SEELEY LAKE – “Your files have been encrypted,” were the words on a black screen for the file servers at Pyramid Mountain Lumber March 15. Pyramid’s entire network fell victim to the ransomware attack. Not willing to deal with criminals, they started rebuilding the three network servers and three workstations from scratch. It could take up to three months to get all the systems running like they were before the attack. However, all the historical records are lost.
Pyramid’s Network Administrator Mark Meissner is a Microsoft Certified system engineer. He took on Pyramid’s computer systems “because I have an affinity for it. As a certified system engineer I know a lot about networks, I know a lot of things about how to make various systems talk to each other and I know a lot of things about network protocols. However, I’m not a security expert.”
About a week before the attack during his regular morning check of the system, Meissner noticed some files were completely missing and there was new software installed. Since he is the only one who deals with programming, Meissner uninstalled the pieces of software and replaced the files that were missing.
The next day brought a similar situation, so Meissner enlisted Microsoft. They reached no real conclusion about the anomaly.
“I started the laborious task of creating disk images so that I would be prepared for the day of some eventual attack,” said Meissner. “I also started to lock down our firewalls and close external connections.”
Thursday morning everything was working fine. Meissner got a call from the mill that one of the computers wasn’t working properly. Around the same time someone in the office said that their computer rebooted by itself.
“When the computer rebooted, there was a black screen that said, ‘Your Files are Encrypted.’ It gave me an email address to contact and it was waiting for a password to be entered. I basically panicked,” said Meissner. “I immediately ran down to the server where backups were running and the same thing was happening to all three servers.”
Three servers (the domain controller, the maintenance database and the financial server), as well as three machines that were left on overnight, were compromised. Pyramid lost their entire payroll program, all the history, all accounts payable, sales and accounts receivable and all of their email that was backed up to the server.
The server that runs their log program, the machine centers and the rest of the nearly 30 workstations that were powered off overnight were not affected. This is because they are either not connected to Pyramid’s domain or they were not connected to the server during the attack.
“Suddenly my backups [that were saved on the server] were of no value,” said Meissner.
* * * * *
Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them.
Meissner explained that there are several types of ransomware. The type that attacked Pyramid encrypted the drives, the file allocation table and the master boot record. The system would not start and the drives were not visible.
“Without the decryption key we were not going to be able to restore those files and frankly, I don’t know that their decryption key would have worked. We opted not to take that risk,” said Meissner.
“We don’t know where it came from and we weren’t going to deal with the devil and find out how much,” said Pyramid’s Chief Operations Officer Loren Rose who said all he knew was the ransom was to be paid in bitcoin, untraceable currency. “Dealing with a criminal just goes totally against our grain.”
Meissner said that more than 99 percent of the time, the virus infects the system by attaching to an email. When someone opens the attachment, it gives the perpetrators “command and control.” The perpetrators can control the machine they are on and if it is connected to a server, like in Pyramid’s case, they not only have access to the servers but can install malicious code.
Meissner said that even though he locked down the firewall, they were already in the system so it made no difference.
Two days prior to Pyramid’s attack, one of their vendors also had a similar attack with the same piece of ransomware. It is suspected that an employee opened an attachment from the vendor. Once the attachment was opened Meissner said, “the seeds of doom were sown.”
“If you aren’t expecting an attachment from someone, in other words you haven’t called and requested [something], then don’t open the attachment,” said Meissner. “You call the sender and verify that they in fact sent you something and ask what it is.”
Rose said there has been no indication that the files or employee information were compromised.
“These people aren’t interested in information, they just want to shut you down, deal with one source and get paid,” said Rose. “However, was any information breached? We don’t know. We’ve alerted all of our employees.”
Rose said they reported the attack to the Missoula County Sheriff’s Office in case there is a liability later. However, Pyramid doesn’t suspect anyone internal.
Meissner said that it is possible that Pyramid’s address book could have been accessed and malicious attachments sent from email accounts.
“Your best defense is to call [whoever sent the email] and ask if they sent an attachment [prior to opening it],” said Meissner. If they didn’t, delete the email.
Meissner has replaced all the drives in the servers and rebuilt them from scratch. On the three workstations that were compromised, he will strip out and replace the drives. All the other computers were disconnected from the network and scanned with software to detect any infection. So far, Meissner has not found any sign of the virus in the machines that were powered down during the attack.
“If the software I employ to detect this tells me that it is there, I’m going to treat it as an infected machine, strip the drive out and start over. I’m not going to take any chance that this infection will spread again,” said Meissner.
While Rose has no idea what the attack will cost, he estimates in the end Pyramid will pay tens of thousands of dollars.
“It’s a terribly devastating attack on a business like Pyramid,” said Meissner.
While Meissner is not a security expert, he has learned four big lessons working through this attack.
First, he recommends that anyone using computers, whether at work or at home, needs to understand that email attachments should not be opened without verifying that the person who sent the email actually sent the attachment.
User training in the workplace can help mitigate this. Blocking attachments is another option. Some businesses have set up a Dropbox in the cloud to exchange files instead.
Second, Meissner recommends making frequent backups and having a backup that is not connected to the network. For businesses, this includes system images which can help rebuild the server from scratch.
Third, add layers to standard anti-virus and anti-malware software on the servers and workstations that will protect the system from a ransomware attack.
Finally, make sure if firewalls are used, they can detect a ransomware attack.
“This type of attack is just as likely to hit a home as it is a business,” said Meissner. “It all comes down to someone opening an attachment in an email that they shouldn’t. The biggest control is the guy behind the keyboard.”
“The bottom line is the criminal element. They are getting smarter and smarter,” said Rose. “Really you need to back up daily or weekly and get it off the machine.”