A major Canadian company was forced to pay $425,000 in Bitcoin over the weekend to restore its computer systems after suffering a crippling ransomware attack that not only encrypted its production databases but also the backups as well.
“They literally had not choice but to pay” because the backups were frozen, said Daniel Tobok, CEO of forensics firm Cytelligence, which is helping with the investigation.
Tobok wouldn’t identify the company for reasons of confidentiality. He believes it to be the largest ransomware payment in Canada to date. By comparison last month a South Korean Web hosting firm reportedly paid the equivalent of US$1 million in ransomware, believed to be the biggest publicly reported payment so far in the world.
Although the forensic investigation is in its early stages, the attack was very sophisticated. It started with spear phishing targeting six senior company officials who were sent a PDF attachment with a malicious payload.
Staff apparently fell for two old ploys: Two of the messages purported to be from a courier company and told recipients the attachments were invoices for packages to be picked up, while the other messages asked officials to open and print the attached document. That led to the insertion of malware.
“It appears from early investigation there were vulnerabilities in unpatched systems in their Windows environment,” said Tobok. “They had a couple of outdated database servers that had not had all the recent patches on them.”
It is believed the attackers then spent several months hunting around the network to find data stores before releasing the ransomware, which spread across the corporate network including backed up data.
“They knew where the databases were, the confidential information,” said Tobok. “They knew everything.”
Before handing over the money the company demanded the attackers prove they had the decryption key.
The incident is another warning that Canadian organizations aren’t immune from being attacked.
The early lessons from the attack, Tobok said, are if the CIO/CISO can afford it have third party do a full penetration test. “A real security audit would have discovered some of these vulnerabilities,” he said. “You can never control phishing because that’s a human element,” he said, although adding that awareness programs are still essential.
Another lesson apparently is to ensure backups aren’t connected to the primary system.
And, as Tobok says, “patch, patch, patch.”
At this stage, Tobok said, no enterprise should be caught off guard by this kind of attack. “When you look at [recent ransomware attacks] Petya, WannaCry, if that’s not a wake-up call for companies I don’t know what else is.”