An Admin’s Worst Nightmare (AKA Cryptowall Gotcha)

Sometimes not using best practices gets us.  Other times it is fatal.

Check out this article about an admin who had his (or her) entire universe fall down around his/her ankles.

The article shows how, in this case, not following best practices was more than a little inconvenient.

The admin was reading his email, apparently with admin privileges and with links to all the disks on his or her entire server farm with write privileges (this sentence is wrong on so many levels – kind of like a to do list of what not to do).

Then this admin got phished.  Some phishing attacks are bad.  This one was worse.  The attack was a cryptowall attack and before he or she knew it, the entire production server farm was encrypted (at least it is now secure).

The entire organization was dead in the water.  This included the public facing side of this unnamed US based non-profit with hundreds of employees.

They did have backups, but not all of them had been tested.

In addition, even if the backups worked, it would take days to restore.

Sooooooo, they decided to pay the ransom (which was very low – a strategy that the attackers play to their advantage.  If they wanted $10,000 you might think twice but if they ask for $500, you might say what the hell.)

The good news here is that they got the crypto key from the attacker (which does NOT always happen) and were able to decrypt the files in a few hours.

This is a great lesson for people who take the opportunity to learn.  Learning from OTHER people’s mistakes, in my humble opinion, is the least painful way to learn.  As long as we don’t say that we will implement the lessons another day.

Mitch Tanenbaum

by