Ransomware Case Study

A practice manager arrived at the office on Monday morning and was called by the receptionist, who asked why their computer was displaying an unfamiliar message. The message informed the practice that its files were encrypted and that the practice had 48 hours to pay a ransom of 10 bitcoin, or the files would remain locked and unusable.

The practice manager soon noticed that it was not just that one computer that was locked, but every device on the network. All of the computers were infected with the same ransomware.

The practice manager notified IT, who confirmed the ransomware attack.

The practice manager immediately contacted their cyber insurer to report the incident. The insurer's claims team arranged for a forensics team to begin working to determine what happened. The forensics team identified that someone had been logging into the network remotely at all hours of the night, and the practice manager confirmed that it was not staff logging in at odd hours. Eventually, the forensics team traced the intrusion to a specific link that had been clicked in an email; the link had sent the user's username and password to a cyber-criminal. The forensics team was also able to identify the exact variant of ransomware used, and that variant was not able to exfiltrate data off-site. No data left the practice's network.
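The odd-hours remote logins that the forensics team found are the kind of signal a practice can watch for before encryption starts. The following is an added example, not part of the original case study: it reads a constructed logon log (timestamp, user, source address, outcome), flags successful logons outside an assumed 07:00-19:59 weekday window, and groups them by user and source so repeated night-time access from one address stands out.

```python
"""Flag successful remote logons outside business hours.

Added example, not from the original page. The log format is constructed
for illustration; a real deployment would feed VPN, RDP or domain
controller logon events into the same logic.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: ISO timestamp, username, source address, outcome.
# 2024-03-03 is a Sunday; 2024-03-04 and 2024-03-05 are weekdays.
SAMPLE_LOG = """\
2024-03-03T14:30:00 reception 203.0.113.9 success
2024-03-04T08:55:12 dr.smith 198.51.100.20 success
2024-03-04T02:13:40 reception 203.0.113.9 success
2024-03-04T02:41:05 reception 203.0.113.9 success
2024-03-04T03:02:51 reception 203.0.113.9 failure
2024-03-04T17:20:00 dr.smith 198.51.100.20 success
2024-03-05T01:58:33 reception 203.0.113.9 success
2024-03-05T09:01:07 billing 198.51.100.31 success
"""

# Assumed business hours for this example: 07:00 to 19:59, Monday to Friday.
BUSINESS_HOURS = range(7, 20)


def parse_log(text):
    """Yield (datetime, user, src_ip, outcome) tuples from the constructed format."""
    for line in text.splitlines():
        ts, user, src, outcome = line.split()
        yield datetime.fromisoformat(ts), user, src, outcome


def is_after_hours(ts, hours=BUSINESS_HOURS):
    """True on weekends or when the hour falls outside the business window."""
    return ts.weekday() >= 5 or ts.hour not in hours


def after_hours_logons(text, hours=BUSINESS_HOURS):
    """Return successful after-hours logons grouped by (user, source address).

    Failed attempts are ignored here; they belong in a separate brute-force check.
    """
    hits = defaultdict(list)
    for ts, user, src, outcome in parse_log(text):
        if outcome == "success" and is_after_hours(ts, hours):
            hits[(user, src)].append(ts)
    return dict(hits)


def summarize(hits, min_count=2):
    """Keep only (user, source) pairs seen after hours at least min_count times."""
    return {key: len(times) for key, times in hits.items() if len(times) >= min_count}
```

Run against real logs, a pair that repeatedly appears in `summarize()` is worth confirming with the named user before it becomes the foothold for an encryption event.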

Fortunately, the practice had an offline backup that was not affected by the attack, so restoring the network from backup was possible. It took a few weeks to get everything back to normal, but it could have been much worse.

Ransomware is a form of malware designed to encrypt files on a device, rendering them and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Over time, malicious actors have adjusted their ransomware tactics to be more destructive and impactful and have also exfiltrated victim data and pressured victims to pay by threatening to release the stolen data. The application of both tactics is known as “double extortion.” In some cases, malicious actors may exfiltrate data and threaten to release it as their sole form of extortion without employing ransomware.

Ransomware and associated data breach incidents can severely impact business processes by leaving organizations unable to access necessary data to operate and deliver mission-critical services. The economic and reputational impacts of ransomware and data extortion have proven challenging and costly for organizations of all sizes throughout the initial disruption and, at times, extended recovery.

Best Practices: Preparing for Ransomware and Data Extortion Incidents

The Cybersecurity and Infrastructure Security Agency (CISA) recommends the following best practices to help manage the risks posed by ransomware and to drive a coordinated and efficient response for your organization in the event of an incident. Apply these practices to the greatest extent possible pending the availability of organizational resources.

  • Maintain offline, encrypted backups of critical data, and regularly test the availability and integrity of those backups in a disaster recovery scenario. Keep backups offline, because many ransomware variants attempt to find and then delete or encrypt accessible backups to make restoration impossible unless the ransom is paid.
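Testing backup integrity means more than confirming the files exist. As an added example (not from CISA's guidance or the original page), the script below records a SHA-256 manifest when the backup is taken and, at restore time, reports files that are missing, altered or unexpected; the directory layout and file contents are constructed with `tempfile` so it runs offline.

```python
"""Verify a restored backup against a hash manifest.

Added example, not from the original page. The manifest should be kept with
the offline backup so a later infection of the live system cannot rewrite it.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large database files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree to the manifest. Returns (missing, altered, extra)."""
    current = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    altered = sorted(k for k in manifest.keys() & current.keys() if manifest[k] != current[k])
    return missing, altered, extra


def demo():
    """Constructed scenario: back up two files, then damage the restored copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = Path(tmp, "src"), Path(tmp, "restored")
        src.mkdir()
        (src / "patients.db").write_bytes(b"record-1\nrecord-2\n")
        (src / "notes.txt").write_text("follow up Tuesday\n")
        manifest_path = Path(tmp, "manifest.json")
        manifest_path.write_text(json.dumps(build_manifest(src), indent=1))
        shutil.copytree(src, restored)
        # Simulate a bad restore: one file encrypted in place, one file missing.
        (restored / "patients.db").write_bytes(b"\x00garbage")
        (restored / "notes.txt").unlink()
        return verify_restore(json.loads(manifest_path.read_text()), restored)
```

A restore test that returns anything other than three empty lists should be treated as a failed backup, not a minor discrepancy.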

  • Maintain and regularly update “golden images” of critical systems. This includes maintaining image “templates” that have a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server.

  • Use infrastructure as code (IaC) to deploy and update cloud resources, and keep backups of template files offline to quickly redeploy resources. IaC templates should be version controlled, and changes to them should be audited.

  • Store applicable source code or executables with offline backups (together with any escrow and license agreements). Rebuilding from system images is more efficient, but some images will not install correctly on different hardware or platforms; having separate access to the software helps in these cases.

  • Retain backup hardware to rebuild systems if rebuilding the primary system is not preferred.

  • Consider replacing out-of-date hardware that inhibits restoration with up-to-date hardware, as older hardware can present installation or compatibility hurdles when rebuilding from images.

  • Consider using a multi-cloud solution to avoid vendor lock-in for cloud-to-cloud backups in case all accounts under the same vendor are impacted.

  • Some cloud vendors offer immutable storage solutions that can protect stored data without the need for a separate environment. Use immutable storage with caution, as it does not meet compliance criteria for certain regulations, and misconfiguration can impose significant cost.

  • Create, maintain, and regularly exercise a basic cyber incident response plan (IRP) and an associated communications plan that includes response and notification procedures for ransomware and data extortion/breach incidents. Ensure a hard copy of the plan and an offline version are available.