600 Minutes of C.S.I. (Cyber Scene Investigation): An Hour-by-hour Account of a Ransomware Attack

February 12, 2018

Blog, Safety

The story you are about to read is a fictional account of a real ransomware attack!

Hour One: It’s a bitter cold day in Hrodna, Belarus. The hacking crew that has branded itself the “Jigsaw Gang” has gathered to plan a new malware campaign. Always trying to stay one step ahead of Europol, the European Union’s police agency, Jigsaw has ramped up its efforts to include new, as yet undetected malware and ransomware. Today’s project is a full-scale attack on employees in the United States. Their goal is $500,000 in Bitcoin, and they plan to raise that money within the next 10 hours.

Hour Two: The gang’s marketing and design experts craft an email along with a full-color invoice that appears to come from a U.S. fabric manufacturer. The email is short and directs the user to “Click on the attachment”, and also informs the employee that “the balance is 30 Days Past Due”. Several members of the Belarus team who are well-schooled in English check both the email and the invoice for grammar, American word usage and spelling. Other members of the team scour the dark web to purchase stolen email lists of US office workers. At 1:45 AM, the team launches the attack. It’s early morning in the United States, and employees will be arriving at their workstations and opening their email for the next three hours.
Hour Three: The customer support team (many of the larger gangs employ agents who help ransomware victims buy bitcoins and unlock their files once payment has been received) is notified that a large email blast is going out to approximately 325,000 clothing, shoe and apparel store employees across the United States. The trap has been set. The Jigsaw gang monitors their screens and waits.
Hour Four: At 9:00 AM, April Horton arrives at her job in the accounts payable office of “Venice Vintage T-Shirts”, an online and brick-and-mortar clothing retailer. She opens her email and finds an invoice to be paid. She opens the attachment and sends it to her printer. The file, however, isn’t a real PDF: it is an executable dressed up with a PDF icon, and its name appears to end in “.pdf” only because Windows hides the real extension by default. She prints the bogus invoice and works through the rest of her email. After two minutes, she notices a large text box in the background of her monitor.
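The attachment April opens is the whole story: a file that claims to be a PDF but is not. The check below is an added example, not code from the original post or from any vendor; it shows what a mail gateway or help desk script can do in a few lines, which is compare the name an attachment claims with the bytes it actually carries. The file names, byte samples and the list of flagged extensions are constructed for illustration.

```python
"""Spot an 'invoice' attachment whose name says PDF but whose bytes say otherwise.

Added example (not from the original post). File names, sample bytes and
the extension lists are constructed for illustration.
"""
import re

# Leading bytes ("magic") of the formats this check cares about.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "exe",          # Windows PE executable
    b"PK\x03\x04": "zip",  # ZIP archive (CryptoLocker mails carried an .exe inside one)
}

# Extensions Windows will run when double-clicked (illustrative, not exhaustive).
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf", "hta", "lnk"}
# Harmless-looking extensions an attacker likes to show in front of the real one.
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

# Constructed samples: a minimal PDF header and a PE (MZ) header.
PDF_SAMPLE = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
EXE_SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"


def sniff(data: bytes) -> str:
    """Return the format implied by the first bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def split_name(name: str):
    """Return (real extension, extension shown before it) in lowercase.

    For 'Invoice.pdf.exe' the real extension is 'exe'; with 'hide extensions
    for known file types' on, the user only sees 'Invoice.pdf'.
    """
    parts = name.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    shown_ext = parts[-2] if len(parts) > 2 else ""
    return real_ext, shown_ext


def assess(name: str, data: bytes) -> list:
    """Return a list of reasons to distrust the attachment; empty means no finding."""
    reasons = []
    real_ext, shown_ext = split_name(name)
    kind = sniff(data)
    if real_ext in EXECUTABLE_EXT:
        reasons.append("executable extension")
    if real_ext in EXECUTABLE_EXT and shown_ext in DOCUMENT_EXT:
        reasons.append("double extension disguises executable as document")
    if real_ext == "pdf" and kind != "pdf":
        reasons.append("content does not match .pdf extension")
    if kind == "exe":
        reasons.append("executable content")
    if "\u202e" in name:  # right-to-left override reverses the displayed tail of the name
        reasons.append("right-to-left override in file name")
    if re.search(r"\s{4,}\.", name):  # long runs of spaces push the real extension out of view
        reasons.append("whitespace padding hides real extension")
    if real_ext == "zip":
        reasons.append("archive: unpack and re-check each member")
    return reasons


if __name__ == "__main__":
    for name, data in [
        ("Invoice_4417.pdf", PDF_SAMPLE),      # genuine PDF, no findings
        ("Invoice_4417.pdf.exe", EXE_SAMPLE),  # the attachment in the story
        ("Invoice_4417.pdf", EXE_SAMPLE),      # renamed executable
        ("Invoice\u202efdp.exe", EXE_SAMPLE),  # displays as 'Invoiceexe.pdf'
    ]:
        print(repr(name), "->", assess(name, data) or "clean")
```

The magic-byte comparison is the part worth keeping even if the extension rules go stale: an executable starts with `MZ` no matter what it is called, so a gateway that sniffs content rather than trusting the name would have quarantined April's invoice before it reached her.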
Hour Five: The CryptoLocker malware races through her computer and then across every network share and file server it can reach. The infected machine calls home to the gang’s server in Belarus to register itself, and the server generates a key pair for this victim. The public key is sent down to the infected machine; the private key needed to decrypt never leaves the criminals’ server. With the keys in place, the ransomware begins encrypting every file it finds, from business plan documents to JPG catalog images to sales spreadsheets.
Hour Six: The ransomware is now established on the business’s servers and on every laptop and PC in the building, and the shared folders those machines map have been encrypted along with them. On each infected machine it adds a Run key to the Windows Registry so that the ransom note launches every time anyone reboots.
Hour Seven: April and sixty-three other employees at Venice Vintage T-Shirts are now staring at the extortion message on their computer screens. A ticking clock shows the time left until their files are permanently erased, alongside the price of the decryption key that unlocks them. The typical price is $500 to $1,000 and must be paid in Bitcoin or another cryptocurrency that is hard to trace. There is, however, a helpful customer service email address prominently displayed for anyone who needs assistance securing the money and paying the ransom.
Hour Eight: Both members of the business’s IT team rush to power down the file servers and run anti-virus software on each employee’s computer. Unfortunately, it’s too late; the malware has already encrypted the files throughout the system and registered each computer with the Jigsaw Gang’s servers.
Hour Nine: With their website down and their customer service agents unable to pull up client information or inventory, or to handle credit card and other payments, Venice Vintage T-Shirts and the third-party websites that run co-branded online stores with the company are forced to place a “Temporarily Closed” message on their sites and telephone systems.
Hour Ten: Disgruntled customers, vendors and retailers are calling; cash flow has stopped; employees sit idle at their desks; and browsing customers, now unable to reach the Vintage T-Shirt sites, are finding other places to shop. The management team contacts the Jigsaw customer service team by email from their cell phones and attempts to navigate the unfamiliar world of Bitcoin payments, ransom negotiation and the dark web.

On this day, 674 employees across the United States opened the email, clicked on the bogus PDF and watched helplessly as their businesses ground to a halt. The Jigsaw Gang earned an average of $750 per victim and collected $505,000 in hard-to-trace cryptocurrency.

Cyber security is often overlooked by business owners. But in today’s digital world, cyber attacks pose one of the most serious threats to the health of your business. Take action by protecting your business and your customers from the very real threat of a ransomware attack.

Cyber liability insurance can cover a variety of both liability and property losses. The threat landscape is changing at a rapid rate. Fortunately, Mountaineer Insurance Services cyber risk policy options are expanding as well. We also offer security training and encourage our clients to carry out “penetration tests” that use social engineering techniques, such as simulated phishing emails, to train their employees and uncover vulnerabilities in their infrastructure.

Visit any one of our six locations in east central West Virginia or email us to make an appointment.