Data held hostage; backups to the rescue

Some ransomware travels quickly from one computer to the entire network. The bad guys are moving fast nowadays.

Last year, I wrote about a ransomware infection that encrypted the hard drive of one of my company's employees. In that situation, a live, in-person scammer called the employee, claiming to be from "technical support," and tricked the employee into visiting a website that infected his computer. As with a similar situation I wrote about in 2012, the infection came from an advertisement on the front page of a major news service's website. The website runs rotating ads, one of which was compromised and hit the victim with a drive-by malware infection (without any intervention by or even the knowledge of the victim). I thought that because the infection was on the victim's personal computer, not on my company's network, we were pretty safe. I thought that if it had been on my network, the attempt probably would have failed, or would at least have been detected right away.

As it turns out, I was both right and wrong. I encountered ransomware again, this time on my company's network, and this time it did some damage.

Last week, one of my company's employees was hit with CryptoWall ransomware in the office. Just as I expected, my state-of-the-art SIEM and its intrusion-detection data sources detected the infection right away. My team got the alert at 9:05 a.m. and dropped everything to respond to the alert. They sprang into action immediately, just as I've drilled them to do. They knocked the infected workstation off the network and shut down the infected computer by 9:10.

But this ransomware did not fail. In the less than 5 minutes it was active, it did a lot of damage.

First, the ransomware encrypted files in the personal folders on the computer. This was no big deal, because the employee didn't have any important files stored locally -- which I was pleased to discover, because I make a point of telling everyone to save their important files on our network, where they are backed up and access-controlled, instead of on their computers. But what the ransomware did next was a lot worse.

The ransomware crawled through all the network drives mapped to the victim's computers, in alphabetical order, and encrypted all the files he had access to -- which was a lot. Over 10,000 files in all were encrypted, affecting over half the company. For each file that it encrypted, the ransomware left behind a text file containing instructions on how to decrypt the files -- namely, by installing a TOR (anonymous network) browser, visiting a particular URL, purchasing Bitcoins, and using them to make a payment to the hostage-takers. While I was reading these instructions, my phone was ringing off the hook with various employees demanding to know why their important business files were not opening.

Fortunately, we did not have to do any of that. We simply restored the original files from backup. We also used a downloadable decrypter made publicly available by a well-known antivirus company to unlock the few files that were more recent than the last backup. That whole process took about two hours.

How did this happen? After discussion with the affected employee, I learned that he was just looking at the day's news on a major news agency's website, and had not done anything to trigger the ransomware infection, just as has happened in the past. He received neither a notification nor a request for confirmation of the malware's installation. In fact, the only people who knew about the infection were on my team. Without our network monitoring, there would have been zero knowledge of the ransomware until somebody discovered the encrypted files.

What concerns me most about this incident is the speed at which this malware infection deployed itself and did its damage. My team responded as fast as humanly possible, yet the ransomware got in and out of our network storage before they could stop it. This tells me that none of us can expect to be able to stop, or even contain, the damage caused by malicious code while it is active. And knowing that malicious code comes from well-known websites and enters my network without any user intervention, I now realize I can't prevent all malware infections. I just have to be ready for the next one -- and be prepared to do damage control.

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at

Join in

Click here for more security articles.

Join the CSO newsletter!

Error: Please check your email address.

Tags security

More about Click

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By J.F. Rice

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts