Just a couple of months ago, I discussed two of my current challenges: securing a remote workforce when most of the applications that folks use are cloud-based software as a service (SaaS), and having employees who, thanks to those SaaS apps, have no reason to connect to the corporate network and therefore rarely access the IT infrastructure.
Well, this week, a situation arose that could expedite plans to address the matter. I got wind of it when a remote worker who is on our professional services team and is responsible for assisting with integration of our company’s software sent me an email with a subject line of “Uh Oh.” I know that this guy doesn’t easily panic, so this couldn’t be good news.
It wasn’t. His files had been locked up by ransomware.
We’ve had discussions in the company about what to do in cases of users’ documents being encrypted and held hostage by cyber crooks. The CFO and several vice presidents are adamantly opposed to paying ransom. I am of the same mind. I don’t want to pay money (this particular extortion was demanding 1.5 Bitcoins, or about $900 at current rates) for access to our own documents. And any company that pays a ransom is at the mercy of other hackers who find out that it will play along.
Besides, there should never be a need to pay such ransoms. Frequent backups should allow you to restore any documents as they existed not long before they were encrypted.
But if your employees have found they have little need to connect to the corporate network in the daily course of doing their jobs and connecting to the network is the only way they are going to have their files backed up, you’re in trouble. So, yes, we’re in trouble.
A big part of the problem is that users don’t perceive that they are bypassing backups. Even people who work intensely with software, such as the victim in this case, don’t always see the danger. He was under the impression that his data was being backed up. But when I checked in with the IT department, I learned that the last time his PC had been backed up was in June 2016, more than three months ago. Our antivirus and Windows Server Update Services management consoles told a similar story: This PC has not been patched lately, and the last time it was connected to our antivirus console was more than three months ago, when the user visited the office for a company meeting. More and more, this is typical; we have several other employees who haven’t connected in more than six months.
This particular ransomware tale diverges into two separate storylines. One involves all that I am doing to determine just how the PC was victimized. I got as much information as I could from the user. The problem arose after he was prompted to reboot. At the time, he had been logged into our company’s performance management tool, entering his objectives for the next quarter. He figured the reboot was related to a patch installation and went ahead. Other lines of inquiry — What else had he been doing? Was another browser window open to a suspicious website? Had he downloaded any programs recently? Did he let others use his computer? — didn’t turn up anything suspicious. I spent some time reviewing his archived email to see if I could find some sort of phishing missive with a malicious link. Nothing. So far, I haven’t turned up a smoking gun, so a forensic examination of the PC will be necessary.
I had the user ship it to me, and I am exploring forensic examination options. Lacking the budget for sophisticated forensics software or analysts, I’ll make a mirror image of the drive and attempt to dissect it myself with some open-source tools. If I’m not successful, I’ll consider hiring a third party.
The other path is to take advantage of this event to get funding for new tools that will safeguard us from a recurrence. From my perspective, it’s helpful that the user lost some critical project plans and data that he was using to implement our software for some strategic customers. (I know the user will have a harder time seeing the silver lining.) We could end up with a new antivirus solution, with ransomware detection, and new backup and systems management solutions, all cloud-based.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
Click here for more security articles.