When ransomware strikes - how a UK SME coped with a deadly strike on its data

UK SMEs are finding out that expensive security is often powerless to stop extortion

As a UK-based building consultancy discovered the hard way, being hit by ransomware is like staring down the barrel of a loaded gun during a quiet evening stroll.

One minute the company is a functioning business, the next it's being extorted by people it has never met, using a threat it has never heard of, in an alien crime it might have been only dimly aware existed.

The firm later traced the fateful infection by a ransomware variant called DMA Locker back to an email attachment opened in Outlook at 21.46 on 6 March, a vulnerable moment because it happened to be a Sunday, a day when most of the firm's 30 employees were at home.

As with so many ransomware infections, the simple act of opening one attachment became a gateway to a world of trouble. The malware immediately started encrypting files on the first PC before successfully reaching out to a series of attached network drives. With nobody around accessing those shares, nothing untoward was noticed until the next day by which time 90 percent of the files the company rated as critical to its business had been scrambled using AES-256 - or at least that's what the malware claimed in the ransom message.

DMA Locker is nothing special by ransomware standards and early variants were even described as amateurish by security researchers when it first appeared in February 2016 due to major flaws in its encryption. It seems likely that the building consultancy was hit by a later patched version that presented a more serious challenge.

Most ransomware demands a modest ransom, usually between $500 and $1,000 in Bitcoins, but this one asked for £6,500 ($9,500), an unusually high price that strongly suggests that the attackers had carried out a targeted raid in which the ransom is calibrated to the likely effect on the victim.

Creepily, it is possible that ransoms are now being decided after the files have been encrypted and their number and value have been assessed.

When ransomware strikes - AV failure

The firm had firewalls - no defence whatsoever against this kind of malware - which meant its only line of defence was antivirus software running on each PC. This layer failed to notice the ransomware, not surprising given that the variant was new. This inability of antivirus to stop aggressive ransomware makes such attacks similar to zero days.

The firm had no security team, which meant that reinstating the encrypted files from backup presented an onerous challenge. This is another common theme among SMEs, but even larger organisations with staff on hand find locating backups and restoring from them a headache that can take days or weeks.

It's all part of the extortionist's business model: reinstating encrypted files from backup (assuming such backups exist for all lost files) costs more than the ransom. An unknown but growing number of victims simply pay up because it's the cheapest option.

Managed security provider and IT consultancy Alchemy Systems was called in by the victim, presumably by this point pretty desperate for some way out. Alchemy describes the clean-up as taking about a day with systems fully restored in a week.

With the current AV unable to detect let alone stop the ransomware in question, Alchemy installed Panda Security's Adaptive Defense 360, a cloud-based system along with "beefed-up" endpoint security and continuity systems in case of a repeat attack.

"As is often the case following the attack the building consultancy wanted to ensure that nothing like this happened again," comments Panda's marketing manager, Neil Martin.

"Traditional antivirus solutions based on signatures, heuristics and behavioural analysis are reactive and there is always a latency, which we call the 'window of opportunity', between the malware being created and subsequently blocked."

The cybersecurity firm calculates that around a fifth of new malware goes undetected by antivirus in the first day of its existence, more than enough time to do serious damage.

He argues that the cloud-based design of Adaptive Defense 360 is better suited to stopping current malware than a simple endpoint client of the sort used by many home users and SMEs. Defence needs far more layers to have a chance.

Panda Security's Adaptive Defense 360 takes this further through continuous endpoint monitoring of all processes, gathering thousands of features on each, such as 'where did it come from', 'how did it execute' and 'on which system'. All of these feed the machine learning which, along with manual checks by Panda Labs experts, identifies and blocks malware.

"We don't allow anything to run until we know exactly what it is."
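The article describes two things worth seeing side by side: the infection quietly rewriting files on one PC and then on attached network shares for a whole night because nobody was watching the shares, and the alternative of continuously monitoring every process's behaviour rather than waiting for a signature. The following is an added example, not code from the article, from Alchemy Systems or from Panda Security: a small sliding-window detector that reads file-event records and raises an alert as soon as one process rewrites or renames an unusual number of files in a short period, escalating when the paths are on a network share. The log format (timestamp|host|process|operation|path), the thresholds and the sample events are all assumptions constructed for this example.

```python
"""Sliding-window detector for ransomware-like file-modification bursts.

Added example (not code from the article, Alchemy Systems or Panda Security).
It flags a process that starts rewriting or renaming many files within a
short window, a behavioural check that does not depend on the variant
having a signature yet. Log format, thresholds and the sample events are
assumptions made for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # look-back window per (host, process)
THRESHOLD = 25                   # destructive events in the window that trigger an alert
DESTRUCTIVE_OPS = {"write", "rename", "delete"}


def is_network_share(path: str) -> bool:
    """UNC paths and mapped drives other than C: count as shares (assumption)."""
    return path.startswith("\\\\") or (len(path) > 2 and path[1] == ":" and path[0].upper() != "C")


def parse_event(line: str):
    """Parse one pipe-separated event line; returns None for malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    ts, host, proc, op, path = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return when, host, proc, op, path


def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (host, process) whose destructive file events
    within `window` reach `threshold`. The alert is raised at the first
    crossing so a responder is paged while encryption is still in progress."""
    recent = defaultdict(deque)       # (host, proc) -> deque of (time, path)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        when, host, proc, op, path = ev
        if op not in DESTRUCTIVE_OPS:
            continue
        key = (host, proc)
        q = recent[key]
        q.append((when, path))
        # Drop events that have aged out of the window.
        while q and when - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            share_paths = sum(1 for _, p in q if is_network_share(p))
            alerts.append({
                "host": host,
                "process": proc,
                "first_seen": q[0][0].isoformat(),
                "events_in_window": len(q),
                "share_paths": share_paths,
                # Touching a share means other users' data is at risk too.
                "severity": "critical" if share_paths else "high",
            })
    return alerts


def constructed_log():
    """Constructed sample: one workstation, a benign editor, then an unknown
    process that rewrites local documents and fans out to a mapped share."""
    base = datetime(2016, 3, 6, 21, 46, 0)
    lines = [
        f"{base.isoformat()}|WS-07|outlook.exe|read|C:\\Users\\jo\\Downloads\\attachment.zip",
        f"{(base + timedelta(seconds=1)).isoformat()}|WS-07|winword.exe|write|C:\\Users\\jo\\Documents\\notes.docx",
    ]
    # 20 local documents rewritten over 20 seconds, then 30 files on the P: share.
    for i in range(20):
        t = (base + timedelta(seconds=5 + i)).isoformat()
        lines.append(f"{t}|WS-07|unknown.exe|write|C:\\Users\\jo\\Documents\\doc{i}.dwg")
    for i in range(30):
        t = (base + timedelta(seconds=30 + i)).isoformat()
        lines.append(f"{t}|WS-07|unknown.exe|rename|P:\\Projects\\site{i}.dwg")
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(constructed_log()):
        print(alert)
```

On the constructed log the alert fires for unknown.exe on the 25th destructive event, about half a minute after the first local file was touched and only five files into the share, which is the point: the firm in the article found out the next morning, after 90 percent of its critical files were gone. In practice the thresholds need tuning against what backup agents, build tools and bulk renames normally do on a given network, which is why a vendor's version of this gathers far more features per process than a single event counter.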

The victim in this case was understandably unwilling to reveal itself. Many other victims aren't written up at all. Some suffer in silence, muddle through or, sad to report, pay up.

It's a dark experience more and more UK SMEs and even large enterprises find themselves living through, although smaller firms are in greater danger because they often lack the knowledge to cope.

When ransomware strikes - lessons?

There are no simple or comforting 'what to dos' to draw from the incident. It was a typical ransomware attack on a UK SME that was too poorly defended to resist this kind of predation. What is clear is that organisations of all sizes can't rely on cybersecurity based on single layers of defence that fail gracelessly. More layers are needed so that there is not one single, brittle weakness that can be bypassed.

Every firm needs to devise a plan for how it will respond not simply to malware in general but to extortion-specific attacks such as DDoS, ransomware, web defacement, data breaches or a combination of all of the above. Having backups is a start but is not on its own enough.

For small companies, the best place to start is to find an expert third-party consultancy, preferably one that can prove it has business experience of dealing with such attacks. This partner will also be able to advise on the vulnerability of the network, which is to say outline the sort of damage a typical attack could do and how quickly. Reconfiguration might be necessary.

Most important of all, companies shouldn't wait for trouble to strike. Ransomware is not a new threat but it shows no sign of going away, far from it. It is evolving and the targeting is becoming better and better. Every company is at risk. Don't ignore it; give yourself a chance by understanding the enemy.

By John E Dunn