Saturday, Dec. 8, 2018 is part of the week that some employees at Alexandria Industries call “hell week.”
At 6:30 a.m. that day, a meeting was going on when one of the company leaders got a strange message about actress Emma Stone on the computer. Leah Lindgren, the company's IT systems administrator, saw it when a photo of the message was sent to IT.
“I thought it was just a junk email,” she said.
That message proved much more serious. By 8 a.m., the entire system was encrypted on every computer from a ransomware attack, which eventually cost the company six figures to repair.
Ransomware is a type of malicious software that blocks access to a computer until a sum of money is paid. Because the attack is criminal, data restoration is not guaranteed even if the victim pays within the time frame given. In the first six months of 2018, 181.5 million ransomware attacks hit businesses and individuals, according to a 2018 SonicWall Cyber Threat Report.
In this particular case last December, a forensic company let Alexandria Industries know how it was attacked and that none of its data was actually taken, but each of its 400 computers nationwide had to be reloaded and new software reinstalled.
“The situation was definitely eye-opening, but it wasn’t as bad as it could have been because we have a talented team of IT people who put robust systems in place to help protect us and our customers,” said Steve Schabel, chief sales and marketing officer at Alexandria Industries. “The impact on our business was minimal, and we were pleased to learn that none of our employee or customer data was accessed.”
Representatives from Alexandria Industries and High Point Networks spoke at Alexandria Technical and Community College’s IT conference on July 31. They shared their story of the outbreak and all they had learned first-hand, and what security features they have put in place to prevent this from happening again. They did not disclose whether the cyber attackers demanded money.
Repairing the damage
Brenda Solum, IT manager for Alexandria Industries, was on vacation last winter when she got a call from Lindgren informing her of the situation.
“By that point in time I think we were both on the verge of crying because it was so drastic. You don’t think about it until you’re in that situation,” Lindgren said.
High Point Networks got involved, because Alexandria Industries’ team couldn’t do it alone, she said.
“Don’t try to be a superhero on your own,” said Shawn Mendel, director of professional services at High Point Networks, which is a partner of Alexandria Industries.
The IT team called in resources from each of the five Alexandria Industries facilities, and had consultants working on site plus vendors working remotely. Ten managers came in, taking themselves out of their normal roles and helping with IT.
“It just was amazing, the teamwork that everybody chipped in,” Solum said.
The first step they took was to shut down the firewalls to keep the ransomware from spreading. Not everyone was in the office that day, and none of the computers that had been powered off got hit.
The next steps were implementing new procedures. The IT team installed new anti-virus software and new email security, among other measures, and the company now disposes of hard drives through a disposal company.
Solum said she worked through the night with a consultant from High Point for two days straight.
High Point Networks’ team of nine people logged more than 150 hours with Alexandria Industries from Dec. 8-19. Mendel was leading that team.
He said the location or size of the company doesn't matter when analyzing a potential security risk. Ransomware attackers only care if the data is valuable to the company it came from.
“No one has immunity,” he said. “If you believe that you have immunity for some reason, of location or what you do, or you don’t think your data’s valuable, that’s a lie.”
Alexandria Industries wasted no time in making sure its computer users were more cyber-aware.
“They say your users are your number one security threat, so we felt strongly enough about that,” Solum said.
They instruct all users to power down their computers before they go home at night. The company has run two phishing tests for all users. A number of employees have also gone through cybersecurity training, and there are plans to make it mandatory for all users.
Costs from this entire ransomware event exceeded $100,000. The company hasn't quantified it, but with everyone's time and energy that went into the project, costs could well total more than $250,000.
“It’s something that you never think could happen, but it will. Just don’t fool yourself,” Lindgren said.
How to secure your own network
Ransomware attackers can get into a system through Remote Desktop Protocol ports left open to the internet. RDP lets a user connect to and control another computer remotely over a network, and Mendel said internet-facing RDP needs to be shut off.
When no one monitors the system, attackers’ failed login attempts can keep occurring until they eventually guess a password.
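The two paragraphs above describe the failure mode (exposed RDP plus unmonitored failed logins) without showing what monitoring would look like. The following is an added example, not code from the article or from High Point Networks, that parses constructed log lines in a simplified Windows Security log style (Event ID 4625 is a failed logon and logon type 10 is a remote interactive, i.e. RDP, session) and flags any source address that produces a burst of failures, possibly across many usernames. The log format, IP addresses and usernames are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real logs). Event ID 4625 = failed logon,
# 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2018-12-08T02:14:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=198.51.100.23
2018-12-08T02:14:03 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=198.51.100.23
2018-12-08T02:14:05 EventID=4625 LogonType=10 TargetUser=admin SourceIP=198.51.100.23
2018-12-08T02:14:07 EventID=4625 LogonType=10 TargetUser=backup SourceIP=198.51.100.23
2018-12-08T02:14:09 EventID=4625 LogonType=10 TargetUser=test SourceIP=198.51.100.23
2018-12-08T02:14:11 EventID=4625 LogonType=10 TargetUser=sqlservice SourceIP=198.51.100.23
2018-12-08T02:30:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=192.0.2.10
2018-12-08T02:31:00 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=192.0.2.10
2018-12-08T07:05:00 EventID=4625 LogonType=10 TargetUser=lleah SourceIP=10.0.0.5
2018-12-08T07:06:00 EventID=4624 LogonType=10 TargetUser=lleah SourceIP=10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Turn the simplified log text into a list of event dicts; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event": int(m["event"]),
            "logon_type": int(m["ltype"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: (total_failures, usernames_tried)} for every source that
    produced at least `threshold` failed RDP logons inside any sliding `window`.
    A single user mistyping a password once or twice never reaches the threshold."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == 4625 and e["logon_type"] == 10:
            by_ip[e["ip"]].append(e)

    hits = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits inside `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = (len(fails), sorted({e["user"] for e in fails}))
                break
    return hits


if __name__ == "__main__":
    for ip, (n, users) in find_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT: {ip} produced {n} failed RDP logons; usernames tried: {', '.join(users)}")
```

Only the 198.51.100.23 source trips the rule: six failures in ten seconds across five different account names, which is the pattern of password guessing rather than a forgotten password. The two ordinary users each fail once and then succeed, and are left alone. In a real deployment the same logic would run over events pulled from the domain controllers or a SIEM rather than an embedded string.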
The most common attack is when a lot of emails are sent out and the attacker hopes someone responds to one of them. The damage can also be done through an attachment of some sort or a link to a website. Other ways attackers can get in include a download, a web server or application, or removable media such as a USB drive or phone charging cable.
It’s important to note what is connected to your network and what software is running or trying to run on your network.
He also said to limit and track users with administrative privileges. Have two separate accounts – one with admin privileges, one without – and only use the elevated account when it’s absolutely necessary, because an attacker who compromises the non-admin account can do a lot less damage.
Frequent vulnerability checks are necessary because things change too fast.
“This is never done. This is a cycle that continues,” Mendel said. “There is no 100% and there never will be.”
It’s important to have as many layers of security as possible.
“You have to be ready. You have to have a mindset that this is going to happen,” Mendel said.
Mendel said testing your backups is important. The ransomware hit all of Alexandria Industries’ backups, but their replications saved them.
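Testing a backup means more than checking that the job reported success; it means restoring and confirming the restored files are the ones you backed up. The following is an added example, not code from the article or from either company, showing one way to do that: record a SHA-256 manifest of the source tree at backup time, then compare a restored tree against it. The demo builds a constructed source tree in a temporary directory, restores it once correctly and once with ransomware-style damage (one file overwritten with random bytes, one renamed with a bogus extension) to show that the check catches both.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root to its SHA-256. Store this manifest
    somewhere the backup job cannot overwrite it (offline or on immutable storage)."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest captured at backup time.
    Returns (ok, problems); problems lists files that are missing or altered."""
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(restored_root, *rel.split("/"))
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            problems.append(f"modified: {rel}")
    return (not problems, problems)


def demo():
    """Run a good restore and a damaged restore against the same manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample data standing in for a production file share.
        source = os.path.join(tmp, "source")
        os.makedirs(os.path.join(source, "orders"))
        with open(os.path.join(source, "orders", "q4.csv"), "w") as f:
            f.write("order,amount\n1001,250.00\n")
        with open(os.path.join(source, "README.txt"), "w") as f:
            f.write("constructed sample data\n")
        manifest = build_manifest(source)

        # Good restore: a byte-identical copy.
        good = os.path.join(tmp, "restore_good")
        shutil.copytree(source, good)
        good_result = verify_restore(manifest, good)

        # Bad restore: the backup itself was hit. One file's contents were
        # replaced (as encryption would), one was renamed with a ".locked" suffix.
        bad = os.path.join(tmp, "restore_bad")
        shutil.copytree(source, bad)
        with open(os.path.join(bad, "orders", "q4.csv"), "wb") as f:
            f.write(os.urandom(32))
        os.rename(os.path.join(bad, "README.txt"), os.path.join(bad, "README.txt.locked"))
        bad_result = verify_restore(manifest, bad)

        return good_result, bad_result


if __name__ == "__main__":
    good, bad = demo()
    print("good restore ok:", good[0])
    print("bad restore ok:", bad[0], "problems:", bad[1])
```

The design point is that the manifest is captured from the live data before the backup runs and kept apart from the backup media, so that a backup set which was encrypted along with everything else (as happened to Alexandria Industries’ backups) fails verification instead of being trusted until the day it is needed.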
It’s also important to check firewall configurations. Plus, businesses shouldn’t only protect from ransomware, they must protect from all sorts of attacks, Mendel said.
Once you’ve been attacked, notify your insurance company and get legal counsel on the issues, he said. Next, make a team of people from your own company and any outside companies, assign tasks and execute them.
Mendel recommended the website haveibeenpwned.com to see if users have been a part of a data breach. He said a lot can be prevented with a policy to change passwords every 60 days or every six months at the latest. One shouldn’t allow browsers to store passwords.
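haveibeenpwned.com also exposes its breached-password corpus in a way that lets an organisation check passwords without sending them anywhere: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the range endpoint (https://api.pwnedpasswords.com/range/<prefix>), and receives every known hash suffix sharing that prefix along with a breach count, then matches the rest of the hash locally. The following is an added example, not code from the article or from Have I Been Pwned, that implements that client side. So that it runs offline, the network call is replaced by a stand-in function that derives its answer from a small constructed corpus with made-up counts; the real service would be queried with an HTTPS GET to the URL above.

```python
import hashlib

# Constructed stand-in corpus: password -> breach count. The counts are invented
# for the example and are not the service's real figures.
FAKE_BREACHED_CORPUS = {
    "password": 1234567,
    "123456": 7654321,
    "Winter2018!": 42,
}


def fake_range_response(prefix):
    """Simulate the Pwned Passwords range endpoint. Returns 'SUFFIX:COUNT' lines for
    every corpus entry whose upper-case SHA-1 hex digest starts with `prefix`."""
    lines = []
    for pw, count in FAKE_BREACHED_CORPUS.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def pwned_count(password, fetch_range=fake_range_response):
    """Return how many times `password` appears in the corpus, or 0 if never.
    Only the 5-character hash prefix is handed to `fetch_range`; the remaining
    35 characters are compared locally, so the password never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


def acceptable_new_password(password, min_length=12, fetch_range=fake_range_response):
    """Policy check for a password change: long enough and not in the breach corpus."""
    if len(password) < min_length:
        return False, "too short"
    n = pwned_count(password, fetch_range)
    if n:
        return False, f"seen in {n} breaches"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["password", "Winter2018!", "correct-horse-plant-2018"]:
        print(pw, "->", acceptable_new_password(pw))
```

To use the real service, pass a `fetch_range` function that performs the HTTPS request and returns the response body; the rest of the code is unchanged. Rejecting breached passwords at change time is what makes a periodic change policy like the one Mendel describes effective, since a rotated password that is already on a breach list buys nothing.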
Use multi-factor authentication, which requires multiple steps to access an account, for everything. Mendel also said to be aware of fake websites that look identical to legitimate ones.
Phishing and spear-phishing are common attacks that can be easy to carry out, but dumpster diving is perhaps the easiest and it still happens. Be careful what you throw away; make sure to shred anything with personal information.