Just when we thought the tide of ransomware attacks was ebbing, we have seen a spike in attacks recently. In the past month, we were contacted by three companies seeking help in addressing ransomware attacks. In keeping with our policy of only working with clients that have existing support agreements, we politely declined to support them.
Ransomware attacks are a nightmare not only for our clients, but for our technical staff as well. Today’s attacks encrypt much more than a company’s data: they also encrypt configuration files and attack the security system. The criminals are smart. They kick off the encryption process after business hours, most commonly on the weekends, so the encryption process goes unnoticed until it has completely messed things up. The net effect of these attacks is to turn computers and servers into zombie billboards flashing the criminal’s demand for payment.
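The after-hours timing described above is something a defender can turn into a detection: a single account modifying a large number of files within a minute is unusual at any time, and far more so at 02:00 on a Saturday. The script below is an added example, not code from the original post or its authors. It assumes a simple constructed audit-log format of `<ISO timestamp> <account> <action> <path>`, and the business-hours window, the 60-second sliding window and the 50-event threshold are hypothetical tuning values that would need adjusting for a real environment.

```python
"""Added example: flag bursts of file modifications and escalate those outside business hours."""
from collections import deque
from datetime import datetime, time, timedelta

# Hypothetical tuning values (assumptions, not figures from the original post).
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
WINDOW = timedelta(seconds=60)  # sliding window per account
THRESHOLD = 50                  # MODIFY events within WINDOW that count as a burst


def is_after_hours(ts: datetime) -> bool:
    """Weekends, and anything outside 08:00-18:00 on weekdays, count as after hours."""
    if ts.weekday() >= 5:  # Saturday=5, Sunday=6
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def parse_event(line: str):
    """Parse '<ISO timestamp> <account> <action> <path>' (constructed log format)."""
    ts, account, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), account, action, path


def detect_bursts(lines):
    """Return one alert per burst: {account, start, count, severity}.

    Events are sorted by time first, so input order does not matter. An account
    that keeps modifying files above THRESHOLD raises one alert per burst, not
    one per event; the alert is 'high' when the burst begins after hours.
    """
    events = sorted(parse_event(line) for line in lines if line.strip())
    windows = {}       # account -> deque of timestamps inside the current WINDOW
    in_burst = set()   # accounts for which an alert has already been raised
    alerts = []
    for ts, account, action, _path in events:
        if action != "MODIFY":
            continue
        q = windows.setdefault(account, deque())
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= THRESHOLD:
            if account not in in_burst:
                in_burst.add(account)
                alerts.append({
                    "account": account,
                    "start": q[0],
                    "count": len(q),
                    "severity": "high" if is_after_hours(q[0]) else "medium",
                })
        else:
            in_burst.discard(account)
    return alerts


def build_sample_events():
    """Constructed sample: normal edits, a weekday daytime burst, and a Saturday 02:13 burst.

    2024-03-15 is a Friday; 2024-03-16 is a Saturday.
    """
    events = [
        "2024-03-15T14:02:11 alice MODIFY /shares/finance/q1.xlsx",
        "2024-03-15T14:05:40 alice MODIFY /shares/finance/q1-notes.docx",
        "2024-03-15T14:06:02 alice READ /shares/finance/budget.xlsx",
    ]
    # A large scripted daytime job: a burst, but during business hours -> medium.
    day_start = datetime(2024, 3, 15, 10, 0, 0)
    for i in range(60):
        ts = day_start + timedelta(milliseconds=500 * i)
        events.append(f"{ts.isoformat()} bob MODIFY /shares/eng/build{i:03d}.log")
    # Weekend, small hours, one account touching the whole share -> high.
    night_start = datetime(2024, 3, 16, 2, 13, 0)
    for i in range(80):
        ts = night_start + timedelta(milliseconds=400 * i)
        events.append(f"{ts.isoformat()} svc_share MODIFY /shares/hr/doc{i:03d}.docx")
    return events


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_events()):
        print(f"{alert['severity']:6} {alert['account']:10} "
              f"{alert['count']} modifications from {alert['start'].isoformat()}")
```

Run against the constructed sample, the daytime job by `bob` is reported as medium and the Saturday-night burst by `svc_share` as high; the same rule applied to real file-server audit logs is what lets an after-hours encryption run be noticed before Monday morning rather than after.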
If you're hit with a crypto-locker attack, there are only three options: pay the ransom, recover from backups, or reinstall everything from scratch and start over. Recent ransom requests we have heard about range from about $1,000 to $12,000. If you don’t have good backups and have to take the ransom option, the steps to recovery include:
After deciding to pay the ransom, the typical time to being functional is approximately 7 business days. By working nights and weekends, that cycle time may be reduced by about one day during the decryption process. Unfortunately, the time it takes to find out the ransom amount, get the bitcoin, pay the ransom and get the decryption keys will run at least 3 business days, and perhaps as much as a week depending on where you purchase the bitcoin. We use Coinbase to purchase bitcoin on behalf of our clients. Coinbase acts like a bank that maintains a currency (bitcoin) exchange market. In order to initiate a transaction, I have to transfer funds to the Coinbase account. This banking transaction takes from 24 to 48 hours to post to the Coinbase account. Once the funds are confirmed in the Coinbase account, we can initiate a bitcoin purchase. That transaction takes 24 hours to post. Once we own the bitcoin, we can transfer it to the criminal’s account. That posting takes an additional 24 hours for the transfer to be acknowledged by the criminal. After the criminal acknowledges receipt of the ransom, the decryption key and software are on the way.
Decrypting the files is tricky business. The tools the criminals provide are crude and require manual control to pick which folders and files to clean up. Because of the simple, crude nature of the tools, decrypting a file server completely can take several days. The reason they encrypt the files overnight or on the weekend is that the encryption process takes time, so the decryption process will take time too. The amount of technical support time needed for resolving a crypto-locker virus ranges from 16 to 40 hours.
If you are fortunate enough to have good backups, a recovery from local backups can be completed in 4 to 8 hours, meaning a business will be offline for about a day after a crypto-locker attack is discovered. If the local backup is compromised or non-existent, a cloud recovery could take up to a week depending on the restoration process and the volume of data. The amount of technical support time needed for resolving a crypto-locker virus by recovering from backups ranges from 8 to 16 hours depending on the backups and backup location.
With the long recovery times, the biggest expense with a crypto-locker virus isn’t the ransom or the technical support costs, but rather the lost staff time from the inability to access systems.