
    Ransomware hits admin workstation and kills 7 servers

    IT Discussion
    ransomware cryptolocker cryptowall v2.0
stus Vendor

      I wanted to share a horror story with you, something that happened to somebody the day before yesterday. This is what happened in their own words:

      "We are a 250 employee non-profit and we heavily rely on our computer systems in almost everything we do. Yesterday, one of our admin workstations was hit with CryptoWall Version 2.0, and because this workstation had drives mapped to all our servers, and the administrator had permissions, all our seven servers were encrypted and we were dead in the water.

CryptoWall took just 55 minutes to encrypt 75 Gigs of information, and it had penetrated most of our network before we found out what was happening, isolated the workstation and got it disconnected from the network. We had backups of the seven servers, but it would take days to restore those, so we opted to find out if we could decrypt the files first.

Luckily we had just signed up for KnowBe4’s Kevin Mitnick Security Awareness Training, which came with a crypto-ransom guarantee in case something like this happened. We called them and got instant help with this very urgent problem.

      They had bitcoins ready in a wallet and were able to pay the $500 ransom within hours. The CryptoWall criminals were actually also pretty quick, and we were issued our decryption key soon after. We immediately started to decrypt all the files with the provided decryption tool and pulled an all-nighter. It was amazing how long it took to get through all of the data. It finally completed at around 8:30 am. So we estimate about 18 hours of running the decrypt tool on our 75 gigs of data.

      So far it only appears that one older database file was corrupted during the encryption, but we restored it from our backup and all is fine. I can’t say enough about KnowBe4’s quick response and support with this situation. We dodged a very big bullet here.

      While only a portion of our staff have completed the training, something tells me more will complete the training requirement after this event. Thank you very much!" - Q.M. IT Director

As you can see, ransomware hitting a key employee like an admin, or perhaps a CEO, controller, or CFO with a lot of access, can do immense damage.

Having all employees step through security awareness training and sending them simulated phishing attacks is an essential element of your defense-in-depth!

      Warm regards, Stu

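The spread pattern in Stu's story (one admin workstation, drives mapped to every server, full write permissions, 75 GB rewritten in under an hour) is visible in file-server audit logs long before anyone notices a ransom note. Below is an added example of the detection logic a practitioner would want for that pattern; it is not code from the original post, from KnowBe4, or from any product. It assumes a hypothetical pipe-delimited flattening of Windows Event ID 5145 (detailed file share access) and uses constructed sample events; the share names, accounts, hosts and thresholds are all made up for illustration.

```python
"""
Mass-write burst detector for file-share audit events.

Added example, not part of the original post or any vendor tool. It looks for
the pattern the incident describes: one account, from one workstation, writing
to many files across several mapped server shares in a few minutes. The input
format is a hypothetical pipe-delimited flattening of Windows Event ID 5145
(detailed file share access); the sample events below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Access-mask bits as used in Windows object-access auditing.
WRITE_DATA = 0x2
DELETE = 0x10000

# Hypothetical flattened line:
# timestamp | account | source host | share | relative path | access mask
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \| (?P<account>[^|]+?) \| (?P<host>[^|]+?) \| "
    r"(?P<share>[^|]+?) \| (?P<path>[^|]+?) \| (?P<mask>0x[0-9a-fA-F]+)$"
)


def parse_line(line):
    """Parse one flattened audit line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "account": m["account"].strip(),
        "host": m["host"].strip(),
        "share": m["share"].strip(),
        "path": m["path"].strip(),
        "mask": int(m["mask"], 16),
    }


def find_mass_write_bursts(lines, window=timedelta(minutes=5), min_shares=3, min_files=20):
    """Sliding-window detector.

    For each (account, host) pair, keep the write/delete events inside the
    window and alert the first time they span at least min_shares distinct
    shares and min_files distinct files. One alert per pair. Thresholds are
    assumptions to be tuned against a site's normal traffic.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for e in events:
        if not e["mask"] & (WRITE_DATA | DELETE):
            continue  # reads alone do not indicate encryption in progress
        key = (e["account"], e["host"])
        q = recent[key]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:  # q is never empty here
            q.popleft()
        shares = {x["share"] for x in q}
        files = {(x["share"], x["path"]) for x in q}
        if key not in alerted and len(shares) >= min_shares and len(files) >= min_files:
            alerted.add(key)
            alerts.append({
                "account": e["account"],
                "host": e["host"],
                "first_seen": q[0]["ts"],
                "triggered_at": e["ts"],
                "shares": sorted(shares),
                "files": len(files),
            })
    return alerts


def make_sample_events():
    """Constructed sample: a normal user saving a few files on one share, and an
    admin workstation rewriting 8 files on each of 4 server shares within 2 minutes."""
    base = datetime(2014, 11, 12, 9, 0, 0)
    lines = []

    def line(ts, account, host, share, path, mask):
        return f"{ts.isoformat()} | {account} | {host} | {share} | {path} | {mask:#x}"

    # Benign: one read plus a handful of saves on one share over ten minutes.
    lines.append(line(base, r"CORP\msmith", "WS-0042", r"\\FS01\Finance", "budget.xlsx", 0x1))
    for k in range(5):
        lines.append(line(base + timedelta(minutes=2 * k), r"CORP\msmith", "WS-0042",
                          r"\\FS01\Finance", f"report{k}.docx", WRITE_DATA))

    # Suspicious: one admin account, one host, every mapped share, fast.
    shares = [r"\\FS01\Finance", r"\\FS02\HR", r"\\FS03\Programs", r"\\FS04\Shared"]
    n = 0
    for share in shares:
        for j in range(8):
            ts = base + timedelta(minutes=30, seconds=3 * n)
            lines.append(line(ts, r"CORP\jadmin", "WS-ADMIN01", share, f"doc{j}.docx", WRITE_DATA))
            n += 1
    return lines


if __name__ == "__main__":
    for a in find_mass_write_bursts(make_sample_events()):
        print(f"{a['account']} from {a['host']}: {a['files']} files on "
              f"{len(a['shares'])} shares between {a['first_seen']} and {a['triggered_at']}")
```

Against the constructed sample, the admin account trips the detector about a minute into its run, after 20 files on three shares, while the ordinary user never does. In a real deployment the feed would come from the file servers with "Audit Detailed File Share" enabled, and the alert would drive the same action the team in the story took by hand: cut the workstation off the network and disable the account, which also argues for not leaving a daily-use admin account with write access to every share.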
thanksajdotcom

        Cool story. Still, who was stupid enough to get hit with Cryptolocker? Did their AV not pick this up? Did someone ignore the AV warning if it came up?

stus Vendor

          The AV on the workstation was McAfee, but did not block the malware executing when the admin (in a weak moment) clicked on something... 😞

thanksajdotcom @stus

            @stus said:

            The AV on the workstation was McAfee, but did not block the malware executing when the admin (in a weak moment) clicked on something... 😞

            Oh this makes me want to laugh so hard! Time to switch to Webroot!

thanksajdotcom @stus

              @stus I work at McAfee. That's why I find it hysterical!

thanksajdotcom

                But not supporting their AV.

stus Vendor

                  Yes, there is some irony here. LOL

scottalanmiller

                    Welcome to the Mango Lassi community!

StrongBad @thanksajdotcom

                      @ajstringham said:

                      Cool story. Still, who was stupid enough to get hit with Cryptolocker? Did their AV not pick this up? Did someone ignore the AV warning if it came up?

                      Tons of people get hit by Cryptolocker. You have to assume that people will do stupid things in order to think well about security.

thanksajdotcom @StrongBad

                        @StrongBad said:

                        @ajstringham said:

                        Cool story. Still, who was stupid enough to get hit with Cryptolocker? Did their AV not pick this up? Did someone ignore the AV warning if it came up?

                        Tons of people get hit by Cryptolocker. You have to assume that people will do stupid things in order to think well about security.

                        I know but still, that's a straight-up AV fail.

stus Vendor @scottalanmiller

                          @scottalanmiller thanks Scott !!!

StrongBad @thanksajdotcom

@ajstringham said:

I know but still, that's a straight-up AV fail.

                            AV only protects you if you let it.

thanksajdotcom @StrongBad

@StrongBad said:

AV only protects you if you let it.

                              Yes, but AV is, as a rule, designed to prevent stupidity. IT guys could go without AV on their computers and would still almost never get viruses. Maybe some spyware, etc but almost never a full-blown virus. We know better. End-users are where AV is most important from a protection standpoint. Obviously IT guys have the admin rights but from a preventing it for prevention's sake standpoint, AV is most important for end-users. Obviously McAfee wasn't doing its job...

Dashrender @thanksajdotcom

@ajstringham said:

                                Yes, but AV is, as a rule, designed to prevent stupidity. IT guys could go without AV on their computers and would still almost never get viruses. Maybe some spyware, etc but almost never a full-blown virus. We know better. End-users are where AV is most important from a protection standpoint. Obviously IT guys have the admin rights but from a preventing it for prevention's sake standpoint, AV is most important for end-users. Obviously McAfee wasn't doing its job...

Sadly Steve Gibson, a renowned security specialist, has reportedly done this - run with NO AV, and gotten no viruses.

                                I just don't consider that wise unless you're air gapped.

thanksajdotcom

@Dashrender, I'm not saying it's a good idea. We need it because legitimate sites still get hacked and create vulnerabilities for us where there aren't normally ones. Still, most IT guys would be fine 98% of the time without any AV on their systems.

Dashrender @thanksajdotcom

                                    @ajstringham said:

@Dashrender, I'm not saying it's a good idea. We need it because legitimate sites still get hacked and create vulnerabilities for us where there aren't normally ones. Still, most IT guys would be fine 98% of the time without any AV on their systems.

                                    LOL - considering another discussion - Programmers would not be covered by this 98%.. lol

thanksajdotcom @Dashrender

                                      @Dashrender said:

                                      @ajstringham said:

@Dashrender, I'm not saying it's a good idea. We need it because legitimate sites still get hacked and create vulnerabilities for us where there aren't normally ones. Still, most IT guys would be fine 98% of the time without any AV on their systems.

                                      LOL - considering another discussion - Programmers would not be covered by this 98%.. lol

                                      Lol I suppose that would be true

StrongBad @thanksajdotcom

                                        @ajstringham said:

Yes, but AV is, as a rule, designed to prevent stupidity.

Not at all, let alone as a rule. That is not what AV is. I think you are confusing it with best practices.

scottalanmiller @Dashrender

                                          @Dashrender said:

Sadly Steve Gibson, a renowned security specialist, has reportedly done this - run with NO AV, and gotten no viruses.

                                          I just don't consider that wise unless you're air gapped.

                                          Sure, you can. You can also not use passwords or always run as the admin. There are all kinds of things that you might get away with. Security is about layers. You can run servers without backups too and you might never lose a thing. But we all know that it is risky. But if you roll the dice, sometimes you make a critical hit no matter how unlikely it is.

                                          And Steve Gibson only doesn't think he has a virus. He doesn't actually know.

scottalanmiller @thanksajdotcom

                                            @ajstringham said:

@Dashrender, I'm not saying it's a good idea. We need it because legitimate sites still get hacked and create vulnerabilities for us where there aren't normally ones. Still, most IT guys would be fine 98% of the time without any AV on their systems.

                                            I've not met these IT guys. I don't think that that is a realistic statement at all. I'd say saying 2% would be fine would be a stretch. Most IT people I see run as admin and are pretty reckless with security.
