How to survive a ransomware attack and live to tell about it
Live IT!
Here’s how it happened
- Friday 01/26/18, mid-afternoon: an employee clicked on an attachment in what appeared to be a legitimate email from SDE.
- All emails, especially those with attachments, should be carefully scrutinized. If the email is sent from someone who doesn’t seem legitimate, DO NOT CLICK on it.
- No action Friday or over the weekend.
January 29 am – The discovery
Oh heck *&*%*&*(( – what now?
- Immediate contact with SDE Security Office, SLED, FBI
- Almost all servers (70 of them) and Internet were disabled districtwide
- PowerSchool is hosted – no loss of student data
- Some phone service down; communication was by cell phone
- Encore Technologies contacted to assess damage
- 9:00 briefing with Superintendent and Senior Staff
- Encore discovered all servers were backed up, with the exception of the Domain Controller
Oh heck *&*%*&*(( – what now? II
- 2:41 Made initial contact with Dyno Dan (the perp) – how much would it cost to unlock files?
- 3:00 – Second briefing by IT Director to Superintendent and Senior Staff
- Two options: pay ransom, or rebuild domain controller from scratch
- Contact with SCSBIT on cyber coverage – we were covered
- Contact with bank to set up separate account
- 6:26 pm Dyno Dan responded with demand – 1 bitcoin ($11,000)
Ransom request and response
What is a bitcoin and where do you get one?
- What is one? It is a cryptocurrency and worldwide payment system. It is the first decentralized digital currency, as the system works without a central bank or administration.
- DynoDan was kind enough to give us several examples
What we did
- Encore provided us with the name of a US bitcoin company located in Arizona
- Contacted bank to create a separate and distinct account specifically for paying the ransom
- District was prepared to have a cashier’s check cut for the ransom to deposit into the separate account
- Financial consultants secured bitcoin on our behalf
The negotiation and stall (It’s still only Monday)
It’s now Tuesday
- 9:00 am Briefing by IT Director to Superintendent and Senior Staff
- Encore light bulb went off: domain recovery
- From 9:00 am til 9:00, able to recover the domain controller but not the group policy
- At 2:30 pm we sent 3 files for a free decryption
- By 5:00, district had secured a bitcoin for the ransom
- At 9:30, it was decided not to pay the ransom, go with the recovered server, and build the group policy from scratch
- At 10:48 pm DynoDan responded with our 3 files to test
It’s finally Wednesday
- All services are still non-functional
- Successful backup from Tuesday night – domain controllers were able to replicate to all school domain controllers
- 9:00 am briefing with Superintendent and Senior Staff; advised no ransom would have to be paid
- Systems were slowly restored one at a time.
Thursday
- IT staff brought up individual district office PCs with Internet – schools were still unable to access
- First day district was able to access accounting software since the previous Friday
- Slow recovery day
Things to think about – TIL
- Does your district have adequate backup for servers?
- Is your PowerSchool on-site or hosted off-site?
- Do you have Cyber Insurance coverage?
- Is your accounting software on-site or hosted off-site? How would you run payroll or AP? An emergency procurement?
- Does your district have P-cards or credit cards for emergency purchases?
- Do you know how to purchase bitcoin? How long does it take?
TIL – continued
- How is our point of sale for food service affected?
- Keeping attendance
- Fall-back plan for classroom instruction
- Is your cell coverage adequate for communication purposes?
- Does your district have an IT expert you can lean on?
Encore to the Rescue
- YES – it CAN happen to you
- Security – STOP using passwords. Start using passphrases
- Disaster preparedness – when was the last time you tested your backups and procedures?
- Leverage your partners
Questions?