spreading, and then restore Acme’s data from their backup. We opened their backup program with the owner’s help and found…nothing. No backup jobs had ever been scheduled, and not a single file had ever been backed up.
With restoring their data no longer an option, we moved on to the alternative: paying the ransom to recover the files. The hackers’ note explained how to reach their dark web payment portal, where Acme could transfer 3.5 bitcoins (about US$1,900 at the time) in exchange for a key to unlock their data. Paying is always a last resort, since there is no guarantee that criminals will deliver a working key, but in Acme’s case there was no other option.
In 2016, bitcoin was not the household name it is today and buying it was not simple. After some difficulty, we were able to buy the bitcoin through an online dark web message board. For those unfamiliar with the dark web, it is an unindexed layer of the internet reached through anonymity networks such as Tor, whose underlying onion routing was developed by the US Naval Research Laboratory in the 1990s to protect US government communications. It is accessible only with special software such as the Tor Browser, which is freely available. Though it still has important legitimate uses, like protecting human rights workers and journalists from authoritarian censors, it also hosts a global black market. Everything from weapons to narcotics to stolen data is bought and sold on the dark web, along with pre-packaged malware like RaaS kits.
Forty-eight hours after the owner had opened the attachment, we were ready to pay the hackers and get Acme’s files back. We followed the instructions the hackers had given us, accessed their dark web payment portal, entered the transaction number and transferred the 3.5 bitcoins to their Bitcoin wallet. We then received a message that said, “Thank you, we will be processing the transaction. The link to unlocked files be here shortly, check soon again”.
After some time we were given the promised decryption key, and we recovered all of Acme’s files in about six hours. In total, they were locked out of their business data for three days.
Acme and Jasco Technology learned some critical lessons:
• Backing up a business’s data is critical, and the backups must be monitored daily and periodically tested with a real restore. At Jasco Technology, we no longer allow our clients to manage and monitor their own backups – we use our backup system and monitoring.
• Acme is a run-of-the-mill small, local business. Cybercriminals deliberately target businesses like this rather than larger enterprises with deeper pockets, because they are confident a small business lacks the backups, planning and security staff to recover without paying, which makes the ransom far more likely to be paid.
• We always need to assume that viruses, ransomware and other malware will occasionally get past even the best antivirus and email security services, and that an employee will eventually open what gets through. Security awareness training is therefore an essential security tool: your employees are the final line of defense between your company’s data and the attackers.
• Lastly, it’s important to remember that a cybersecurity event carries multiple costs. While $1,900 may not sound like much on its own, Acme could not operate for three days. They also had to inform all of their clients and employees of the breach, losing trust and reputation in the process.
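The first lesson above is the one a script can enforce. What follows is an added example, not Jasco Technology's own monitoring: a daily check over a backup product's exported job status that raises a finding for exactly what Acme's console showed (no jobs, no history), plus stale, empty or never-restore-tested jobs, and a restore-verification step that compares a sample of source files with their restored copies by SHA-256. The JSON layout, the job fields, the "current time" and the sample files are all constructed for the example; a real product's export will differ in shape but carry the same facts.

```python
"""Daily backup health check with a restore-verification step.

Added example, not Jasco Technology's own monitoring. The job-status JSON,
the "current time" and the sample files are all constructed. The first status
below is what Acme's console would have reported: a backup product with no jobs
and no history.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone


def check_backup_status(status_json: str, now: datetime,
                        max_age: timedelta = timedelta(hours=26)) -> list:
    """Return findings for a backup product's exported job status.

    An empty list means every job is enabled, ran recently, protected a
    non-empty set of files and has been restore-tested at least once.
    """
    status = json.loads(status_json)
    jobs = status.get("jobs", [])
    if not jobs:
        return ["CRITICAL: no backup jobs are configured"]
    findings = []
    for job in jobs:
        name = job.get("name", "<unnamed>")
        if not job.get("enabled", False):
            findings.append(f"CRITICAL: job '{name}' is disabled")
        last = job.get("last_success")
        if last is None:
            findings.append(f"CRITICAL: job '{name}' has never completed successfully")
            continue
        age = now - datetime.fromisoformat(last)
        if age > max_age:
            findings.append(f"CRITICAL: job '{name}' last succeeded {age.days} day(s) ago")
        if job.get("files", 0) == 0 or job.get("bytes", 0) == 0:
            findings.append(f"CRITICAL: job '{name}' completed but protected nothing")
        if job.get("last_restore_test") is None:
            findings.append(f"WARNING: job '{name}' has never had a test restore")
    return findings


def verify_restore(originals: dict, restored: dict) -> list:
    """Compare a sample of source files with their restored copies by SHA-256.

    A backup that cannot be restored intact is not a backup; run this on a
    handful of files from every job on a schedule, not only after an incident.
    """
    problems = []
    for path, data in originals.items():
        if path not in restored:
            problems.append(f"missing from restore: {path}")
        elif hashlib.sha256(restored[path]).digest() != hashlib.sha256(data).digest():
            problems.append(f"content mismatch after restore: {path}")
    return problems


# Constructed inputs.
NOW = datetime(2016, 3, 15, 8, 0, tzinfo=timezone.utc)
ACME_STATUS = '{"jobs": []}'
HEALTHY_STATUS = """{"jobs": [{"name": "fileserver-nightly", "enabled": true,
  "last_success": "2016-03-15T02:10:00+00:00", "files": 48213, "bytes": 91234567890,
  "last_restore_test": "2016-03-01T09:00:00+00:00"}]}"""
STALE_STATUS = """{"jobs": [{"name": "fileserver-nightly", "enabled": true,
  "last_success": "2016-03-09T02:10:00+00:00", "files": 48213, "bytes": 91234567890}]}"""
ORIGINALS = {"ledger.xlsx": b"2016 ledger", "contracts/acme.docx": b"signed contract",
             "invoices.pdf": b"%PDF-1.4 invoice"}
RESTORED = {"ledger.xlsx": b"2016 ledger", "contracts/acme.docx": b"signed"}


def run_checks() -> dict:
    """Run every check over the constructed inputs and return the findings."""
    return {
        "acme": check_backup_status(ACME_STATUS, NOW),
        "healthy": check_backup_status(HEALTHY_STATUS, NOW),
        "stale": check_backup_status(STALE_STATUS, NOW),
        "restore": verify_restore(ORIGINALS, RESTORED),
    }


if __name__ == "__main__":
    for label, findings in run_checks().items():
        print(f"{label}: {findings or ['OK']}")
```

Run it from a scheduler once a day and page someone on any CRITICAL finding, treating "the monitor itself did not run" as a failure too. One caveat the story does not reach: ransomware that can see a mapped backup share encrypts the backups along with everything else, so at least one copy must be offline or immutable, and the restore test should be performed from that copy.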
If you are unsure of your business data backup situation, feel free to contact us; we’re happy to answer any questions you may have. If you suspect you’ve already experienced some kind of malware attack or breach, consider our Dark Web Scan, which checks whether your passwords or other sensitive information have been exposed and are for sale on the dark web.