“Elli” from our accounting department was trying to go home. Traffic was starting to build and a 45-minute trip home would become a 90-minute trip shortly. Her Windows 10 PC chimed: she had an email. “Last one,” she uttered as she quickly opened the message. It appeared to be a voicemail file from a caller at Quickbooks, our accounting software. “What do they want?” She double-clicked on the attached file and her PC was “toast”, she just didn’t know it yet.
Instead of a voicemail from Quickbooks, what Elli had unwittingly done was unleash a ransomware infection on her system. While she finished up packing her stuff to go home, one by one the data files on her PC were being encrypted making them unreadable to her or to anyone else.
When she glanced back at her computer she noticed something odd: the background picture, the one of her daughters, was gone. It was replaced by a generic image of a field of flowers. Weird. She opened up a folder she kept on her desktop. Here’s what she expected to see:
Here’s what she actually saw:
She couldn’t comprehend what she was seeing. Who could? She called over to our CTO, Brian, to have him take a look at this weirdness. He grabbed the keyboard and started typing. In between the expletives he asked her what she had done on the computer recently. She pointed to the email open in the corner of the screen. Brian asked if she opened the attachment. As she nodded yes, Brian pulled the network cable from the PC, then shut off the Wi-Fi switch, disconnected her external drive, and turned off her computer. “Your PC,” he said, “is infected with ransomware.”
We removed Elli’s infected drive put it in a sandbox where we were able to let it finish its “work”. Once the process was done we accessed the system and besides folder after folder of unintelligible files there were “help” files, put there by the ransomware once as it processed the files in a given folder. Here’s one of them:
Cryptowall Ransomware “Help” Message
Ransomware is malware that infects your computer, encrypts some or all of your data, and then holds it hostage until you pay a ransom to get your files decrypted. Last year we looked at Cryptowall, a form of ransomware. In that blog post we looked at the history and future of ransomware and predicted, sadly, we’d see more attacks. Here are a few recent examples:
- Hollywood Presbyterian Hospital: Paid $17,000, “It was the easy choice. I wouldn’t say it was the right choice.”
- Community of Christ Church in Hillsboro: Paid $570, “…the only thing we could do was to pay the ransom.”
- Europe, the Middle East, Africa and Australia: The security company Trend Micro has labeled the recent attacks a Global Threat as ransomware has invaded these regions with a vengeance.
- Mac Computers: Ransomware has now made its way to Apple’s Macintosh, with the first known infection being reported this past week. In this case, it took a fair amount of skullduggery to get past the Apple security protocols. At the center of the attack was a software vendor that was hacked and their software infected with ransomware. The infected software was then available to be downloaded by unsuspecting Mac computer users.
Elli gets her data back
Elli did not pay the ransom. Instead she recovered her data files from her Backblaze backup. Her last backup was just before she downloaded the ZIP file that contained the ransomware, so it was easy to recover all her data and get up and running.
Different versions of ransomware can make the data recovery process a bit more challenging, for example:
- Some ransomware attacks have been known to delay their start, instead waiting a period of time or until a specific date before unleashing the downloaded malware and starting the encryption process. In that case you’ll need to be able to roll back the clock on your backup to a date before the infection so you can recover your files.
- Other ransomware attacks will attempt to also encrypt connected accessible drives, including for example your local backup drive. For this reason following the 3-2-1 backup strategy of having both an onsite and offsite backup of your data is the best prevention against data loss if ransomware strikes.
All of this could have been avoided had Elli not been fooled by the email and downloaded the file. As is often the case with ransomware attacks, the miscreants used social engineering to get past Elli’s defenses. Social engineering can be defined as the “psychological manipulation of people into performing actions or divulging confidential information.” In Elli’s case there were several tricks:
- The “to address” on the email contained Elli’s full name.
- It is normal for our office to get emails with attachments from the voicemail system.
- It is normal for our office to get messages from Quickbooks.
It’s hard to know if Elli was just one of millions of people who received this email or as is more likely, Elli was the victim of a targeted attack. Such targeted attacks, also known as spear phishing, require that the sender learn about the target so that email message appears more authentic. For most of us finding the information needed to create a credible socially engineered email is as easy as perusing the company web site and then doing a little research on social sites like Facebook, LinkedIn, Google+, and so on.
Lessons learned by “Elli”
It is easy to blame Elli for letting her system get infected with ransomware, but there were multiple failures here. She was using a browser to access her cloud-based email. The email system didn’t block the email that contained the malware. Neither the browser nor the email system she was using caught the fact that the attached ZIP file contained an executable file as she was able to download the file without incident. Finally, the anti-virus software on her PC didn’t detect anything when she downloaded and then unzipped the malware file. No pop-ups, no notifications, nothing; she was on her own and in a moment of weakness she made a mistake. As embarrassing as it is, she let us tell her story so maybe someone else won’t make the same mistake. Thanks Elli.
Some of you may be wondering about the data we store for our customers. The systems and networks of our business operations and our production operations are independent, with separate access and credentials for each. While having an employee’s computer compromised by ransomware was horribly inconvenient for the employee, Backblaze’s core systems were never at risk.