An Austin-based real estate firm did everything right but was still attacked with ransomware.

The Challenge

By clicking a link in a phishing email, an employee of an Austin-based real estate firm unknowingly granted a hacker the permissions needed to enter their system. The hacker eventually set off a scripted infection that encrypted 80% of their systems within 15 minutes of launching the attack.

This particularly damaging type of attack is called an APT, or Advanced Persistent Threat: the hacker gained access to the network and, while lying in wait undetected for a long period of time, learned a tremendous amount of confidential information about it. These attacks tend to be far more sophisticated and damaging because the knowledge of the system the hacker gains (which usually includes privileged, administrative access) lets them launch an automated, scripted attack.

Our Solution

Once GCS Technologies received an alarm that the firm's systems were compromised, we attempted to respond remotely, but the system was already offline. Within 15 minutes, 80% of production servers and 80% of desktops were encrypted. Once our onsite team was in place, we began to lock the system down and identify Patient Zero, which was immediately disconnected from the network. This enabled us to identify the variant and come up with the best recovery option for this situation.

The good news is that the real estate firm had a full image-based backup plan in place. This meant we were able to recover their compromised 10TB of data and rebuild all the affected desktops.

Results

Even with the full backup in place, the real estate firm suffered 4 days of near-complete downtime. We were able to get some of the systems back online after 1 day, but 10TB is a lot of data to restore and it takes time. Our takeaway, however, is that without the full backup the restore would have taken at least twice as long, the downtime would have increased exponentially and potentially all of the encrypted data could have been lost forever. Remember, paying the ransom does not mean everything will work out accordingly, as you are still dealing with criminals.

Recommendations

You can guard yourself and your business from malware, add anti-virus to every computer on the network and build strong firewalls, but if one internal user clicks the wrong link in an email, it can let a hacker in the back door in an instant.

Obviously, backups are going to be helpful in this situation; with full backups in place, downtime can be minimal and manageable. A few recommendations we have to help prevent a future attack are:

  • Limit the number of users with privileged or admin access, and regularly audit the groups that grant these elevated privileges.
    • Examples of these groups include the Administrators group (both local and Active Directory) and the Domain Admins, Enterprise Admins, Account Operators, Backup Operators and Print Operators groups within Active Directory.
  • Do not grant elevated privileges to an administrator's everyday account. Create distinct admin accounts and do not use them to log in to workstations.
  • Rename the default username of any administrator account and avoid using "admin" or similar in the name. This includes the local administrator account on workstations.
  • Use unique usernames and passwords for the administrator accounts on network devices such as switches, firewalls, wireless access points, printers and backup appliances. This way, if one account is compromised, the impact is limited.
  • Enable local firewalls on all computers and allow only required communication.
  • Apply software updates regularly and automatically on end-user devices such as workstations and laptops.
  • Disable insecure, legacy network protocols such as NetBIOS and Link-Local Multicast Name Resolution (LLMNR).
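As an added example (not a script from GCS Technologies or the real estate firm), the following PowerShell puts three of the recommendations above into practice on a domain-joined Windows workstation: it lists the user accounts in the privileged Active Directory groups named in the list (plus the local Administrators group) so membership can be audited, turns the local firewall on with inbound traffic blocked by default, and disables LLMNR and NetBIOS over TCP/IP. It assumes an elevated session, the RSAT ActiveDirectory module, and the default built-in group names; the function name `Get-PrivilegedMembers` and the group list are the example's own, while the registry values are the documented Windows policy locations for LLMNR and NetBIOS.

```powershell
# Added example (not GCS Technologies' or the firm's code): audit privileged group
# membership and apply workstation hardening from the recommendations list.
# Assumes: elevated PowerShell on a domain-joined host with the RSAT
# ActiveDirectory module installed; group names are the Windows defaults.

Import-Module ActiveDirectory

# --- 1. Audit privileged group membership (read-only) ---------------------------
$privilegedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins',
    'Account Operators', 'Backup Operators', 'Print Operators'
)

function Get-PrivilegedMembers {
    param([string[]]$Groups = $privilegedGroups)
    foreach ($group in $Groups) {
        # -Recursive expands nested groups so indirect members are not missed.
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                [pscustomobject]@{
                    Group  = $group
                    Member = $_.SamAccountName
                    DN     = $_.DistinguishedName
                }
            }
    }
}

# Every row is an account that must justify its membership; review this regularly.
$members = Get-PrivilegedMembers
$members | Sort-Object Group, Member | Format-Table -AutoSize

# Flag accounts sitting in more than one privileged group.
$members | Group-Object Member | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { Write-Warning "$($_.Name) is in $($_.Count) privileged groups" }

# The local Administrators group on this workstation is audited separately,
# since domain users and groups can be nested into it.
Get-LocalGroupMember -Group 'Administrators' | Format-Table Name, PrincipalSource -AutoSize

# --- 2. Local firewall: enabled, inbound blocked unless a rule allows it ---------
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# --- 3. Disable LLMNR (the policy value Group Policy itself writes) --------------
$dnsClientKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if (-not (Test-Path $dnsClientKey)) { New-Item -Path $dnsClientKey -Force | Out-Null }
Set-ItemProperty -Path $dnsClientKey -Name 'EnableMulticast' -Value 0 -Type DWord

# --- 4. Disable NetBIOS over TCP/IP on every interface (NetbiosOptions 2 = off) --
$netbtInterfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem -Path $netbtInterfaces | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value 2 -Type DWord
}

Write-Host 'Firewall enabled; LLMNR and NetBIOS disabled. A reboot applies the NetBIOS change.'
```

Run the audit section first on its own: it only reads group membership and produces the list to compare against the accounts that are supposed to hold elevated access. The hardening steps change system state, so test them on a single workstation before rolling the same registry values and firewall settings out through Group Policy, and confirm nothing on the network still depends on NetBIOS name resolution.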