WBA Deals With Ransomware

The LACCD incident excerpted below took place during the same period as WBA's own encounter with ransomware. Taken together, the two are a prime example of why there is no substitute for preparation.

"The Los Angeles Community College District (LACCD) paid a $28,000 ransom in bitcoins to free up the Los Angeles Valley College campus’ network, e-mail, and voicemail systems, which were targeted during a winter break when the campus was closed.

According to a Wednesday statement from an LACCD spokesman, district officials concluded that it was worth it to pay the ransom—in part, because the district has an insurance policy that covers such incidents.

“It was the assessment of our outside cybersecurity experts that making a payment would offer an extremely high probability of restoring access to the affected systems, while failure to pay would virtually guarantee that data would be lost,” LACCD Chancellor Francisco C. Rodriguez said in the statement. “After payment was made, a ‘key’ was delivered to open access to our computer systems. The process to ‘unlock’ hundreds of thousands of files will be a lengthy one, but so far, the key has worked in every attempt that has been made.”"

*Excerpt from http://arstechnica.com/tech-policy/2017/01/la-community-college-paid-28000-to-free-itself-from-ransomware/


Under Locky and Key: A Ransomware Tale from the Trenches
[Reprinted from Issues & Answers; written by Duncan Taylor, WBA Director of Operations]

Locky. It sounds like such an innocuous name for a piece of software, right? Like it should be the old Windows 95 office assistant Clippy’s counterpart – Clippy helps you with documents, Locky helps keep you secure.

Sadly, Locky is anything but benign. In fact, it’s a piece of insidious malicious software known as ransomware. And on December 21, 2016, WBA was struck by it.

It arrived disguised as a shipment update from UPS. Ordinarily, our enterprise-level spam filter would block a message like this, but it happened to be constructed in such a way as to appear legitimate. The user who was targeted had actually ordered something online recently, and in a moment of inattention that could easily befall any other user, clicked on the link.

Invisibly to the user, Locky had its attack vector, and quickly installed itself on the user’s machine. Once installed, it began encrypting everything on that user’s local hard drive, from documents and pictures, to driver and system files. It changed the user’s desktop background to a ransom note, and then it found the criminal’s dream stash – our networked file share. The virus began encrypting those shared files too.

The first file to be locked behind industrial-grade encryption on our network share was targeted at 9:47am. I was first informed of the issue at approximately 10:30am. The user had noticed some strange files in one of the directories they needed to access on our network share, and wanted to know if it was just them, or if I saw it too. I navigated to the directory in question, and saw a string of file names like 11111111--1111--1111--FC8BB0BA--5FE9D9C2B69A.osiris.

The next word I said is generally unacceptable in the workplace. I knew immediately that we were looking at ransomware, and the most important actions to take would also be the most time-sensitive.

I’ll spare you the gory mitigation details and skip straight to this story’s happy ending. All told, WBA lost nothing but a few hours of time. No long-term damage, no breaches of mission-critical data, and we were back to 100% functionality by the end of business on Dec 21.

How were we equipped to navigate this storm? As with most things, the separation is in the preparation. Two years ago, WBA began a partnership with SBS Cybersecurity, a firm that provides certification and training to financial industry professionals and boards of directors on all matters relating to cybersecurity. To test the quality of their materials, I went through their Certified Banking Security Manager certification program, which prepares industry professionals for exactly this scenario (among numerous others).

In addition to our cybersecurity training, WBA employs redundant, asynchronous backup mechanisms, and utilizes industry best-practices for data storage and maintenance, including processing all payments out-of-scope with a PCI-compliant vendor – we store no PII on our network. We have a disaster-recovery and mitigation plan in place, and we test it biannually with our respective vendors. And finally, we have an endorsed vendor in PayneWest Insurance, who protects the Association in the unlikely case we ever do suffer a financial loss as a result of cybercrime.

The lesson here is that there is no substitute for having a plan in place for any conceivable scenario. In this modern age of cybercrime, it’s no longer a question of if your organization will encounter an attack on your assets, but when it will occur, and how you will respond. Thanks to both SBS Cybersecurity and PayneWest Insurance, WBA was able to protect and preserve both our data, and our ability to serve you.
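The renamed files Duncan Taylor saw on the network share are the indicator a responder has to work from: a distinctive name shape with a .osiris extension, appearing in bulk within minutes. The script below is an added example, not part of the WBA article or any tooling from the vendors it names. It scans a file listing for names of that shape, orders the hits by modification time to recover the first-hit timestamp (the 9:47am moment in the story), counts affected directories, and measures the peak burst rate, which is what separates ransomware from a user who merely renamed one file. The regular expression is generalized from the single name quoted in the article (five hex groups of 8-4-4-8-12 characters joined by double dashes); treat those group widths as an assumption rather than a specification of the malware, and the sample listing is constructed for illustration.

```python
import os
import re
import sys
import time
from collections import Counter
from dataclasses import dataclass

# Name shape generalized from the one file name quoted in the article:
#   11111111--1111--1111--FC8BB0BA--5FE9D9C2B69A.osiris
# Five hex groups (8-4-4-8-12) joined by "--" and a .osiris extension.
# The exact widths are an assumption drawn from that single sample.
OSIRIS_NAME = re.compile(
    r"^[0-9A-Fa-f]{8}--[0-9A-Fa-f]{4}--[0-9A-Fa-f]{4}"
    r"--[0-9A-Fa-f]{8}--[0-9A-Fa-f]{12}\.osiris$"
)


@dataclass
class Finding:
    path: str
    mtime: float  # seconds since the epoch


def scan_listing(entries):
    """entries: iterable of (path, mtime). Returns Findings sorted by mtime,
    so the first element is the earliest file renamed on the share."""
    hits = [Finding(p, m) for p, m in entries
            if OSIRIS_NAME.match(os.path.basename(p))]
    hits.sort(key=lambda f: f.mtime)
    return hits


def scan_share(root):
    """Walk a mounted share and feed every file into scan_listing.
    Unreadable files are skipped rather than aborting the sweep."""
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                entries.append((full, os.path.getmtime(full)))
            except OSError:
                continue
    return scan_listing(entries)


def triage(findings, burst_window=60):
    """Summarise a sorted list of Findings: how many files, when the first
    one was written (when encryption reached the share), which directories
    were touched, and the largest number of renames inside any
    burst_window-second window. A high peak rate is the ransomware signal;
    a single stray .osiris file is not."""
    if not findings:
        return {"count": 0, "first_hit": None, "directories": {}, "peak_rate": 0}
    dirs = Counter(os.path.dirname(f.path) for f in findings)
    times = [f.mtime for f in findings]
    peak, j = 0, 0
    for i in range(len(times)):          # sliding window over sorted times
        while times[i] - times[j] > burst_window:
            j += 1
        peak = max(peak, i - j + 1)
    return {"count": len(findings), "first_hit": times[0],
            "directories": dict(dirs), "peak_rate": peak}


# Constructed sample listing (not real data): a share as a user might have
# seen it shortly after 9:47am on 2016-12-21. Paths and names are invented.
BASE = time.mktime(time.strptime("2016-12-21 09:47:00", "%Y-%m-%d %H:%M:%S"))
SAMPLE_LISTING = [
    ("/share/finance/budget.xlsx", BASE - 86400),
    ("/share/finance/11111111--1111--1111--FC8BB0BA--5FE9D9C2B69A.osiris", BASE),
    ("/share/finance/11111111--1111--1111--FC8BB0BA--0A1B2C3D4E5F.osiris", BASE + 2),
    ("/share/hr/11111111--1111--1111--FC8BB0BA--ABCDEF012345.osiris", BASE + 5),
    ("/share/hr/policy.docx", BASE - 3600),
    ("/share/hr/notes.osiris", BASE + 6),   # wrong shape: not flagged
    ("/share/it/OSIRIS.txt", BASE + 7),     # wrong extension: not flagged
]

if __name__ == "__main__":
    # Pass a mounted share path to sweep it; with no argument, use the sample.
    hits = scan_share(sys.argv[1]) if len(sys.argv) > 1 else scan_listing(SAMPLE_LISTING)
    summary = triage(hits)
    print("encrypted-looking files:", summary["count"])
    if summary["first_hit"] is not None:
        print("first hit:", time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(summary["first_hit"])))
    print("directories:", summary["directories"])
    print("peak renames per minute:", summary["peak_rate"])
```

Run it against a mounted share as soon as the first odd file is reported: the first-hit time tells you which backup snapshot predates the damage, the directory list tells you which shares to take offline, and the peak rate tells you whether the encryption is still running, which is the moment to disconnect the originating workstation.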