Just a couple of months ago, I discussed two of my current challenges: securing a remote workforce when most of the applications that folks use are cloud-based software as a service (SaaS), and having employees who, thanks to those SaaS apps, have no reason to connect to the corporate network and therefore rarely access the IT infrastructure.

Trouble Ticket

At issue: A user who hasn’t backed up his PC in months just saw his documents get encrypted by ransomware.

Action plan: Find out how it happened, but more importantly, use this event as leverage to address an ongoing problem.

Well, this week, a situation arose that could expedite plans to address the matter. I got wind of it when a remote worker who is on our professional services team and is responsible for assisting with integration of our company’s software sent me an email with a subject line of “Uh Oh.” I know that this guy doesn’t easily panic, so this couldn’t be good news.

It wasn’t. His files had been locked up by ransomware.

We’ve had discussions in the company about what to do in cases of users’ documents being encrypted and held hostage by cyber crooks. The CFO and several vice presidents are adamantly opposed to paying ransom. I am of the same mind. I don’t want to pay money (this particular extortion was demanding 1.5 Bitcoins, or about $900 at current rates) for access to our own documents. And any company that pays a ransom is at the mercy of other hackers who find out that it will play along.

Besides, there should never be a need to pay such ransoms. Frequent backups should allow you to restore any documents as they existed not long before they were encrypted.

But if your employees have found they have little need to connect to the corporate network in the daily course of doing their jobs and connecting to the network is the only way they are going to have their files backed up, you’re in trouble.
So, yes, we’re in trouble.

A big part of the problem is that users don’t perceive that they are bypassing backups. Even people who work intensely with software, such as the victim in this case, don’t always see the danger. He was under the impression that his data was being backed up. But when I checked in with the IT department, I learned that the last time his PC had been backed up was in June 2016, more than three months ago. Our antivirus and Windows Server Update Services management consoles told a similar story: This PC has not been patched lately, and the last time it was connected to our antivirus console was more than three months ago, when the user visited the office for a company meeting. More and more, this is typical; we have several other employees who haven’t connected in more than six months.

This particular ransomware tale diverges into two separate storylines. One involves all that I am doing to determine just how the PC was victimized. I got as much information as I could from the user. The problem arose after he was prompted to reboot. At the time, he had been logged into our company’s performance management tool, entering his objectives for the next quarter. He figured the reboot was related to a patch installation and went ahead. Other lines of inquiry — What else had he been doing? Was another browser window open to a suspicious website? Had he downloaded any programs recently? Did he let others use his computer? — didn’t turn up anything suspicious. I spent some time reviewing his archived email to see if I could find some sort of phishing missive with a malicious link. Nothing. So far, I haven’t turned up a smoking gun, so a forensic examination of the PC will be necessary.

I had the user ship it to me, and I am exploring forensic examination options.
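The console check described above (last backup, last antivirus check-in, last patch) is the kind of thing that can be run as a routine stale-endpoint report rather than discovered after an incident. The following is an added example, not the author's or his employer's tooling; the CSV layout, hostnames, dates, report date and 30-day threshold are all constructed assumptions:

```python
# Added example (not from the original article): report endpoints whose last
# backup, antivirus check-in or patch date is older than a policy threshold.
import csv
from datetime import datetime
from io import StringIO

# Constructed sample export in the shape of a management-console CSV.
# Hostnames and dates are invented; ps-laptop-01 mirrors the article's case
# (last seen in June 2016, report run in early October 2016).
SAMPLE_EXPORT = """\
hostname,last_backup,last_av_checkin,last_patch
ps-laptop-01,2016-06-21,2016-06-21,2016-06-21
hq-desktop-07,2016-09-30,2016-10-02,2016-09-28
sales-laptop-03,2016-03-14,2016-03-14,2016-03-14
"""

CHECKS = ("last_backup", "last_av_checkin", "last_patch")
THRESHOLD_DAYS = 30  # assumed policy: more than a month without contact is stale

def parse_export(text):
    """Parse the CSV export into rows whose check columns are date objects."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        parsed = {"hostname": row["hostname"]}
        for check in CHECKS:
            parsed[check] = datetime.strptime(row[check], "%Y-%m-%d").date()
        rows.append(parsed)
    return rows

def stale_endpoints(rows, as_of, threshold_days=THRESHOLD_DAYS):
    """Return {hostname: {check: days_since}} for every check past the threshold."""
    findings = {}
    for row in rows:
        ages = {check: (as_of - row[check]).days for check in CHECKS}
        overdue = {check: age for check, age in ages.items() if age > threshold_days}
        if overdue:
            findings[row["hostname"]] = overdue
    return findings

def run_report(export_text, as_of_iso, threshold_days=THRESHOLD_DAYS):
    """Parse the export and evaluate it as of an ISO-formatted report date."""
    as_of = datetime.strptime(as_of_iso, "%Y-%m-%d").date()
    return stale_endpoints(parse_export(export_text), as_of, threshold_days)

if __name__ == "__main__":
    # Assumed report date: a few days after the article's "this week" in October 2016.
    for host, overdue in sorted(run_report(SAMPLE_EXPORT, "2016-10-03").items()):
        detail = ", ".join(f"{check}={days}d" for check, days in overdue.items())
        print(f"{host}: {detail}")
```

Feeding the real console exports into `parse_export` and running the report on a schedule turns "hasn't connected in more than six months" into a list someone sees every week.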
Lacking the budget for sophisticated forensics software or analysts, I’ll make a mirror image of the drive and attempt to dissect it myself with some open-source tools. If I’m not successful, I’ll consider hiring a third party.

The other path is to take advantage of this event to get funding for new tools that will safeguard us from a recurrence. From my perspective, it’s helpful that the user lost some critical project plans and data that he was using to implement our software for some strategic customers. (I know the user will have a harder time seeing the silver lining.) We could end up with a new antivirus solution, with ransomware detection, and new backup and systems management solutions, all cloud-based.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at email@example.com.