The silver lining on a ransomware attack

Ransomware is bad news, but it can also be a powerful motivator for companies to up their game when it comes to defending against cyber threats

I wouldn’t wish a ransomware attack on anyone. A particularly destructive form of malware, ransomware has made a name for itself this year as one of the internet’s top threats. A recent survey revealed that half of companies had responded to a ransomware attack, with 85 percent reporting three or more. If it locks down your personal computer, it’s a royal pain. But if it gets onto a network drive at your work, that pain is multiplied by the number of employees and more.

Systematically locking down every computer on the network, ransomware puts your entire workforce out of work and sends your IT guys to the mats trying to find the money to pay the ransom or the backups to bring the network back online. Long story short: Ransomware is bad news!

Ransomware attack: A cautionary tale

However, I talked to a friend the other day who convinced me that there may be a silver lining around the dark cloud that is ransomware.

Jim is the IT director at a small cyber consulting company outside Denver. They’ve got about 150 employees and are growing rapidly as they bask in the hot tech market. He and his one full-time employee, Jennie, are plenty busy staying ahead of the growing network infrastructure, let alone trying to keep up with best practices on network protections. Jim jokes that every time he turns around he’s adding another employee to the network.

Last Tuesday, Jim’s worst nightmare began to unfold. As employees started arriving at work and checking their inboxes, an email from a sales guy caught his eye:

“Are you trying to phish me?” it asked. “That’s a good one.”

It was a good one, Jim noted as he opened it in a safe sandbox environment: “Be sure you update your end-of-month numbers in the attached spreadsheet,” read the email, which was signed “Accounts Receivable.”

As Jim prepared to examine the file, another sales guy pinged him: “What’s up with the Sales drive? Some of the files are locked.”

With a knot starting to turn in his stomach, Jim bounced out to the Sales drive and could see that file after file was being encrypted before his very eyes. Somehow malware had gotten onto the network drive and was systematically locking every file.

Jim and Jennie knew they needed to act quickly: They immediately took the Sales drive offline, hoping that the malware had been contained to this one drive and hadn’t spread to other essential systems (or everyone’s personal computers). From there, they isolated other drives and enlisted the help of several trusted team members to fan out throughout the company, showing everyone how to pull their network cable and disconnect from the Wi-Fi. Within a matter of 10 minutes—remember, it’s a small company—all systems were isolated.

To everyone’s immense relief, the recovery went smoothly. The malware—it turned out to be a form of ransomware called “Zepto”—had been contained to a single computer (more on this soon) and the Sales drive. Since all systems had been backed up in the wee hours of that morning, it was simple to recover the systems, run a full network scan, and get everyone back to work.

All in all, total loss of all-hands productivity was about an hour. Perhaps best of all: There was no ransom to be paid.

Lessons learned from a ransomware attack

But boy, were there lessons to be learned! For Jim and Jennie in IT, the incident served mostly as confirmation of procedures they already had in place. Their backup and recovery plans worked like clockwork, and their ability to isolate systems confirmed the work they had done to build a secure infrastructure.

For Stacy, the new business development rep who had welcomed the ransomware onto her system, it was a scary second day of work. While everyone else in the company recognized the email was a scam, Stacy didn’t have the context to recognize it as such. So, she didn’t react rapidly when she opened the attachment and found a corrupted file. She just closed it and went back to work, which allowed the ransomware to move across the network to the first shared drive it found. She was really embarrassed and scared when IT found out it was her computer that opened the door for the attack. Suffice it to say, she’ll be more careful in the future.

Unintended results from the attack

As I listened to Jim tell the story, it dawned on me, however, that the real winners in this whole episode were company management and the overall employee population. Management started arriving as the lockdown was underway, and they got to see their IT team functioning at a high level.

In an all-hands meeting later that day, the company CISO shared the dramatic story of how they managed to avoid a catastrophic infection thanks to employees who reported their concerns and an IT team that had prepared properly and acted quickly in the face of the attack. Employees got to see firsthand the dangers of not paying attention to phishing attacks and to recognize the real business benefits of IT’s security precautions.

As a guy who spends a lot of time looking for ways to engage all employees in understanding threats to security and privacy, I was delighted with the results from this episode:

  • Management stood behind IT and recommitted themselves to a more extensive security education program.
  • IT got to experience the results of their strong preparation (and picked up some accolades along the way).
  • Employees across the company engaged in substantive conversations about the things they could do to protect the company.

What could have been a costly incident instead turned into a powerful motivator for all in the company to up their game when it comes to defending against cyber threats. How’s that for the power of unintended consequences?

Copyright © 2016 IDG Communications, Inc.