Case study: Being held to ransomware

Imagine a pop-up message announcing “Your files are encrypted. To get the key to decrypt your files you have to pay $5000 USD.”

You learn that if you fail to pay within a week, the ransom will double and your decryption key will be destroyed. Any chance of accessing 15 years of client files and all the data assets held on your business server would be lost forever.

It’s every business’ worst nightmare. But this wouldn’t happen in New Zealand – would it? Actually, it would and this is what happened to Mike* who runs a Management Consulting company in Wellington.

We talked to Mike to hear his story:

“It started as an ordinary Sunday. But then an employee rang saying he couldn’t get access to a file he needed for a client presentation first thing Monday. I logged in remotely to find our business server was being held to ransom,” remembers Mike.

Their specialist IT company confirmed that all files on the server had been encrypted, but not any of their desktops or laptops.

“The big issue,” said Mike, “was that 15 years of client work files were on that server and we rely on those files for all our future work.”

“I rang my business partner and said it was the second worst thing that could ever happen to us, the first being having the building collapse.”

Fortunately Mike’s company had daily back-ups, as well as a duplicate drive and shadow copies of most of the files. The IT company was able to restore all but a few of the business files.

“But it still took three days. We were finally back up and running by Thursday morning.”

However, there was an auxiliary drive on the server, which held about a terabyte of personal files – mainly photos and videos of one of the business partners. It was on a different backup cycle – a weekly destructive backup on a Sunday night.

The business partner decided he wanted to pay the ransom to get his files back, but the ransom had increased to $5000, which they decided was cost prohibitive.

By piecing together duplicates saved elsewhere, they recovered 90% of the photos, but only 50% of the videos.

How did this happen?

An investigation revealed that a cyber attacker had logged in remotely to the server by accessing Mike’s account and password.

“It turns out it was a brute-force attack with multiple attempts to crack the password. They (the hackers) got dumb lucky. It was because my password was my name with a number.”

“I’m reasonably tech-savvy so the reason it was a dumb password was because I had to send my password to IT one day and just changed it to a temporary one. My desktop has fingerprint recognition so hadn’t got around to changing it back because I don’t think about entering the password every day.”

Key lessons

Mike is philosophical about the learnings and lessons. “Every business has its setbacks to get through, and this was one of ours. But it was a bit of a wake-up call as well. We’re definitely thinking about moving our files to the cloud after this.”
Here’s what Mike’s company learned:

Don’t let staff use their name and a number for a password.
Restrict access to change information on business servers to those who really need it.
Use layers for back-ups and keep to a regular schedule.
Have other-site or cloud-based backups for personal folders.
Occasionally undertake a cybersecurity audit to discover weaknesses.

For any entrepreneur or small business, cybersecurity is a necessary part of doing business these days. But with an increase in email hacks, data breaches and ransomware, how secure is your business?

*Mike’s name has been changed.