Case Study – How to Get a Virus | Preventing Computer Viruses – IT Security – Endpoint Protection

Introduction

You know what really gets our goat?  It’s the blissful disregard for IT security displayed by many business owners, IT managers and individuals.  While it’s true that there is no such thing as an entirely secure computer or computer network, there are steps that can be taken to significantly reduce the likelihood of contracting a computer virus and losing all your data.  And guess what?  It starts with you!

Your Own Worst Enemy

Here at VanTech, we tend to get a lot of clients immediately after something bad happens.  Let’s get this straight from the get-go.  If you are calling us the morning after a breach, you are calling too late.  Don’t be your own worst enemy.  Consider the following case study and try to identify how much like this client your business is:

You are the VP of Operations for a 30 year-old company.  Over the last five years business and revenue have grown at a rate that’s been difficult to keep up with, but money is flowing in and everything is wonderful.  The thought crosses your mind that maybe now is the right time to contract with a managed service provider to handle your ongoing IT concerns, and, maybe more importantly, to take an honest look at the existing infrastructure for potential security issues.  After all, you have been adding more and more devices to your network without so much as a second thought and you haven’t been able to shake the feeling that as business gets better, your network and computers seem to be getting slower and slower.

Here’s the rub: You want your boss, the owner of the company, to see this increased revenue without a corresponding increase in spending, especially in IT which he doesn’t understand or value.  So you let it ride…

As time goes on you notice that your job as VP of Operations is almost exclusively taken up dealing with minor technical issues and fielding IT-related complaints from the staff.  Everything is slow.  Productivity and morale are on the decline.

One morning you come to work and are greeted by your office manager.  She informs you that, try as she might, she cannot access any of the files on the file server.  You begin to sweat, and though you are unsure what happened, you know it’s not good.

[Image: Cryptolocker ransomware message]

Upon logging onto the file server you are greeted with the not-so-friendly message pictured on the right.  Your file server has been infected by ransomware.  How did this happen, you think to yourself, but you have a feeling you already know.  In a full panic you call the owner and tell him that all company data has been encrypted and that production on all fronts must cease until a proper course of action can be identified.  Your owner asks what the options are and you tell him that you do not know.  Faced with the uncertainty of prolonged downtime, loss of revenue and potential loss of all company data, your owner tells you to pay the ransom.  $1,500 later you have your files back.  The next morning you call VanTech, along with a couple of other New Jersey based IT companies, to come in for a consultation.

Seriously?  What Did You Expect?

VanTech’s approach in situations such as these is brutal but tactful honesty.  Clients seem to appreciate it, especially when something terrible happens and confusion abounds.  Sometimes there is no easy way to say you brought this on yourself, so the only recommendation available is to make sure it doesn’t happen again.  In this case, there were so many red flags and potential weak points that we’ll need a bulleted list:

  • Firewall Subscription Expired – Your firewall is your bubble around your entire network and is arguably the most important component in building a secure network.  What foresight it took to purchase a firewall!  How crazy it was to let the subscriptions expire!  Firewalls rely on constant updating to keep up with the most current threats, and they cannot get their updates without a subscription.  Allowing the subscription on the firewall to expire was the first step in getting ransomware.
  • Advanced Email Protection Subscription Expired – The client had always hosted its own mail server.  This was mostly a matter of cost savings.  Functionality compared to cloud-based email and hosted solutions was limited.  As part of the self-hosting model, an advanced email protection service was purchased on a subscription basis.  As long as the subscription was current, the server was protected from most phishing schemes, infected attachments and SPAM.  There was also functionality to block users and domains at the server level.  Unfortunately, this advanced protection had been expired for months, rendering it useless.
  • Inconsistent Desktop Security – Almost every desktop in the entire environment had a different endpoint protection product or none at all.  Most were expired.  Some computers had two or three different antivirus products installed concurrently.  None of these scanners reported to a centrally managed dashboard, and if a user got a virus there was no standard operating procedure in place to remediate it.  Almost all of their 20 computers contained a virus or malware.
  • Insufficient Backup – The client’s file server was backed up every night to the same external hard drive.  At any given moment the most recent backup available was yesterday’s.  There was no online, offsite backup in place.  When the ransomware hit, one of the first things it did was locate the backup drive and encrypt it.  This, more than any other factor, was the driving force behind paying the ransom.  There was no other recourse.
  • Lapses in Awareness and Training – Ransomware is relatively new.  The client failed to realize this new threat was a real danger to their data and network.  Given that ransomware is mostly spread through infected email attachments, it was fairly obvious that at least one of the employees was indiscriminately clicking on attachments from untrusted sources.

Oops!  My Bad!

So, what actually happened?  Well, as it turns out, on a slow Monday afternoon the owner of the company was checking his email at his desktop computer.  He came upon an email that seemed like it was from a trusted source, but in hindsight seemed a little weird.  Usually when this particular vendor sent him an invoice there was an email signature and a personalized message.  In this case, there was a plain-text email that simply said, “Can you review this invoice and get back to me”.  And so, he clicked on the attached PDF.  Nothing seemed to happen when he clicked on the PDF.  Unconcerned, he moved on to the next item in his mailbox.

What the owner didn’t know is that this particular ransomware was special.  It wasn’t concerned with infecting the host machine.  It was simply using the host machine to find the file server.  Through a mapped drive it was able to determine the existence and location of the server and install itself on that machine.  It sat dormant there until the middle of the night, when no one would be around to notice what was happening.  It deployed itself and the rest was history.
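The night-time encryption run described above has a recognizable shape while it is happening: one account rewriting hundreds of files on the share in under a minute, outside business hours, and reaching into the always-attached backup drive that the Insufficient Backup point calls out.  The following Python script is an added illustration, not part of the original post and not VanTech’s tooling; it reads a constructed, simplified write-audit log (the line format, the CORP\owner and CORP\officemgr accounts, the D:\Shared and E:\Backups paths, and the threshold and window values are all assumptions) and raises one alert per such burst.

```python
"""After-hours mass-modification detector for a file share (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed settings; tune them to the environment being monitored.
BUSINESS_HOURS = (7, 19)             # local hours treated as normal activity
BURST_THRESHOLD = 50                 # writes by one account inside WINDOW
WINDOW = timedelta(seconds=60)
BACKUP_PREFIXES = ("E:\\Backups",)   # assumed mount point of the backup drive


def build_sample_log():
    """Constructed, simplified write-audit lines (not real Windows events):
    'YYYY-MM-DD HH:MM:SS <account> <path>'."""
    lines = []
    # Normal daytime activity: the office manager saves a handful of documents.
    start = datetime(2015, 11, 16, 10, 0, 0)
    for i in range(8):
        ts = start + timedelta(minutes=7 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} CORP\\officemgr D:\\Shared\\Docs\\memo-{i}.docx")
    # Night-time burst: one account rewrites 150 files in 45 seconds, and every
    # tenth write lands on the always-attached backup drive.
    start = datetime(2015, 11, 17, 2, 13, 0)
    for i in range(150):
        ts = start + timedelta(milliseconds=300 * i)
        folder = "E:\\Backups\\nightly" if i % 10 == 0 else "D:\\Shared\\Invoices"
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} CORP\\owner {folder}\\invoice-{i}.pdf")
    return "\n".join(lines)


def parse_events(text):
    """Return (timestamp, account, path) tuples; paths may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, account, path = line.split(" ", 3)
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, account, path))
    return events


def is_after_hours(ts):
    """True when the timestamp falls outside the assumed business hours."""
    return not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def detect_bursts(events, threshold=BURST_THRESHOLD, window=WINDOW):
    """Sliding-window count of writes per account; one alert per burst.

    An alert opens when an account exceeds `threshold` writes inside `window`
    and keeps counting until that account's activity drops back below it.
    """
    recent = defaultdict(deque)      # account -> (timestamp, path) in window
    open_alerts = {}                 # account -> alert currently being extended
    alerts = []
    for ts, account, path in sorted(events):
        q = recent[account]
        q.append((ts, path))
        while q and ts - q[0][0] > window:
            q.popleft()
        if account in open_alerts:
            alert = open_alerts[account]
            alert["count"] += 1
            alert["backup_touched"] |= path.startswith(BACKUP_PREFIXES)
            if len(q) < threshold:          # burst has subsided; close it
                del open_alerts[account]
        elif len(q) >= threshold:
            alert = {
                "account": account,
                "start": q[0][0],
                "after_hours": is_after_hours(q[0][0]),
                "count": len(q),
                "backup_touched": any(p.startswith(BACKUP_PREFIXES) for _, p in q),
                "example_path": q[0][1],
            }
            open_alerts[account] = alert
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(parse_events(build_sample_log())):
        print(f"ALERT {a['account']} from {a['start']:%Y-%m-%d %H:%M:%S}: "
              f"{a['count']} writes, after_hours={a['after_hours']}, "
              f"backup_touched={a['backup_touched']}, e.g. {a['example_path']}")
```

On the constructed log the office manager’s daytime saves never approach the threshold, while the 02:13 run produces a single alert covering all 150 writes, flagged as after-hours and as having touched the backup path.  In a real deployment the input would be the file server’s object-access audit events or a monitoring agent’s feed, and the threshold would be set from a baseline of normal activity; even a well-tuned alert, though, only buys reaction time, and it does nothing to recover files that an online backup drive has already lost.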

Rather Be Lucky Than Good?

The potential for serious, life-changing and business-ruining fallout from this little episode was great, and it was only due to dumb luck that the client didn’t face more serious repercussions.  For one thing, paying the ransom worked.  This is not always the case.  Thankfully, the entire file system was decrypted and all production data was recovered.  Secondly, the owner was the immediate cause.  He didn’t fire himself.  But can you imagine how different the circumstances would have been if literally anyone besides the owner had been responsible for infecting the network?

In my opinion, tracing the infection to the owner is the only reason heads didn’t roll, because separate from the immediate cause, the secondary cause of this breach was the laissez-faire attitude of those in charge of internal IT.  You might think that it can’t happen to you or your business, but it can.  Is this something you want to bet your employment on?

Conclusion

These types of events tend to open the eyes of all those involved, and suddenly all the things that were ignored for years become priority number one.  This client in particular realized the importance of ongoing managed IT services, internet security, hosted Exchange email, online offsite backup, centrally managed antivirus and antimalware, and current firewall subscriptions all at once.  They ended up spending a tremendous amount of money in one shot instead of spacing those expenditures out over a period of time through proactive maintenance and IT planning.

Today they are in a much better place.  Granted, there is no 100% secure network.  Large and small companies will continue to face similar breaches, but managed IT services, at least, give us a fighting chance.

If this case study hits just a little too close to home, if you are unsure what the heck is going on, contact us today.