What Does a Ransomware Attack Look Like?

With the recent ransomware attack on the Colonial Pipeline in the news, it is important that we acknowledge potential exposure regardless of the size of the organization and be proactive in minimizing risk.

The Attack

Here is an example of what ransomware looks like and how easily an attack can occur. This example came from an HR department where the director was looking to fill a position for the company. She posted the job listing on all the major job sites. One of the responses contained ransomware.

The attacker was looking at the job posting sites for ads that looked interesting. They found this company and replied to the job posting that the HR director had put online. The message looked like it came from the job posting site, with an attachment titled "resume". The email was sent directly to the HR director’s email address, which was on the job posting.

Wanting to look at all potential candidates, the HR director clicked on the resume, but nothing happened. She clicked on the resume a second time and a third time, and still nothing happened. Not wanting to miss out on a candidate, she sent the email to four coworkers, asking them to open the document and print it out for her. None of her colleagues had any success in opening the document. They decided not to worry about it and moved on.

A few weeks later, the HR director and her colleagues who had tried to open the email were greeted with a welcome screen on their computers stating that they had been infected by ransomware.

The Result

Ransomware encrypts all the data that is on your computer. Next, it looks at any computers that you are connected to and encrypts all the data there as well. It holds you hostage, requiring you to pay for an encryption key to get your files back.

At this point you have four options, none of which are good.

  1. You can restore files from your backup provided your backups are not infected.
  2. You can do nothing, look at it as a loss and move on. This is not a good option unless you really don’t have any important data stored on your computer systems.
  3. You can pay the ransom. This option is not recommended because it has a very low rate of success.
  4. You can find a third party who can decrypt the software and work through it to restore your files. This option also has a low success rate.

The company in this example chose to restore their files from their backups. They were fortunate that they had backups that went back further than the date of the attack. However, the employees that were infected lost two weeks of productivity, not to mention the cost for the IT department to remedy the situation, taking down their servers and restoring all the encrypted files. Once you start adding all these factors, ransomware becomes very expensive even if you don’t lose any of your data.