How a small Canadian company fell victim to ransomware

A Southern Ontario executive recently victimized by ransomware thought he was knowledgeable about computing and security. But curiosity got the better of him last month and he opened an email attachment.

“I was an idiot for checking on it,” Robert said Wednesday, who asked that only his first name be used and the company not identified to protect the firm against possible further attacks.

However, his story is a lesson on why having a robust backup and recovery strategy and regular awareness training is vital at a time when ransomware – whether targeted or not – is spreading.

According to a study released Wednesday by backup provider Datto of 1,100 Managed Service Providers (MSPs) in the U.S., Canada, Australia, the U.K., 60 per cent of respondents said their customers said they had suffered up to five ransomware attacks in the previous 12 months. Forty per cent reported six or more attacks.

Thirty-one per cent of IT service providers said there had been multiple ransomware attacks against small business clients in a single day.

In Robert’s case he had just become head of a small company, which included taking over the previous executive’s email account.

Going through the mail that first morning last month there were a number of messages such as “Here is the financial statement you wanted,” with attached invoices or spreadsheets which. Robert thought some might be for the former executive and should be forwarded. To be sure, he scanned one file with anti-virus software that had a .DOCM extension and found no warnings. Then, to make certain the message was for the former exec, he opened the file.

At first, there was only a blank document. “I began to smell a rat,” Robert said. Shortly afterwards a ransom message popped up demanding payment in Bitcoin if he wanted encrypted files to be released.

“I didn’t believe it at first. I thought it was something to trick you into downloading an anti-virus program.” But then he checked his PC’s directories and found all files had been renamed with .Zepto extension, meaning they had been encrypted with the Zepto ransomware. Also infected were attached drives, including the company’s servers and several PCs.

The DOCM file was a Microsoft Word macro that delivered the payload.

According to a recent blog from security vendor Sophos, Zepto ransomware has been seen increasingly since July, usually with ZIP or DOCM attachments. The ZIP file contains a Javascript file that downloads the ransomware. Sophos says Zepto has a lot of similarities with the Locky ransomware.

In Robert’s case, fortunately his company had a strong backup provider who within hours was able to restore the server. His computer, however, had to be wiped and several files were lost.

“It was my first 10 minutes (in the new job) going through these emails,” Robert says in his defence, and he scanned the file – but he also kicks himself for not being careful enough.

He did one thing right before clicking on the Word documents, doing a lookup to see check the message sender; but it looked legit. On the other hand, the message wasn’t personally addressed to the former exec. Another clue was that it would be unusual to send a “financial statement” to this particular company. A third reason to be suspicious is that a DOCM attachment is a signal it has a macro.

Having anti-virus software isn’t a complete defence against any type of malware, particularly signature-based AV, which is why regular awareness training is vital along with a backup and recovery strategy. That strategy could include real-time backup if necessary, as well as ensuring the backup is not on a network drive that could be infected.

An email gateways that scans and quarantines malicious attachments is important – and if it slows mail, tough.

In addition, Sophos recommends IT set browsers to open .JS (Javascript) files to open in Notepad, to set Windows show file extensions, and set Microsoft Office to not allow macros in documents from the Internet.

And having all staff be vigilant is essential. “In the same day I might have four or five” suspicious emails with slightly different senders, says Robert. “Now I know what they look like I either mark them as junk or delete them.”

“If you’ve got mission critical data is worth having a proper backup solution,” he says. “and never click on anything with DOCM and be careful with ZIP files.”

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now