A nudge from ransomware

Our manager needs to get remote users’ PCs backed up without forcing them to connect to the network, which they rarely have to do these days to do their jobs.

Just a couple of months ago, I discussed two of my current challenges: securing a remote workforce when most of the applications that folks use are cloud-based software as a service (SaaS), and having employees who, thanks to those SaaS apps, have no reason to connect to the corporate network and therefore rarely access the IT infrastructure.

Well, this week, a situation arose that could expedite plans to address the matter. I got wind of it when a remote worker who is on our professional services team and is responsible for assisting with integration of our company’s software sent me an email with a subject line of “Uh Oh.” I know that this guy doesn’t easily panic, so this couldn’t be good news.

It wasn’t. His files had been locked up by ransomware.

We’ve had discussions in the company about what to do in cases of users’ documents being encrypted and held hostage by cyber crooks. The CFO and several vice presidents are adamantly opposed to paying ransom. I am of the same mind. I don’t want to pay money (this particular extortion was demanding 1.5 Bitcoins, or about $900 at current rates) for access to our own documents. And any company that pays a ransom is at the mercy of other hackers who find out that it will play along.

Besides, there should never be a need to pay such ransoms. Frequent backups should allow you to restore any documents as they existed not long before they were encrypted.

But if your employees have found they have little need to connect to the corporate network in the daily course of doing their jobs and connecting to the network is the only way they are going to have their files backed up, you’re in trouble. So, yes, we’re in trouble.

A big part of the problem is that users don’t perceive that they are bypassing backups. Even people who work intensely with software, such as the victim in this case, don’t always see the danger. He was under the impression that his data was being backed up. But when I checked in with the IT department, I learned that the last time his PC had been backed up was in June 2016, more than three months ago. Our antivirus and Windows Server Update Services management consoles told a similar story: This PC has not been patched lately, and the last time it was connected to our antivirus console was more than three months ago, when the user visited the office for a company meeting. More and more, this is typical; we have several other employees who haven’t connected in more than six months.
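The reconciliation described above, as an added example that is not part of the column: constructed last-check-in exports from backup, antivirus and WSUS consoles (host names, dates, the as-of date and the thresholds are all assumptions), with any host flagged that is stale in one console or has never reported to it at all, since a PC that is current on antivirus but absent from the backup console is exactly the case the user in the story did not notice.

```python
from datetime import date, datetime

# Constructed as-of date, roughly matching "June 2016, more than three months ago".
AS_OF = date(2016, 10, 3)

# Constructed console exports (hostname -> last check-in, ISO date).
# A host missing from a console's export has never reported to it.
BACKUP_LAST_SEEN = {"ps-laptop-07": "2016-06-22", "sales-laptop-12": "2016-03-14",
                    "hq-desktop-01": "2016-10-02"}
AV_LAST_SEEN = {"ps-laptop-07": "2016-06-22", "sales-laptop-12": "2016-03-14",
                "hq-desktop-01": "2016-10-03", "new-laptop-19": "2016-09-30"}
WSUS_LAST_SEEN = {"ps-laptop-07": "2016-06-22", "hq-desktop-01": "2016-10-01",
                  "new-laptop-19": "2016-09-30"}
CONSOLES = {"backup": BACKUP_LAST_SEEN, "antivirus": AV_LAST_SEEN, "wsus": WSUS_LAST_SEEN}


def days_since(last_seen, as_of=AS_OF):
    """Whole days between an ISO date string and the as-of date."""
    return (as_of - datetime.strptime(last_seen, "%Y-%m-%d").date()).days


def stale_hosts(consoles, as_of=AS_OF, threshold_days=30):
    """Return {host: {console: days_since or None}} for every host that is
    older than threshold_days in any console, or absent (None) from one.
    Taking the union of all consoles is what catches hosts that one tool
    knows about but another has never seen."""
    hosts = set().union(*(c.keys() for c in consoles.values()))
    report = {}
    for host in sorted(hosts):
        ages = {name: (days_since(seen[host], as_of) if host in seen else None)
                for name, seen in consoles.items()}
        if any(age is None or age > threshold_days for age in ages.values()):
            report[host] = ages
    return report


def severity(ages):
    """Never reported or silent for more than six months: critical;
    more than three months: high; otherwise medium."""
    if None in ages.values():
        return "critical"
    worst = max(ages.values())
    if worst > 180:
        return "critical"
    return "high" if worst > 90 else "medium"


if __name__ == "__main__":
    for host, ages in stale_hosts(CONSOLES).items():
        print(f"{host}: {severity(ages)} {ages}")
```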

This particular ransomware tale diverges into two separate storylines. One involves all that I am doing to determine just how the PC was victimized. I got as much information as I could from the user. The problem arose after he was prompted to reboot. At the time, he had been logged into our company’s performance management tool, entering his objectives for the next quarter. He figured the reboot was related to a patch installation and went ahead. Other lines of inquiry — What else had he been doing? Was another browser window open to a suspicious website? Had he downloaded any programs recently? Did he let others use his computer? — didn’t turn up anything suspicious. I spent some time reviewing his archived email to see if I could find some sort of phishing missive with a malicious link. Nothing. So far, I haven’t turned up a smoking gun, so a forensic examination of the PC will be necessary.

I had the user ship it to me, and I am exploring forensic examination options. Lacking the budget for sophisticated forensics software or analysts, I’ll make a mirror image of the drive and attempt to dissect it myself with some open-source tools. If I’m not successful, I’ll consider hiring a third party.

The other path is to take advantage of this event to get funding for new tools that will safeguard us from a recurrence. From my perspective, it’s helpful that the user lost some critical project plans and data that he was using to implement our software for some strategic customers. (I know the user will have a harder time seeing the silver lining.) We could end up with a new antivirus solution, with ransomware detection, and new backup and systems management solutions, all cloud-based.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.
