01293 415000 sales@efrontline.com

45A customer’s server was completely destroyed and the business brought to its knees when a hacker managed to break the server’s login security and log in. When you read the story, you’ll understand that the servers login security wasn’t really broken – it was just a hacker trying out his luck with a number of predictable passwords that let him in.

Ransomware Server Encrypted 1

The business was completely paralysed with management frantically trying to work out what had happened to the familiar document names and folders that they had expected to see on the server. Imagine having all of your staff at work, but none of them able to carry out their duties because the computer systems are down. There’s only so much tidying up you can do.

When we joined the party, we established that the whole disc drive that stored the company’s vital data and database driven application were encrypted. It was a matter of finding the demand email/ information from the hackers to see how we could move forward. The “ransom note” turned out to be in the account that the hackers had originally used to gain access and once we found this we understood how they had managed to get in. The username on this account was “Steve” and the password was “12345” – imagine that! Steve had granted himself full administration rights on the server (after all it was his server, right..) and he had allowed himself remote login capability. So Steve (name changed to keep our client’s identity anonymous but the password was in fact “12345”) was contemplating how they were going to build their data again. He had rationalised in his head that some of the documents that they had on the server were not that important and others that they use frequently would just have to be recreated. I pointed out that this would be very time consuming and a huge drain of resource on the company’s staff.

To prove that the Hackers did really have the tools to unencrypt the data, they offered to unencrypt 3 files of our choice. Steve identified 3 files which he really needed and within a few minutes of sending them, he had them back, unencrypted and in the usable format.

The hackers demand was for 2 Bitcoins to give us the software to unencrypt all of the data. Now here’s the dilemma: do you trust someone who has been malicious enough to encrypt your data with your hard earned money? Would they really honour their promise to give us the un-encryption tools? And paying them just allows them to carry on with their criminal activity which is “kinda encouraging” them. On the other hand, if they deliver the software it could save the company hundreds of hours and potentially the business. We didn’t want to give in to the hackers but there was a compelling reason to do it – to save the business thousands of pounds.

We made a calculated decision that under the circumstances, we were going to pay them; there was a risk that we’d lose the ransom money as well but we saw no reason why the hackers wouldn’t give us the software as they clearly had it. But the “value” of the data we could potentially recover was worth it and we could draw a line under it and move on.

After we paid them, they did indeed give us the unencryption software and it worked on every single file, except for a couple of files which weren’t that significant.

Overall, a good result for the business immediately and also going forward but a really bad way to learn this important lesson. The password policy is now strictly enforced and internet access to servers is now disabled.

Steve put it down to a stupid mistake – one which he promised me he would never repeat. When we setup the new server, I made sure that the system would ask them for secure passwords and I told Steve not to override that setting!

So to summarize, having a bad password did cost Steve exactly £1921.10 because that was the value of 2 bitcoins. And Steve, nearly lost his business. My suggestion to you is to make sure that you have secure passwords and to avoid the simple passwords like “12345”, “password” and “letmein”. You should also avoid using common names like Steve, Andy, Paul, Lisa, Angela, Debbie etc as these are the first to be tried.