Tuesday, October 1, 2013

We Don't Negotiate with Terrorists

The timing was ironic.  Last night I was at the office when the date changed to October 1, 2013, the beginning of National Cyber Security Awareness Month.  I was at the office because a user had installed the CryptoLocker ransomware on their machine.  This particularly nasty and ingenious piece of software encrypts all of the Word, Excel, PDF, and image files it can find on local and network drives.  It then taunts you with the ransom, $300, to get all of your documents decrypted.

The user had opened an innocent-looking email with a zip attachment.  Inside that zip attachment was an executable file designed as a major money maker for these criminals.  It was a spear phishing attack and it worked.

I first found out about the issue at around 10:30 p.m. when my phone started buzzing the buzz of numerous emails arriving.  I was shocked when that number showed 160+ unread emails and it was climbing quickly.  The emails were from the antivirus agent installed on that machine sending out alerts that something malicious was being blocked.  So I logged onto that machine and saw the CryptoLocker window along with a note that all files are encrypted.  The threat had managed to get through our email filter, and our up-to-date antivirus agent was helpless to stop it.

I immediately turned off the machine and drove in to work to fix whatever damage it had caused.  I restored the network files that had been encrypted, but the local files were unrecoverable.  We restored the machine from our image and the user lost a day’s work.  Paying the $300 was never an option; we don’t negotiate with terrorists.

We have done some phishing attack training with our users, but that didn't stop this attack.  I sent out an email to all users late last night telling them to be alert and think before opening email attachments or clicking on email links.  I included a link to the July 2013 OUCH! newsletter from SANS that talked about spear phishing.  I think the message was heard loud and clear because it hit close to home.  It was also a good reminder that I need to do a better job protecting our network.  When attacks like this materialize, you go through the steps you could take to prevent it from happening again in the future.


National Cyber Security month gives you an excellent platform to push for more security and training for your users.  These threats are real and they can happen to you.
