It's 17:00 on a normal working Thursday and our office staff are at work as usual on their PCs and servers. It is almost the end of the day and everyone is in a good mood, also because one of our colleagues has just returned from a business trip abroad and has brought a little gastronomic gift for everyone. In short, the atmosphere in the office is truly relaxed and serene.

Then, out of the blue, the antivirus alarm goes off on two PCs. Before we even have time to look at what is happening, PDF, XLS, Word and PPT files have become… MP3s: encrypted, with no possibility of recovery!

CRYPTOLOCKER

What to do?

The answer is suggested by a black screen: "Either you hope for a miracle and you will see the price double, or start getting bitcoins…"

These are the instructions that the "gentlemen thugs" (hackers?) left in our system after rendering part of the files on our servers unusable (yes, not even usable as MP3s!).

Well yes, it happened to us too: we were victims of the notorious ransomware Cryptolocker and fortunately (but we'll see that it's not just luck) we came out of it well. Many companies have been, and unfortunately many more will be, hit by this malware and brought to their knees by the criminals' financial demands, with no certainty of seeing their systems restored or that no data has been stolen, not even by paying the "ransom".

Catching malware today is as easy as catching the flu (maybe easier). What makes the difference is how ready you are for such an event.

What happened?

Two McAfee scans going off simultaneously raised the alarm; it took only the time needed to try to open a couple of files on the server to realize we were facing the dreaded CRYPTOLOCKER.

In one particular area of one of our servers the outbreak was practically immediate: every file was rendered unusable and had its extension changed.

At first it was difficult to define the damage caused.

The VIRUS in question changes from day to day, and so do the antiviruses, which MUST be kept constantly updated: for us this happens frequently and automatically. The entry point was probably a device whose antivirus had not received the latest updates for a few days, because its owner was away on a business trip.

As soon as the infected PC was plugged into the company network, the malware moved to the server and, more importantly, the process became bidirectional: anyone who tried to access files on the server, or already had some open, was attacked too.

The threat revealed itself inside a folder holding several virtual machines (the first to be attacked), where we also found the JPG image with the instructions to "pay the ransom".
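A defender's check for the symptom described above (documents on a share renamed to a foreign extension, with a note dropped in the same folder), as an added example that is not part of the original post; the file listing, the extension list, the note keywords and the threshold are constructed assumptions:

```python
from pathlib import PurePosixPath

# Constructed sample listing of a file server, assumed to have been taken right
# after the outbreak: documents renamed to .mp3 plus the ransom-note image.
SAMPLE_LISTING = [
    "vm/archive/Q3_report.xlsx.mp3",
    "vm/archive/offer_2016.docx.mp3",
    "vm/archive/contract.pdf.mp3",
    "vm/archive/roadmap.pptx.mp3",
    "vm/archive/DECRYPT_INSTRUCTIONS.jpg",
    "shared/hr/policy.pdf",
    "shared/hr/holidays.xlsx",
    "shared/hr/team_photo.jpg",
]

DOC_EXTS = {".pdf", ".xls", ".xlsx", ".doc", ".docx", ".ppt", ".pptx"}
NOTE_WORDS = ("decrypt", "ransom")  # assumed keywords for a dropped ransom note

def is_renamed_document(name):
    """True for names like report.pdf.mp3: a document type hidden behind a foreign suffix."""
    suffixes = PurePosixPath(name).suffixes
    return (len(suffixes) >= 2 and suffixes[-2].lower() in DOC_EXTS
            and suffixes[-1].lower() not in DOC_EXTS)

def looks_like_ransom_note(name):
    stem = PurePosixPath(name).stem.lower()
    return any(word in stem for word in NOTE_WORDS)

def scan_listing(paths, threshold=0.5):
    """Per folder: count renamed documents and notes; flag the folder as suspicious
    when a note is present or at least `threshold` of its files were renamed."""
    per_folder = {}
    for path in paths:
        folder = str(PurePosixPath(path).parent)
        stats = per_folder.setdefault(folder, {"renamed": 0, "total": 0, "note": False})
        stats["total"] += 1
        if is_renamed_document(path):
            stats["renamed"] += 1
        if looks_like_ransom_note(path):
            stats["note"] = True
    for stats in per_folder.values():
        ratio = stats["renamed"] / stats["total"]
        stats["suspicious"] = stats["note"] or ratio >= threshold
    return per_folder

if __name__ == "__main__":
    for folder, s in scan_listing(SAMPLE_LISTING).items():
        print(f"{folder}: {s['renamed']}/{s['total']} renamed, note={s['note']}, "
              f"suspicious={s['suspicious']}")
```

On a real share the same `scan_listing` can be fed the paths collected with `os.walk` and run on a schedule, so a sudden jump in the renamed ratio for a folder becomes an alert rather than something noticed by a user trying to open a file.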

What did we do right away?

The only thing that can be done – and we did it immediately – is to disconnect every PC from the network, to stop the virus spreading to the individual workstations; the problem obviously remains (and is more serious on the servers), but at least the personal devices, and above all the data residing on them, are preserved.

Acting promptly also prevented the malware from possibly being passed on through emails or file exchanges with colleagues or customers.

Another very important thing to do as soon as possible is to file a report with the cyber police: unfortunately, today this is a pure formality, and the chances of seeing the culprits punished are practically nil.

Why report it, then? Simple: to get to know the enemy better, to bring the new attack methods to the attention of the police, and for many other reasons, but above all out of civic duty.

In Italy, the legislation obliging companies to report these incidents is still immature, and many tend to "bury their heads in the sand" as if nothing had happened: they fear bad publicity and damage to the corporate image, without realizing that in doing so they only harm society.

How is it possible that one of the countries with the highest number of infected PCs has a practically negligible number of reports? As long as we pretend nothing happened, it will be impossible to raise awareness of the subject, and Italy will forever lag behind on it.

Why we did not suffer irreparable damage

The question is no longer "how do I defend myself from this kind of attack?" but "how do I get back on my feet as quickly as possible?": let's not ask ourselves when we will be attacked, because sooner or later we will be (if we haven't been already), but think ahead, so as to reduce system recovery times and monitor incoming and outgoing traffic, to make sure we suffer no data loss or other nasty surprises in the future.

A security and vulnerability assessment (possibly with penetration tests, both internal and external) carried out periodically can give us the pulse of the situation and tell us whether the protections and countermeasures we have chosen to implement are effective, and, in the review phase, let us evaluate even more up-to-date and powerful ones.

The use of the Cloud was essential in this case to preserve our assets: constant backups, both on site and in the cloud, allowed us to delete all the infected folders on the server entirely and replace them with the last "clean" backup, with very limited data loss.

Furthermore, our network infrastructure is equipped with technologies and devices whose task is to monitor incoming and outgoing traffic, reporting any anomalies and making remote access more secure, both for our technicians and for our colleagues in the commercial department.