Anatomy of a Ransomware Attack

Lately we have had the opportunity to see inside some ransomware attacks and what the cost has been to businesses.  For example, I wrote about the Petya malware and what it did to the shipping giant Maersk and the law firm giant DLA Piper.

Now we get to find out what happened inside a different ransomware attack at KQED TV and Radio in San Francisco.

As you will see, the impact to this organization has been profound and is still not over.  They have chosen to make a number of security changes – after the horses are out of the barn and the barn has burned to the ground.  Probably not the best strategy, but better late than never.

The value in reading about their misery is to learn from their experience – so that you don’t have to repeat it.  Here goes:

On June 15th, more than a month ago, KQED was hit with a ransomware attack.  After consulting with the FBI, they decided not to pay the ransom.  They have been – slowly – rebuilding their entire infrastructure, piece by piece and it is not done yet.

Now was the time to roll out the Incident Response Program, their Disaster Recovery program and their Business Continuity program.  Oh, wait, they didn’t have any of those.

Other than their Internet stream being down for half a day, they have not lost any broadcast time.  The pain, however, has been non-stop.

One of their reporters said it was like being bombed back 20 years, technology wise.

The article says that they had up to date security systems – whatever that means – and that they reported about cyberattacks frequently and still got hacked.  It is important to understand what their definition of up to date security systems actually means, and reporting about cyber attacks as a concept is very different than practicing what you preach, as you will see below.  Still, there is some validity to the point.  Everyone has to up their game if they want to stay safe.

Having Incident Response, Disaster Recovery and Business Continuity programs would be a good start.

After the attack, email was down and so were all network connected devices.  Wireless was down for several days and email was down for two weeks.  What would that do to your company?

The day after the attack, reporters had to show up at 5 AM to redo a broadcast that had been recorded earlier, but lost in the attack.

For two weeks they had to record broadcasts at the University of California Hastings since their studio wasn’t operational.  At least they were still able to broadcast.

Even now, scripts are printed out on an old ink jet printer and placed in a box in the studio so that everyone can find them.

Timing of segments is not done by computer any more – now they are using a stopwatch.

Even getting in and out of the building was a challenge since the badge system was not working.

At the time, every computer was on the same network.  Now they are segmenting computers so that attacks that take out reporters’ laptops cannot take out the studio.  That is considered normal best practice, but they were not doing it before the attack.

Just to be clear, no one thinks KQED was targeted.  It was, as the cops say, a crime of opportunity.  A crime which the employees, a month later, are still dealing with.

On the other hand, the staffers have gotten very creative.

Translate this to your company – think about what you would do if this was you rather than KQED.

Information for this post came from the San Francisco Chronicle.