How Wildcard Protects Clients from Ransomware
Published May 22, 2017
Ransomware has been in the news a lot lately with the recent, widespread attack that affected more than 200,000 people in 150 countries around the world.
As a cybersecurity firm, we have a lot of experience dealing with and stopping cyber attacks like these, and we thought this would be a great time to share a story about how we saved one client a lot of time and money when they were hit with a ransomware attack.
For this particular client, we were in our first month of deployment and still in the process of setting everything up. One of our technicians happened to be on-site performing the deployment when the attack was discovered.
People were having trouble accessing files on their computers, specifically Microsoft Excel files. While trying to discover the problem, our technician noticed the file extensions had been changed from .xlsx to another extension that couldn’t be opened. Other folders in the same directory tree were showing the same thing. At that moment, we realized that they were currently under attack and ordered an immediate and emergency shutdown of all their systems.
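As an added example that is not Wildcard's own tooling, the following Python script turns the two cues described above into a check a defender can run over a file share: an unfamiliar extension suddenly appearing across a directory tree, and Excel files that keep their name but no longer open. The allowed-extension set, the count threshold and the sample tree it builds are assumptions.

```python
"""Scan a directory tree for the signs of a ransomware rename pass."""
import os
import tempfile
import zipfile
from collections import Counter

# Office Open XML files (.xlsx/.docx/.pptx) are ZIP containers; an encrypted
# copy that kept its extension will fail this structural check.
OFFICE_EXTS = {".xlsx", ".docx", ".pptx"}

def extension_histogram(root):
    """Count files per lower-cased extension under root."""
    counts = Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            counts[os.path.splitext(name)[1].lower()] += 1
    return counts

def suspicious_extensions(root, known_exts, min_count=5):
    """Extensions outside known_exts seen on at least min_count files."""
    hist = extension_histogram(root)
    return {ext: n for ext, n in hist.items()
            if ext not in known_exts and n >= min_count}

def corrupted_office_files(root):
    """Paths that carry an Office extension but are no longer valid ZIPs."""
    bad = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in OFFICE_EXTS:
                path = os.path.join(dirpath, name)
                if not zipfile.is_zipfile(path):
                    bad.append(path)
    return sorted(bad)

def build_sample_tree():
    """Constructed sample share: 2 good workbooks, 1 damaged, 6 renamed."""
    root = tempfile.mkdtemp()
    for i in range(2):
        with zipfile.ZipFile(os.path.join(root, f"good{i}.xlsx"), "w") as z:
            z.writestr("xl/workbook.xml", "<workbook/>")
    with open(os.path.join(root, "q1.xlsx"), "wb") as f:
        f.write(b"\x00garbage")  # constructed: overwritten in place
    sub = os.path.join(root, "reports")
    os.mkdir(sub)
    for i in range(6):  # constructed placeholder extension, not a real one
        open(os.path.join(sub, f"r{i}.xlsx.example-locked"), "wb").close()
    return root
```

Run it against a share as `suspicious_extensions(path, {".xlsx", ".docx", ".pdf"})` and `corrupted_office_files(path)`; a non-empty result from either is the moment to pull the plug, as the story above did.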
Luckily, we had performed backups of the files on their network the night before, so we were able to restore their system from that backup. Instead of losing years of data, they lost about four hours of work. What’s more, they didn’t have to pay a dime in ransom money.
How important is it to be protected like this? A week later, a hospital was in the news. They were hit by ransomware and had no protections, so they were forced to pay around $17,000 to recover their data.
Where did the attack come from?
As it turned out, one of our client’s senior staff members had been getting an error message for several days before the attack was noticed. The message kept coming up, but they didn’t understand what the error was, so they ignored it. This was the ransom notice.
This staff member was still on an old machine without any of our protections on it, and none of the files on it had been backed up to the network. We were able to clean the virus off the computer, but we were unable to restore any of the data.
The attack began when that computer was connected to the network; without anyone realizing it, the virus was unleashed onto the shared systems. Unfortunately, since the user had extensive permissions, the virus was able to spread into many different parts of the system, making it imperative that we had backup snapshots of the entire system.
What did we do to protect them from future attacks?
Without handing out the whole recipe for the secret sauce—the keys to the kingdom—as it were, we can say that we restructured their permissions so that if another attack occurs, it will be much easier to contain. This is called a “least privilege” access policy, where users are only given access to the parts of the system that are absolutely necessary for their jobs.
We also installed anti-virus software and implemented a new file system that would allow us to recover more quickly from an attack. This will get them back to work having lost as little time as possible.
Personal files are now backed up on their network as well. This way, if one person’s computer is infected, all their important data is stored on the network where it can be recovered.
Without our security experience, this client could have lost years of data, paid thousands of dollars in ransom money, or possibly even both. This is why it’s so important to have someone looking out for you, no matter how unlikely an attack may seem. Recent events have shown that no one is immune, and an attack can come at any time.