
MapleSEC: The ransomware attack that turned into a horror story

October 5, 2020  •  3 minute read

If you want to hear cyberattack horror stories, ask a penetration tester.
But you might have trouble beating the one pen tester Terry Cutler of Montreal’s Cyology Labs told Monday during the MapleSec online conference hosted by IT World Canada.

It started with a plea for help he received on a Sunday night from an unnamed Canadian laboratory with offices across the country. It had been hit two days earlier by a ransomware attack.

Most firms pay the ransom, clean the computers and get back online. But this incident turned into a six-day nightmare. It’s “one of my most stressful stories,” Cutler recalled. Here’s why:
1. The ransomware was distributed by a malicious attachment. Unfortunately, employees across the country kept clicking on the attachment, increasing the number of infected computers (and, separately, increasing the ransom).
2. Before any software could be installed, Cutler’s firm had to collect forensic evidence on each computer for insurance purposes. But by then all the machines were offline, so data collection had to be done manually on each of the 200 computers. That involved bringing in another IT support firm.
3. A clean parallel network was built so the company could get back online, and the PCs were scoured. For extra protection, a new endpoint detection and response (EDR) solution was installed on each. But when the PCs were connected to the new network they got infected again. The network and PCs were rebuilt, and all were infected again when connected to the new network. After it happened a third time they discovered that the laptop of the technician doing the rebuilding had been hacked with remote access software called Off The Record, which the ransomware gang was using to keep uploading malware.
4. By Day 5 the ransomware demand for decryption keys had hit $800,000. Deciding not to pay, the company turned to its backup tapes, “but the technicians didn’t know where all the tapes were,” said Cutler. “They were not in order, they were all over the place. You have to have them in a specific order to retrieve the data. And there were terabytes of data. When we finally got all the tapes, we couldn’t mount it (the recovery software) because the driver for the tape drive was on the old Windows Server 2003. It wouldn’t run on (the environment’s new) Server 2019. So we had to wait for the evidence collection to run on the old server before we could even start the restore process.” That took 17 hours.
5. The tape library database had been destroyed by the ransomware, so all the backup tapes had to be re-indexed. A data recovery firm had to be hired to do that.

Ultimately the ransom was negotiated down to $175,000. But the firm lost a week’s work, during which the bulk of the employees were still being paid.
“I was so sure they were going to shut their doors because nothing was going right for us until they had to pay the ransom,” said Cutler.
There was no shortage of lessons from this attack:
Every firm must inventory all the software it has on every computer and server. This is particularly vital for old software. Do you have all the software installation keys for each application in case it needs to be re-installed? Remember, some data may only be readable by the software version it was captured with, not the latest version.
In addition to making sure data is backed up, test your backup and restore procedures so that staff understand what has to be done, and so that you learn the tape order, driver and operating-system dependencies before an incident rather than during one.
Have offsite backups that aren’t connected in real time to the network, so that ransomware that reaches the network can’t reach them too.
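The restore drill these lessons call for, as an added example that is not part of the original article or of Cyology Labs’ own process: a POSIX shell script that backs up a constructed sample directory with tar, records a SHA-256 manifest of the source, restores the archive into a scratch directory and verifies every restored file against the manifest. The directory names, file contents and function names are assumptions made for the illustration. In a real drill the same check would be run against the offline copy (not a live replica), on the operating-system build the restore will actually happen on, so that a missing driver or a mis-ordered tape set shows up in a rehearsal rather than on day 5 of an incident.

```shell
#!/bin/sh
# Backup/restore drill (added example, not the article's own tooling).
# Constructed sample data stands in for the lab's files; every path below
# is an assumption for the illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SRC="$WORK/src"                  # what we pretend is production data
BACKUP="$WORK/backup.tar.gz"     # the "tape"
MANIFEST="$WORK/manifest.sha256" # hashes taken at backup time
RESTORE="$WORK/restore"          # scratch restore target

make_sample_data() {
  # constructed sample files standing in for lab results and config
  mkdir -p "$SRC/results" "$SRC/config"
  printf 'sample-001,positive\nsample-002,negative\n' > "$SRC/results/batch1.csv"
  printf 'tape_order=1,2,3\n' > "$SRC/config/library.ini"
}

take_backup() {
  # hash every file relative to SRC so the manifest can be checked
  # from inside the restore directory later
  (cd "$SRC" && find . -type f | sort | xargs sha256sum) > "$MANIFEST"
  tar -czf "$BACKUP" -C "$SRC" .
}

restore_backup() {
  # restore into an empty scratch directory, never over production
  rm -rf "$RESTORE"
  mkdir -p "$RESTORE"
  tar -xzf "$BACKUP" -C "$RESTORE"
}

verify_restore() {
  # succeeds only if every file in the manifest came back byte-identical;
  # a missing or altered file makes sha256sum -c return non-zero
  (cd "$RESTORE" && sha256sum -c "$MANIFEST" >/dev/null 2>&1)
}

run_drill() {
  make_sample_data
  take_backup
  restore_backup
  verify_restore
}

if run_drill; then
  echo "restore drill passed: $(wc -l < "$MANIFEST") files verified from $BACKUP"
else
  echo "restore drill FAILED: restored data does not match the manifest" >&2
  exit 1
fi
```

The useful part is the verification step: a backup job that reports success tells you the tape was written, not that anything can be read back. Running this on a schedule, from the offline copy, on the target server build, is what turns the article’s “test your backup and restore procedures” into something staff have actually done.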
“IT guys are always asking for money,” said Cutler. “Upper management never believes the organization will be hacked. I can promise you once ransomware occurs, the budget magically shows up because they don’t want to go through this again.”
The MapleSec conference continues Tuesday and Wednesday. Registration is free.
