Ransomware: Reality and Defeat
by ASCPA
By Rob Samuelsen
My heart rate hastened, and a bead of sweat appeared on my forehead after I opened up my computer on the morning of April 30, 2020. Nothing appeared normal. My desktop icons were broken links and rearranged on the display. Most of our employees were working from home on COVID protocol, and the only reason I was in the office was to run checks. Then I saw a readme text file, opened it and raced downstairs to our IT manager’s office.
A29812-Readme.txt
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .a29812
If for some reason you read this text before the encryption ended. This can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery.
Our encryption algorithms are very strong, and your files are very well protected. The only way to get your files back is to cooperate with us and get the decrypter program.
Do not try to recover your files without a decrypter program. You may damage them, and then they will be impossible to recover.
For us this is just business and to prove to you our seriousness. We will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free.
Our IT manager was getting texts from our remote workers and struggling with the same broken links I encountered. I showed him the readme file, and we immediately started turning off every computer in our office including servers, desktop computers, print servers, controllers and the IP-based phone system. After helping him, I returned to my office and called our bank to shut down our accounts.
By the end of the day, I had talked to my bank, our ADP online payroll provider, insurance broker, executive director, human resources director, every employee and the FBI. For the next six weeks, our IT infrastructure consisted of home computers and cell phones. Everything else was dead. We had been breached by Netwalker, a ransomware threat actor from halfway around the world!
On the next day, with the support of our cyber-insurance provider, we built an expert team of cyberattack consultants. We learned that the bad guys infiltrated our network on January 1, 2020, snooped around our computer systems at least 20 times, sold our vulnerability to a Netwalker extortionist and set the time bomb on our servers. At about 12:20 a.m. on that fateful morning, a piece of aggressive code started to spread like metastasized cancer, encrypting every file in our IT ecosystem, including Microsoft Office files, executable files, system files, database files, custom code files and more. It spread through our office onto our employees’ home computers, Dropbox, OneDrive and remote backup servers. The only thing that saved us was our quick action in shutting down everything, leaving only about half our IT infrastructure infected.
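The account above shows why minutes matter: once encryption starts, synced folders and remote backups carry the damage outward. The following is an added example, not code from the author or from any incident-response tool mentioned on the page. It scans a directory tree for the two artifacts the page itself shows, a note named like "A29812-Readme.txt" and files carrying the appended extension named in that note, and counts how many files were hit. The note-name shape (5 to 8 alphanumerics before "-Readme.txt"), the hex-like extension heuristic and the threshold of five files are assumptions that generalise the single sample on the page; the directory tree it scans is constructed inside the script.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Naming taken from the note shown on this page: "A29812-Readme.txt" with
# the extension ".a29812" named in its body. The allowed ID length (5-8
# alphanumerics) is an assumption that generalises that single sample.
NOTE_NAME_RE = re.compile(r"^([0-9A-Za-z]{5,8})-Readme\.txt$")
NOTE_EXT_RE = re.compile(r"extension:\s*(\.[0-9A-Za-z]{5,8})")
HEXLIKE_EXT_RE = re.compile(r"\.[0-9a-f]{5,8}")


def find_ransom_notes(root):
    """Return [(path, extension)] for files named like a ransom note.

    The extension is the one named in the note body, falling back to the
    lowercased ID taken from the file name.
    """
    notes = []
    for path in Path(root).rglob("*-Readme.txt"):
        m = NOTE_NAME_RE.match(path.name)
        if not m:
            continue
        try:
            body = path.read_text(errors="replace")
        except OSError:
            continue
        ext_m = NOTE_EXT_RE.search(body)
        ext = ext_m.group(1).lower() if ext_m else "." + m.group(1).lower()
        notes.append((path, ext))
    return notes


def scan_for_encryption_artifacts(root, min_hits=5):
    """Count files per extension under root and report suspicious ones.

    An extension is flagged if a ransom note names it, or if it is a
    hex-like 5-8 character extension shared by at least min_hits files
    (heuristic and threshold assumed here, not taken from the page).
    """
    notes = find_ransom_notes(root)
    named = {ext for _, ext in notes}
    counts = Counter(
        p.suffix.lower() for p in Path(root).rglob("*") if p.is_file() and p.suffix
    )
    suspicious = {
        ext: n
        for ext, n in counts.items()
        if ext in named or (HEXLIKE_EXT_RE.fullmatch(ext) and n >= min_hits)
    }
    return {
        "notes": [str(p) for p, _ in notes],
        "suspicious": suspicious,
        "total_files": sum(counts.values()),
    }


def build_sample_tree(infected=True):
    """Create a constructed directory tree (not real data) for the demo."""
    root = Path(tempfile.mkdtemp(prefix="rw-demo-"))
    docs = root / "docs"
    docs.mkdir()
    for name in ("budget.xlsx", "memo.docx", "notes.md"):
        (docs / name).write_text("ordinary content\n")
    if infected:
        # Six files renamed with the appended extension, plus the dropped note.
        for i in range(6):
            (docs / f"report{i}.docx.a29812").write_bytes(b"\x00garbage\xff")
        (root / "A29812-Readme.txt").write_text(
            "Hi! Your files are encrypted by Netwalker. All encrypted files "
            "for this computer has extension: .a29812\n"
        )
    return root


if __name__ == "__main__":
    print(scan_for_encryption_artifacts(build_sample_tree()))
```

Run against a real share the scan is read-only; it never opens the encrypted files themselves. The count of flagged files, compared against a file inventory taken before the incident, gives the rough "half of our infrastructure" figure the page describes, and the note paths tell you which hosts or synced folders the payload reached.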
My immediate supposition was that we were attacked through one of the open ports of our quarantined workforce. We had no idea what was on their home computers or how those computers were being used. Did they have anti-virus software, the latest operating software or two-step authentication? Did they protect against phishing, spoofing, Denial of Service attacks, malware or other attacks? I was feeling very vulnerable!
Ultimately, we learned that the threat actor entered our domain through an old version of Telerik, a user-interface development tool that we no longer licensed but still used. Our bad guy entered through a known worm hole and dropped the bomb on us.
Netwalker appeared in 2019, built by Russian-speaking developers to be hard to break, highly automated and, ultimately, offered as Ransomware as a Service (RaaS): for a fee (the author puts it at $50 a month), an affiliate could rent the code on the dark web and inflict havoc on unsuspecting victims. We believe our threat actor was an unsophisticated renter because he reduced the ransom once and gave us three extensions through the efforts of our savvy dark web negotiator.
There are many eyes on the world wide web that deter deviant behavior, among them the FBI and the IRS. There are also many deceitful eyes that want to do commerce without governmental oversight, and they use a hidden layer of the internet called the dark web, reachable only through anonymity networks such as Tor. It is often said to dwarf the public web, but that figure belongs to the "deep web" of unindexed content (databases, private and paywalled pages); the dark web proper is a small fraction of it.
Because of its anonymity tooling and cryptocurrency payments, transactions there are very hard to trace. It’s in this environment that the hacker sold our vulnerability to the extortionist, who licensed the software from the Russian ransomware developers to attack us with a bitcoin demand.
There are two responses to a ransomware attack.
1. Pay the ransom and hope for an honest criminal.
2. Rebuild: wipe or replace the affected machines and restore everything from backups and clean installation media, piece by piece.
The insurance provider holds the key to this decision because of the economics. However, it’s not a binary decision. Even in the best-case scenario, if you pay the ransom to the threat actor and that threat actor provides a valid decryption key, not all files or computers will be recoverable. We lost about one-fifth of our hardware because of permanent damage to their file systems and had to buy new computers. Some files just weren’t recoverable. In our case, the insurance company worked with us as we slowly isolated and restored everything.
We are back in full operation. Backups mostly worked, email was not infected, and we only lost a few critical files. We’ve rearchitected our IT system to be more secure, implemented new security protocols, purchased new computers, licensed or deleted all software used by our organization and installed more robust detection software. We continue with robust employee education, and we continue to carry cyber-insurance (albeit more expensive). We have some battle scars after our fight with the dark web, but we’re more enlightened and significantly wiser.
Robert Samuelsen joined the Pima Association of Governments and Regional Transportation Authority in 2008 after a private sector career. Vocationally, he has worked in corporate accounting, corporate finance, product management and strategic planning. He has also served on many boards, both for commercial enterprises and not-for-profits. Samuelsen has a Master of Business Administration from Indiana University with a double concentration in banking and finance. He will be speaking at the ASCPA Not-For-Profit Conference on June 24, 2022.