Encrypting Ransomware Hits Small Business

Client Name: (business name removed)
Service Details: Business client, on-site consult, on-site support
Problem and Request: Client reported that they were seeing “ransom” messages appear on their computers, and that they couldn’t access files because they had been locked by a virus. They needed help restoring access to their files and securing their IT environment.

Solution and Result: The call came from a small business client (a survey company with under 25 users) reporting file access problems. They described what had happened: their bookkeeper suddenly couldn’t open any documents, and soon after that other users were complaining that they couldn’t access their files.

We suspected an encrypting ransomware attack when the client told us that the bookkeeper’s PC was displaying a message with instructions for acquiring Bitcoin to pay for a “decryption key.” Even worse, files on the client’s main file server were being encrypted as well, and they didn’t know whether they had working backups of their data.

This is a bad situation for any company to find itself in. Without going into every technical detail in this post, the survey company experienced several days of downtime, lost data, lost productivity, and lost revenue.

Particularly notable was the chaos the attack caused. The company was completely paralyzed: the ransomware not only encrypted the files on the bookkeeper’s PC, but also reached the network shared folders and began encrypting documents on the company’s main file server. Encryption over a share does not require the server itself to be compromised: the malware running on the workstation simply writes to every share the logged-in user’s account can modify, which is why limiting each user’s write access to the shares they actually need caps the damage a single infected PC can do. Fortunately, one of the company’s database programmers recognized the attack and pulled the power cord from the file server mid-infection, limiting the damage. Cutting power does stop the encryption, but it is a blunt instrument: it risks file-system damage and discards any volatile evidence on the server. Disconnecting the infected workstation from the network (or closing its SMB sessions on the server) stops the encryption at its source while leaving the server running.
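The pattern described above (one client, many files, one new extension, a few seconds) is detectable on the file server before someone has to reach for a power cord. The following is an added example, not code from the original post or from the consultant: a small detector that runs over a simplified file-share audit log, flags the user and workstation doing bulk renames, spots ransom-note files, and includes a byte-entropy check to confirm a flagged file is really ciphertext. The log layout, hostnames, usernames, paths, timestamps and thresholds are all constructed for the example; in practice the events would come from Windows object-access auditing (for example Event ID 4663) or Samba's full_audit module, parsed into the same fields.

```python
"""Detect ransomware-style bulk encryption on a file share from audit events.

Added example, not from the original post. Log format, names and thresholds
are assumptions; real input would be Windows 4663 events or Samba full_audit
lines parsed into the same fields.
"""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_log() -> str:
    """Constructed sample: a developer doing normal work, then the bookkeeper's
    workstation dropping a ransom note and bulk-renaming Finance files over
    the share. Every name, path and timestamp here is invented."""
    lines = [
        "2020-01-15T09:12:01 dbdev WS-DEV write \\\\FS01\\Projects\\loader.py",
        "2020-01-15T09:12:09 dbdev WS-DEV rename \\\\FS01\\Projects\\notes.txt -> \\\\FS01\\Projects\\notes_old.txt",
        "2020-01-15T09:12:14 bookkeeper WS-BOOK write \\\\FS01\\Finance\\HOW_TO_DECRYPT.txt",
    ]
    t0 = datetime(2020, 1, 15, 9, 12, 15)
    for i in range(25):  # 25 renames in 25 seconds, all to one new extension
        ts = (t0 + timedelta(seconds=i)).isoformat(timespec="seconds")
        lines.append(f"{ts} bookkeeper WS-BOOK rename "
                     f"\\\\FS01\\Finance\\AP_{i:03d}.xlsx -> \\\\FS01\\Finance\\AP_{i:03d}.xlsx.locked")
    return "\n".join(lines)


LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.+)$")
RANSOM_NOTE = re.compile(r"how[_ -]?to[_ -]?decrypt|decrypt[_ -]?instructions|readme.*(decrypt|ransom)", re.I)


def parse_log(text: str) -> list:
    """Parse 'timestamp user host op path[ -> newpath]' lines into dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed layout
        ts, user, host, op, paths = m.groups()
        old, _, new = paths.partition(" -> ")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "host": host,
                       "op": op, "path": old, "new_path": new or old})
    return events


def ext(path: str) -> str:
    """Lower-cased final extension of a UNC path, '' if none."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_encryption_burst(events, window=timedelta(seconds=60),
                            min_renames=20, min_share=0.9) -> dict:
    """Flag each (user, host) that, within any `window`, renames at least
    `min_renames` files where at least `min_share` of them gain the same new
    extension and lose their original one. Many files, one new suffix, one
    client, seconds apart: that is bulk encryption, not editing."""
    by_principal = defaultdict(list)
    for ev in events:
        if ev["op"] == "rename":
            by_principal[(ev["user"], ev["host"])].append(ev)
    alerts = {}
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding time window over the renames
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_renames:
                continue
            top_ext, top_count = Counter(ext(e["new_path"]) for e in win).most_common(1)[0]
            changed = sum(1 for e in win if ext(e["new_path"]) != ext(e["path"]))
            if top_count >= min_share * len(win) and changed >= min_share * len(win):
                alerts[principal] = {"extension": top_ext, "count": len(win),
                                     "seconds": (win[-1]["ts"] - win[0]["ts"]).total_seconds(),
                                     "first": win[0]["path"]}
                break
    return alerts


def find_ransom_notes(events) -> dict:
    """Map (user, host) to the ransom-note-like file names they wrote."""
    notes = defaultdict(list)
    for ev in events:
        name = ev["new_path"].rsplit("\\", 1)[-1]
        if ev["op"] in ("write", "create") and RANSOM_NOTE.search(name):
            notes[(ev["user"], ev["host"])].append(ev["new_path"])
    return dict(notes)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, documents and text well below.
    Use it to confirm that a flagged file is really encrypted, not renamed."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    for (user, host), info in detect_encryption_burst(evs).items():
        print(f"ALERT {user}@{host}: {info['count']} renames to .{info['extension']} "
              f"in {info['seconds']:.0f}s, starting with {info['first']}")
        print(f"  response: close SMB sessions from {host}, disable {user}, snapshot the share")
    for (user, host), paths in find_ransom_notes(evs).items():
        print(f"ALERT ransom note from {user}@{host}: {paths}")
```

Run as-is it flags the bookkeeper's workstation after the twentieth rename and names the note file, while the developer's single rename stays quiet. The thresholds are deliberately conservative; the right values depend on how a given share is normally used, and the response step (closing the offending SMB session and disabling the account) is what an on-call person or a script should do instead of pulling power.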

It turned out that the company did have a cloud backup, but the roughly 1 TB of data took days to download over their slow Internet connection. A backup that cannot be restored within the time the business can afford to be down is only half a solution: restore time has to be tested in advance, and for data sets of this size that usually means a local backup copy or appliance for fast recovery, with the cloud copy as the off-site tier. The company’s lack of an adequate backup/disaster recovery (BDR) solution, combined with little to no IT documentation, made the attack extremely difficult to recover from.

Author: Kevin S.

Kevin Sanders is a Los Angeles native who has worked in tech support and customer service since 2000. He specializes in professional IT consulting, cloud technology, cyber security, networking and Wi-Fi, hardware/software diagnostics and repair, and custom systems building.