Ransomware Visits Backblaze

March 11th, 2016


“Elli” from our accounting department was trying to go home. Traffic was starting to build, and a 45-minute trip home would shortly become a 90-minute trip. Her Windows 10 PC chimed: she had an email. “Last one,” she uttered as she quickly opened the message. It appeared to be a voicemail file from a caller at Quickbooks, our accounting software. “What do they want?” She double-clicked on the attached file and her PC was “toast”; she just didn’t know it yet.

Instead of a voicemail from Quickbooks, what Elli had unwittingly done was unleash a ransomware infection on her system. While she finished packing her things to go home, one by one the data files on her PC were being encrypted, making them unreadable to her or to anyone else.

When she glanced back at her computer she noticed something odd: the background picture, the one of her daughters, was gone. It was replaced by a generic image of a field of flowers. Weird. She opened up a folder she kept on her desktop. Here’s what she expected to see:

Clean PC

Here’s what she actually saw:

Infected PC

She couldn’t comprehend what she was seeing. Who could? She called over to our CTO, Brian, to have him take a look at this weirdness. He grabbed the keyboard and started typing. In between the expletives he asked her what she had done on the computer recently. She pointed to the email open in the corner of the screen. Brian asked if she opened the attachment. As she nodded yes, Brian pulled the network cable from the PC, then shut off the Wi-Fi switch, disconnected her external drive, and turned off her computer. “Your PC,” he said, “is infected with ransomware.”

We removed Elli’s infected drive and put it in a sandbox, where we let it finish its “work”. Once the process was done we accessed the system, and besides folder after folder of unintelligible files there were “help” files, put there by the ransomware as it processed the files in a given folder. Here’s one of them:

Cryptowall Ransomware “Help” Message


Ransomware

Ransomware is malware that infects your computer, encrypts some or all of your data, and then holds it hostage until you pay a ransom to get your files decrypted. Last year we looked at Cryptowall, a form of ransomware. In that blog post we looked at the history and future of ransomware and predicted, sadly, we’d see more attacks. Here are a few recent examples:

  • Hollywood Presbyterian Hospital: Paid $17,000, “It was the easy choice. I wouldn’t say it was the right choice.”
  • Community of Christ Church in Hillsboro: Paid $570, “…the only thing we could do was to pay the ransom.”
  • Europe, the Middle East, Africa and Australia: The security company Trend Micro has labeled the recent attacks a Global Threat as ransomware has invaded these regions with a vengeance.
  • Mac Computers: Ransomware has now made its way to Apple’s Macintosh, with the first known infection being reported this past week. In this case, it took a fair amount of skullduggery to get past the Apple security protocols. At the center of the attack was a software vendor that was hacked and their software infected with ransomware. The infected software was then available to be downloaded by unsuspecting Mac computer users.

Elli gets her data back

Elli did not pay the ransom. Instead she recovered her data files from her Backblaze backup. Her last backup was just before she downloaded the ZIP file that contained the ransomware, so it was easy to recover all her data and get up and running.

Different versions of ransomware can make the data recovery process a bit more challenging, for example:

  • Some ransomware attacks have been known to delay their start, waiting a period of time or until a specific date before unleashing the downloaded malware and starting the encryption process. In that case you’ll need to be able to roll back the clock on your backup to a date before the infection so you can recover your files.
  • Other ransomware attacks will also attempt to encrypt any connected, accessible drives, including, for example, your local backup drive. For this reason, following the 3-2-1 backup strategy of having both an onsite and an offsite backup of your data is the best protection against data loss if ransomware strikes.
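The two recovery caveats above (a delayed start, and a backup that keeps superseded versions only for a limited time) come down to one question: for each file, is there still a version older than the moment encryption started? The following is an added example written for this page, not Backblaze’s code or data model. It assumes a catalogue of uploaded versions, a 30-day window during which a replaced version is kept, and constructed sample data in which encryption started at `INFECTION_START`.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed catalogue of backup versions. Field names are assumptions for
# this example; they are not Backblaze's data model.
@dataclass(frozen=True)
class Version:
    path: str
    uploaded: datetime   # when this version reached the backup store
    sha256: str          # content hash (constructed placeholder values)

RETENTION_DAYS = 30      # assumed window: a superseded version is kept this long

def _still_kept(superseded_at: Optional[datetime], now: datetime,
                retention_days: int) -> bool:
    """The current version is always kept; an older version survives only
    while it was superseded less than retention_days ago."""
    if superseded_at is None:
        return True
    return now - superseded_at < timedelta(days=retention_days)

def restore_plan(versions: List[Version], infection_start: datetime, now: datetime,
                 retention_days: int = RETENTION_DAYS
                 ) -> Tuple[Dict[str, Version], List[str], List[str]]:
    """For every path choose the newest version uploaded before infection_start
    that the retention window still holds.

    Returns (restorable, lost, ignored):
      restorable - path -> version to pull back
      lost       - every clean version has fallen out of the retention window
      ignored    - paths that did not exist before the infection (ransom notes,
                   renamed copies); there is nothing clean to restore there
    """
    by_path: Dict[str, List[Version]] = {}
    for v in versions:
        by_path.setdefault(v.path, []).append(v)

    restorable: Dict[str, Version] = {}
    lost: List[str] = []
    ignored: List[str] = []
    for path, vs in by_path.items():
        vs.sort(key=lambda v: v.uploaded)
        clean = [(i, v) for i, v in enumerate(vs) if v.uploaded < infection_start]
        if not clean:
            ignored.append(path)
            continue
        kept = []
        for i, v in clean:
            superseded_at = vs[i + 1].uploaded if i + 1 < len(vs) else None
            if _still_kept(superseded_at, now, retention_days):
                kept.append(v)
        if kept:
            restorable[path] = kept[-1]     # newest clean version still held
        else:
            lost.append(path)
    return restorable, sorted(lost), sorted(ignored)

# --- constructed sample -----------------------------------------------------
# Encryption started at INFECTION_START. In the delayed-start case this is
# later than the download, and it is the moment to roll back to.
INFECTION_START = datetime(2016, 3, 1, 17, 0)
H = timedelta(hours=1)
D = timedelta(days=1)

SAMPLE_VERSIONS = [
    Version("Documents/budget.csv", INFECTION_START - 40 * D, "clean-budget"),
    Version("Documents/budget.csv", INFECTION_START + 1 * H, "encrypted-budget"),
    Version("Documents/notes.txt", INFECTION_START - 2 * D, "clean-notes"),
    Version("Documents/notes.txt", INFECTION_START + 1 * H, "encrypted-notes"),
    Version("Pictures/daughters.jpg", INFECTION_START - 10 * D, "clean-photo"),  # never touched
    Version("Documents/HELP_README.txt", INFECTION_START + 1 * H, "ransom-note"),  # new file
]

def plan_after(days: int):
    """Plan a restore `days` after encryption started, using the sample data."""
    return restore_plan(SAMPLE_VERSIONS, INFECTION_START, INFECTION_START + days * D)

if __name__ == "__main__":
    for days in (10, 45):
        restorable, lost, ignored = plan_after(days)
        print(f"restore {days} days after infection: "
              f"{len(restorable)} restorable, lost={lost}, ignored={ignored}")
```

Two things the sample brings out: the clean budget file was last changed 40 days before the infection, yet it is still restorable at day 10, because the window is counted from when a version was superseded, not from when it was written; and the same file is gone at day 45, which is the situation the commenters below worry about when an infection goes unnoticed for weeks.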

Social engineering

All of this could have been avoided had Elli not been fooled by the email and downloaded the file. As is often the case with ransomware attacks, the miscreants used social engineering to get past Elli’s defenses. Social engineering can be defined as the “psychological manipulation of people into performing actions or divulging confidential information.” In Elli’s case there were several tricks:

  • The “to address” on the email contained Elli’s full name.
  • It is normal for our office to get emails with attachments from the voicemail system.
  • It is normal for our office to get messages from Quickbooks.

It’s hard to know whether Elli was just one of millions of people who received this email or, as is more likely, the victim of a targeted attack. Such targeted attacks, also known as spear phishing, require that the sender learn about the target so that the email message appears more authentic. For most of us, finding the information needed to create a credible socially engineered email is as easy as perusing the company web site and then doing a little research on social sites like Facebook, LinkedIn, Google+, and so on.

Lessons learned by “Elli”

It is easy to blame Elli for letting her system get infected with ransomware, but there were multiple failures here. She was using a browser to access her cloud-based email. The email system didn’t block the email that contained the malware. Neither the browser nor the email system she was using caught the fact that the attached ZIP file contained an executable file as she was able to download the file without incident. Finally, the anti-virus software on her PC didn’t detect anything when she downloaded and then unzipped the malware file. No pop-ups, no notifications, nothing; she was on her own and in a moment of weakness she made a mistake. As embarrassing as it is, she let us tell her story so maybe someone else won’t make the same mistake. Thanks Elli.
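The check that was missing in this chain is the one a mail gateway or download filter performs on an archive: open the ZIP and look at what is inside rather than trusting the attachment’s own name. The code below is an added example for this page, not part of Backblaze’s systems or of any mail product. It inspects each member by name (every extension, so a double extension like `.mp3.exe` is caught) and by its first bytes (a Windows executable starts with `MZ` whatever it is called), descends into nested ZIPs, and refuses password-protected members it cannot scan. The extension list and the sample attachment are constructed for the example.

```python
import io
import os
import zipfile
from typing import List, Tuple

# Extensions treated as executable content. The list is an assumption for
# this example, not any vendor's policy.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".msi", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".wsf", ".jar", ".ps1",
}
PE_MAGIC = b"MZ"            # first two bytes of a Windows executable (PE/MZ)
ZIP_MAGIC = b"PK\x03\x04"   # local file header of a nested ZIP
MAX_NESTING = 2             # how deep to unpack archives inside archives

def _extensions(name: str):
    """All extensions of a member name, so 'voicemail.mp3.exe' yields both
    '.mp3' and '.exe' and a double extension cannot hide the last one."""
    parts = os.path.basename(name).lower().split(".")
    return {"." + p for p in parts[1:]}

def inspect_zip(data: bytes, depth: int = 0) -> List[Tuple[str, str]]:
    """Return (member, reason) for every member a gateway should not pass on.
    Both checks run on every member: the name, and the first bytes of the
    content, because a renamed .exe still begins with MZ."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if info.flag_bits & 0x1:
                # Password-protected member: the content cannot be scanned,
                # which is itself a reason not to deliver it.
                findings.append((name, "encrypted member cannot be scanned"))
                continue
            if _extensions(name) & EXECUTABLE_EXTENSIONS:
                findings.append((name, "executable extension"))
            content = zf.read(info)
            if content.startswith(PE_MAGIC):
                findings.append((name, "PE (MZ) header regardless of extension"))
            elif content.startswith(ZIP_MAGIC) and depth < MAX_NESTING:
                inner = inspect_zip(content, depth + 1)
                findings.extend((f"{name}/{n}", r) for n, r in inner)
    return findings

def should_block(data: bytes) -> bool:
    return bool(inspect_zip(data))

# --- constructed samples ------------------------------------------------------
def _zip_of(members) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members:
            zf.writestr(name, content)
    return buf.getvalue()

# Minimal stand-in for a PE image: the MZ signature and a PE marker, nothing runnable.
FAKE_PE = b"MZ" + b"\x00" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 64

def build_sample_attachment() -> bytes:
    """Shaped like the attachment in the post: a 'voicemail' whose real
    extension is .exe, plus a blandly named member whose bytes are also PE."""
    return _zip_of([
        ("voicemail_0311.mp3.exe", FAKE_PE),
        ("README.txt", b"Your voicemail is attached.\n"),
        ("player.dat", FAKE_PE),
    ])

def build_benign_attachment() -> bytes:
    return _zip_of([
        ("voicemail_0311.mp3", b"ID3" + b"\x00" * 200),  # MP3 tag, not MZ
        ("README.txt", b"Your voicemail is attached.\n"),
    ])

def wrap_in_zip(data: bytes, name: str = "archive.zip") -> bytes:
    """Nest an attachment inside another ZIP, as mail filters must expect."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()
```

Run against the constructed sample, `inspect_zip` reports the fake voicemail twice (extension and header) and `player.dat` once (header only), while the benign attachment produces no findings. The header check is the one that matters: an extension filter alone would have passed `player.dat`.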

Epilogue

Some of you may be wondering about the data we store for our customers. The systems and networks of our business operations and our production operations are independent, with separate access and credentials for each. While having an employee’s computer compromised by ransomware was horribly inconvenient for the employee, Backblaze’s core systems were never at risk.

Andy Klein

Andy has 20+ years experience in technology marketing. He has shared his expertise in computer security and data backup at the Federal Trade Commission, Rootstech, RSA and over 100 other events. His current passion is to get everyone to back up their data before it's too late.

  • Batch Seneca

    Hmmm. Yeah, not sure this is enough protection. In your fictitious scenario, the last backup was completed just before the infection, and the user noticed the infection immediately.

    Now let’s compare what happened with my wife (a true story). She gets infected, and somehow doesn’t even *NOTICE* for about 45 days. Don’t ask me how she didn’t notice it. I guess all she was doing was surfing the web. Then one day she tries to open an Excel file that she hasn’t accessed in over a year, it gives her a strange error message, and she asks me to “fix it”. That’s when I figure it out. We did not pay the ransom. We had an offline backup of most of her pictures, and the remaining files we abandoned.

    So how does BackBlaze help in this situation? (We are both BackBlaze users after this happened, BTW). Seems to me BackBlaze would just dutifully back up all the new encrypted files, and since it’s been more than 30 days from the infection, there are no un-infected files left to restore.

    So I’d feel better if there were: 1) Infection detection, 2) Infection notification, 3) At least 2 copies of all files, and 4) An easy way to restore to pre-infection state. This is a serious issue now and I think there’s an opportunity for you to do better. BackBlaze gives some partial protection, but it is not a full solution.

  • MikeL

    If Backblaze is active during/after the encryption occurs and all my newly encrypted files get backed up, does Backblaze have a way to recover “last weeks backup” or “recover all files as-of 2-days ago” kind of thing? (aka versioning).

    Found my answer and it is “yes, up to 30 days back from ‘now’.”
    https://help.backblaze.com/hc/en-us/articles/217665868-Restoring-Deleted-or-Previous-Versions-of-Files

  • sprus o

    I’d really appreciate some specific instructions on exactly how to safely restore from a Backblaze backup after a malware infection. It’s all very well to say the files are stored in Backblaze, but in the meantime I have an infected computer that needs to be wiped in some way (just saying – this has not happened to me, yet ;- ) ). In my case, it’s for a Mac, but I’m sure Windows users would be especially grateful.

    Thanks, Chris

  • Jaze Kerxx

    maybe put your pictures in read only mode and password protect it if something wants to make changes on it… i don’t know if there is a way to do this?

    • Brett Peirce

      the cryptolocker encryption will simply encrypt the password protected file, putting its own password onto it(?) – unless I’m missing something?

  • Jaze Kerxx

    is it possible to prevent encryption by encrypting the files yourself?
    if that doesn’t work, is it possible to disable encryption in windows or password protect it?

    • Zach Skagen

      No, nor does setting files as read-only help either. Exploits are usually run at a system level, or admin level. They are only run at user level in cases where users are limited in their access. Furthermore, even being run at user level, the user would have permissions to mark the file as writable, and then encrypt it.

  • Mark4931

    Are there any ways that Backblaze would be able to detect if a customer was infected before it got the whole drive? I am just wondering if you would see higher CPU or read/write cycles trying to serve one customer as the backup was being encrypted.

  • Bitdefender. In my opinion best virus scanner/firewall out there and protects against ransomware. If she’d had it on her computer the files couldn’t have been encrypted in the first place.

  • Derp

    I run a computer shop and we see this happen to the elderly, kids in their teens, and large businesses. All flavors of Anti-Virus, all of them mostly running Malwarebytes. Doesn’t matter what you have for security, these ransom-ware’s change shape almost on a daily basis and the way of infection is truly genius. There are some programs that prevent these things from executing but all that we’ve tried get in the way of normal day to day operation of the computer.

    I’ve been telling most of my customers is if you’re getting an email you don’t recognize, and you have a smart phone, open it with the phone. I understand this isn’t ideal but these ransom-wares haven’t hit the Android/iOS systems YET, so instead of jeopardizing their important files on their computers, they’d be better off going this route.

    What really frustrates me is people actually going through with paying these ransoms. You’re enabling this behavior by doing that, which just breeds more clones. The funny thing about backups is no one needs them until their stuff is gone, then they’re yelling in your face because you can’t recover their documents, photos, etc.

    • NoOne

      You may run’s some computer shop’s, Darp, but you also a moran AND a libtart wiht no clue’s about life or the way thing’s are on the cyber world!

      • Derp

        Hey thanks for following me. Nice to see people are more dedicated to me than practicing proper grammar and spelling. Stay mad friend.

        • NoOne

          The only thing’s that make’s me mad is not needing back up’s until you’re picture’s and document’s is gone, and also libtart’s who think they aint gotta work and they vote multiple time’s for usurper’s like Obummer and Barnie Sander’s!

          • Derp

            Ok, well whatever you say bud. You just do you.

          • NoOne

            No way moran, mastirbation a sin in GOD eye’s. Better for me to do you’re mom

    • Zach Skagen

      I agree! It’s very hard sometimes to convince our clients how essential both onsite and offsite backups are….. Until they are HIT! Then they want to yell at you! Also, Malwarebytes Anti-Malware (MBAM) never boasted to be a good preventative measure against ransomwares and exploits, if you purchased Malwarebytes Endpoint, you received a license to Anti-Exploit (MBAE). Up until recently this was your best bet with the Malwarebytes line of products, MBAM+MBAE. Recently MBAM 3.0 was released which combined these into a single product for the consumer model of MBAM. Its terrible, and consistently has issues. Webroot SecureAnywhere is all we use now.

  • MontyW

    Last month, my father-in-law’s PC was infected with ransom-ware called TeslaCrypt 3.0. It seems he was infected through a customer’s website that had been hacked and a corrupted internal link led to infection through an exploit in an Adobe program that was not fully up-to-date. In my opinion, it could easily happen to 99% of PC users. What version of Adobe Digital Editions are you running? Did you know there is a critical update released for this recently? (ADE was not the vector in this case.)

    It also encrypted his external back-up that was left plugged in to his PC. His anti-virus was up-to-date but did not detect it. In tests, only 3 AV programs out of 55 detected TeslaCrypt. None of the major vendors.

    22,000 copies of the “help” message were spread throughout the PC. Every single folder in the PC had at least 3 copies in different formats.

    After investigation, I wiped his hard drive and re-installed Win7. I had copies of almost all his photos on my PC and he could retrieve all his documents and scans from Hotmail attachments. It took me 35 hours of work (not including downloading from Hotmail).

  • Jesse Kaufman

    Love how transparent BackBlaze is with posts like this. Really appreciate them, since it not only educates, but further reassures me in recommending BackBlaze to everyone I know :)

  • karl

    Excellent write up and with honesty. Appreciated.
    Just out of curiosity, was she the admin of the computer? If not, the data could have been restored with File History because ransomware cannot attack shadow copies (only admins can do that).

  • wmbb

    First thanks. I never thought it can happen as I feel safe with gmail’s attachment virus scan.

    >(…)Some ransomware attacks have been known to delay their start(..)

    If the delay is more than 30 days, using backblaze backup is not helpful ! ;(
    And if you do your external hard drive backup (even if I stored it into another physical location), like me every month, it is also not useful. ;(

    • Not necessarily, it would be 30 days from the moment your computer starts encrypting the files. So once it starts, and you get “notified”, you should restore immediately up through that day!

    • Scotty Edmonds

      I think any reputable antivirus would pick that within that amount of time, at least I hope it would!

  • mizkitty

    I’m guessing “Elli” works in Marketing not Accounting…

    Good story though…anything that makes me think about “off-line” backups is a good thing.

    • Nope, he’s definitely not in Marketing.

  • Jason E Hines

    If proper security was in place this wouldn’t have happened in the first place. What if she hadn’t noticed and it spread outside her computer to the servers with everyone’s backups on it?

    • If you read the last paragraph there, the epilogue, the servers and her computer are on entirely different systems. Backups were never at risk.

      • karl

        Excellent design choice may I add. People think all Malware will be detected by their AntiVirus and AntiMalware apps, but in reality they do get through.

    • Milk Manson

      Backblaze might be crazy, but they aren’t insane.

  • Dan

    Just curious: what anti-virus software are you using? Was it up-to-date?

    • karl

      Doesn’t matter. New ransomware will still get through.

      • Dan

        Not true — when the attachment file downloaded, the antivirus software should scan the file once it is written to disk, and before it is executed, and then quarantine the ransom-ware file. Also, the mail server should have anti-virus software that blocks it before getting to the client. The only way this would not work is a) anti-virus definitions are not up-to-date, or b) the ransom-ware file is so new that it is not in the anti-virus definition database.

        • nah, the recent ransomware can get through our client antivirus (fyi they use Kaspersky and F-Secure)
          the only thing that we can do is backup our data regularly but not daily to prevent the backup infected too.

          • Zach Skagen

            Webroot for the win. And Backblaze continuous backup is a great fallback plan. Webroot does, as everyone else seems to think is impossible, stop zero-day ransomware CryptoLock attacks and is even capable of rolling back the encrypted files to un-encrypted status due to its advanced journaling feature. Zach Skagen, CEO Onyst.IT, 425-728-8924.

        • karl

          Best security advice by far is : assume malware / hacking will happen and mitigate against that. You ARE at risk despite running various malware and anti-virus software.

  • solarbuddy

    Wow, this is *my* nightmare too. It seems that bad guys put as much effort into social engineering as they do other aspects of their operation. This is why I keep telling my staff that their email security is critical. One of these guys who has access to any office email account could easily create a plausible email (supposedly) from one of our clients or colleagues and we wouldn’t hesitate to “click” because of the social factor.

    By the way, we use webroot in the office and can’t be sure that it has blocked cryptolocker attacks, but have some confidence in it.

  • frogstein

    Wouldn’t “Elli” first have had to download the zip file, then double-click the EXE within the ZIP file in order for the malware to infect her computer? AFAIK, ZIP files aren’t executables.

    • Andy Klein

      Correct, she followed the same general set of steps as when she gets a message from the Voice Mail system, download, then double click to listen to the message. When she heard nothing, she assumed it was a hang up. Elli admits she was distracted, but the visual cues noted in the post lowered her malware radar.

  • loxposax

    Why doesn’t the email system scan the contents of zip files and block potentially malicious attachments?

    • Andy Klein

      Many email systems do in fact scan files, but they can miss new malware. That appears to be the case here.

      • loxposax

        Did the attachment come through her personal email or Backblaze email?

        • Andy Klein

          Backblaze Email (The email came via a Backblaze email address.)

          • loxposax

            Thanks. I don’t want to teach you how to suck eggs, but your email system should be scanning zip files and blocking executable attachments such as exe, msi, scr, jar, cmd, bat, js, etc.

            Office attachments are a different kettle of fish, but it is possible to harden the suite against malicious macros.

          • We’ll let google know they should step their game up ;-)

          • karl

            Well spotted loxposax

  • David Jerde

    If the malware disables the BackBlaze client, I assume that the change would be reported in periodic (weekly?) notices from BackBlaze that the client hadn’t been seen for X days. If I receive this report and know I’m connected, this would be a huge flag.

    My question for BackBlaze.

    I assume you’ve got some big analytics capabilities and could detect when unusual files (updates) begin to queue from the client to your data centers. As a value added service, could you provide an email (other) notice of the suspicious activity to the potentially impacted user?

    • That’s a good suggestion. We don’t currently do that, but we can definitely forward that request to our engineers. Might be something to look in to, but that’s really something that the OS should be looking at and warning the user about. That kind of feature moves us more in to anti-virus territory, but it’s worth at least talking about!
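Two commenters above (Mark4931, and David Jerde in the thread just ended) ask whether the stream of changed files could itself reveal an infection in progress. The following is an added example for this page, not a Backblaze feature or any vendor’s code, showing what such a heuristic looks like when run over two snapshots of a user’s files: it measures how many previously readable files turned into high-entropy (ciphertext-like) content, and whether a new file with the same name appeared in several folders at once, which is how the post describes the “help” files arriving. File formats that are dense when healthy (photos, archives) are excluded to limit false positives; the thresholds and the snapshots are constructed for the example.

```python
import hashlib
import math
import os
from collections import Counter
from typing import Dict, List

Snapshot = Dict[str, bytes]   # path -> content; built in memory for the example

# Formats that are high-entropy when healthy (compressed or already encrypted);
# excluded from the signal so photos and archives do not trip it.
ALREADY_DENSE = {".zip", ".7z", ".gz", ".jpg", ".jpeg", ".png", ".mp3", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.2   # bits per byte; ciphertext sits near 8.0 (assumed cut-off)
MIN_SIZE = 64             # very short files give unreliable entropy estimates
FRACTION_ALARM = 0.3      # share of eligible files turning to ciphertext that alarms (assumed)

def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte: 0.0 for a constant file, 8.0 for uniform noise."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()

def turned_to_ciphertext(before: Snapshot, after: Snapshot) -> List[str]:
    """Files that were readable in `before` and became high-entropy in `after`."""
    turned = []
    for path, old in before.items():
        new = after.get(path)
        if new is None or new == old or _ext(path) in ALREADY_DENSE or len(old) < MIN_SIZE:
            continue
        if shannon_entropy(old) < ENTROPY_THRESHOLD <= shannon_entropy(new):
            turned.append(path)
    return sorted(turned)

def repeated_new_names(before: Snapshot, after: Snapshot) -> List[str]:
    """Base names that appeared as new files in more than one folder at once,
    the way the post describes 'help' files landing in every processed folder."""
    folders: Dict[str, set] = {}
    for path in after:
        if path not in before:
            folders.setdefault(os.path.basename(path), set()).add(os.path.dirname(path))
    return sorted(name for name, dirs in folders.items() if len(dirs) > 1)

def assess(before: Snapshot, after: Snapshot) -> dict:
    eligible = [p for p, d in before.items()
                if p in after and _ext(p) not in ALREADY_DENSE and len(d) >= MIN_SIZE]
    turned = turned_to_ciphertext(before, after)
    fraction = len(turned) / len(eligible) if eligible else 0.0
    notes = repeated_new_names(before, after)
    return {
        "turned": turned,
        "encrypted_fraction": fraction,
        "repeated_new_names": notes,
        # Either signal alone can be benign (a bulk re-save, a template copied
        # into every folder); together, or a large fraction, they merit a notice.
        "suspicious": fraction >= FRACTION_ALARM or (bool(notes) and bool(turned)),
    }

# --- constructed snapshots ------------------------------------------------------
def _pseudo_ciphertext(seed: bytes, length: int = 2048) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output."""
    out = b""
    i = 0
    while len(out) < length:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:length]

BUDGET = b"2016 Q1 budget: rent 12000, payroll 85000, software 4200, travel 1800\n" * 12
NOTES = b"Call the accounting software vendor about the March invoice run.\n" * 10
PLAN = b"Project plan: kickoff, requirements, build, review, launch.\n" * 10
NOTE = b"YOUR FILES HAVE BEEN ENCRYPTED. (constructed ransom-note text for the example)\n"

BEFORE: Snapshot = {
    "Documents/budget.csv": BUDGET,
    "Documents/notes.txt": NOTES,
    "Projects/plan.rtf": PLAN,
    "Pictures/daughters.jpg": _pseudo_ciphertext(b"jpeg"),   # dense when healthy
}
AFTER_RANSOMWARE: Snapshot = {
    "Documents/budget.csv": _pseudo_ciphertext(b"budget"),
    "Documents/notes.txt": _pseudo_ciphertext(b"notes"),
    "Projects/plan.rtf": _pseudo_ciphertext(b"plan"),
    "Pictures/daughters.jpg": _pseudo_ciphertext(b"jpeg-enc"),
    "Documents/HELP_RECOVER_FILES.txt": NOTE,
    "Projects/HELP_RECOVER_FILES.txt": NOTE,
    "Pictures/HELP_RECOVER_FILES.txt": NOTE,
}
AFTER_NORMAL_EDIT: Snapshot = {**BEFORE, "Documents/notes.txt": NOTES + b"Added after the meeting.\n"}

if __name__ == "__main__":
    print(assess(BEFORE, AFTER_RANSOMWARE))
    print(assess(BEFORE, AFTER_NORMAL_EDIT))
```

On the constructed data every eligible file in `AFTER_RANSOMWARE` turns to ciphertext and one name recurs in three folders, so the verdict is suspicious; an ordinary edit to one text file trips neither signal. The photo is changed in both snapshots but never counts, which is the price of excluding dense formats: a detector like this notices documents being encrypted, not a photo library.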