Ransomware. That’s that thing that happens to careless computer users, the ones who are careless with their data, the websites they visit or the USB devices they plug into their machine, but I’m a techie and I’m really careful so it'll never happen to me, right? That’s what I used to think. With two decades in data protection I believed I was untouchable until one eye-opening morning around two years ago.
I was working from home that day, a leisurely start to the day, but breakfast was disturbed by an unusually early phone call. "The website has gone weird, bits of it are all in Chinese," said the concerned end user. It seemed really odd and isolated, so I started to take a casual look over it with my morning cup of tea. The laptop seemed a bit slow, but I got on and started looking.
I admin this site frequently, and had a mapped drive to it, so I hopped on effortlessly to take a look. Sure enough, it seemed the HTML files were all garbage. The Chinese language that the user reported was in fact binary characters, and at first glance it looked corrupted. This is all on a RAID 6 SAN with loads of protection, so it couldn't be corruption, could it? I tried another web page, and another, and another and wow, we have loads of issues, but then some files seemed okay. I put the cup of tea down, as it seems it’s a two-handed job to see what’s going on.
The corruption seemed hit and miss. Some files were corrupt, some not, but files were either entirely corrupt or not at all. In fact, it seems file extension specific. Confused doesn’t come close. I check my emails, all running off a server on the same SAN and all is well, as are the SQL databases. My laptop still seems sluggish, but that’s so unimportant compared to this priority one issue right now.
I have some backup folders on my laptop of the website data, so I'm happy the SAN is OK now; I'll just copy the backup files across and all will be well. I'll work out the root cause when service is back up and running. I copy them across and check it's fine before finishing off my cuppa. But it’s still corrupt. What? I check the source files on my laptop and they’re garbage too. How is that even possible?
I browse into the folders and start to look around. Things start to become clearer... a whole lot clearer. In every folder of the website I find a readme file advising me that I'm the victim of ransomware and my files have all been encrypted with AES 2048-bit encryption, and unless I pay up for them to decode them they're junk. Really? Nah.
It doesn’t seem real. I check my documents, my desktop, my network shares, video files, photo files, scanned images, company accounts, my kids’ birthday party photos from last week. You name it, it’s been working its way through the lot. My heart sank. I pick up the cup of tea and slurp it down trying to comprehend how someone else has been in my computer, accessing everything I have and then it dawns on me that the CPU usage on my sluggish laptop, the whirring CPU fan, it’s still busy encrypting things!
I yank out the network cable, turn off the WiFi and sit and watch as the CPU eventually comes to idle. Unable to access any more data to munch through, it had been there silently manipulating data whilst I slept, an intruder in the house.
Fortunately for me, I had backups, offsite and completely separate from my day to day systems. The laptop was powered off and flattened, re-installed from scratch and the clean backups were restored on it.
I was one of the very lucky ones.
From a technical angle, the ransomware was slick and well coded. These guys are motivated and talented. They got in (I still don't know how) and silently and efficiently started encrypting the data that was most important to me. It skipped all the generic operating system and application files, leaving your computer running normally for as long as possible, targeting documents, photos and programming files: small files, huge value, quick encryption. It didn't just do local drives, it scanned mapped network drives too. It did everything possible to tempt you to pay the ransom to get your data back, if indeed they would honour this after payment. Forget replication and failover, these encrypted files would have wiped over the replica site data well before anyone noticed.
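The behaviour described above (whole files turned into "binary characters", only certain extensions hit, a ransom note dropped in every folder) is exactly what a defender can check for on a share. The following is an added example, not code from the original post: it builds a small constructed directory tree, then flags high-entropy files of watched extensions and counts folders carrying a note. The extension list and note-name hints are assumptions, not anything the post names.

```python
import math
import os
import random
import tempfile
from collections import Counter

# Assumed: extensions of the kind the post says were targeted (web, document, photo files).
WATCHED = {".html", ".htm", ".doc", ".docx", ".jpg", ".png", ".php", ".js"}
# Assumed: substrings commonly seen in ransom-note filenames.
NOTE_HINTS = ("readme", "decrypt", "how_to")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Plaintext HTML sits around 4-6; encrypted output approaches 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_tree(root: str, threshold: float = 7.5):
    """Return (suspect_files, dirs_with_note, dir_count) for the tree under root."""
    suspects, note_dirs, dir_count = [], 0, 0
    for dirpath, _dirs, files in os.walk(root):
        dir_count += 1
        if any(h in f.lower() for f in files for h in NOTE_HINTS):
            note_dirs += 1
        for f in files:
            if os.path.splitext(f)[1].lower() in WATCHED:
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # the first 4 KiB is enough to judge entropy
                if shannon_entropy(head) > threshold:
                    suspects.append(os.path.relpath(path, root))
    return suspects, note_dirs, dir_count

def build_sample_tree() -> str:
    """Constructed sample: one clean HTML file, one 'encrypted' one, a note in every folder."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "css"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body><h1>Welcome</h1><p>Hello world</p></body></html>\n" * 20)
    with open(os.path.join(root, "about.html"), "wb") as fh:
        fh.write(random.Random(1).randbytes(4096))  # stands in for ciphertext
    for d in ("", "css"):
        with open(os.path.join(root, d, "README_DECRYPT.txt"), "w") as fh:
            fh.write("your files have been encrypted\n")
    return root

if __name__ == "__main__":
    suspects, note_dirs, dirs = scan_tree(build_sample_tree())
    print(f"high-entropy files: {suspects}; notes in {note_dirs}/{dirs} folders")
```

A note in every folder plus watched-extension files scoring near 8 bits per byte is the pattern worth alerting on; a single high-entropy file on its own is often just a compressed or already-encrypted document.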
Backups used to be about natural disasters, theft or human error, none of which, thankfully, I've ever suffered. Today, however, it’s much more than that. You have to expect the unexpected and take measures to protect your data against it.