More Ransomware – Jeez, I’m getting sick of this topic!

Gavin Livingstone, Bryley Systems Inc.

Guess what:  Cyber crooks are killing it!  According to Kaspersky Labs, over 700,000 people late 2015/early 2016 gained the privilege of stress-testing their backup strategies or forking over money (and a comment on their vulnerability) to some overseas creeps who view every server and workstation as a potential cash cow; this was 5x the amount of people reporting similar issues in late 2014/early 2015.  And, the attacks are getting more sophisticated, and much more effective.

Sure, it is constantly in the news and we are all concerned, but many of us are like the proverbial Ostrich, sticking our proverbial (yes, I meant to repeat proverbial; I like the way it sounds; proverbial, proverbial, proverbial) heads in the sand.  And, it is costing us significant money!

To recover from Ransomware, we recommend backups that follow the 3:2:1 rule:

  • Three copies of your data
  • Two media types
  • One offsite

This simple rule, when followed diligently using a professional-grade backup application with at least daily, monitored, encrypted backups, can save your data from Ransomware, disasters, and other ills.  (Windows Server Backup, although improved, is not a professional-grade backup application since it lacks logging, which can lead to unintended consequences, particularly when swapping backup media on a daily basis and trying to verify previous, good backups.)

Case in point:  We saved an organization that relied on Windows Server Backup with a single, attached USB drive (no media swapping). It was attacked by Cerber Ransomware, which was inadvertently downloaded to the Windows PC of a user with administrative rights.  (Cerber Ransomware is licensed to cyber-criminals, who pay royalties for its use; these royalties are sent back to its originators in Russia.  It emerged in March 2016 and has recently targeted Microsoft Office365 users.)

The virus on the server went to high-value accounts, concentrating on encrypting data and Windows Server Backup files while making it appear that all files within most folders were already encrypted (although only about one in 10 had been encrypted initially).  Some interesting points:

  • The virus was injected into User Accounts in their AppData/Remote folder, which executed when the user logged onto the network.
  • Over 25,000 data files in about 1500 folders were encrypted.
  • All Windows Server backup files on attached drives were encrypted and renamed to @@@@@@@@.server with the current date or no date.
  • The requested ransom was $2,000; 2.725 bitcoins.

In broken English, the attackers noted:

  • “You have turned to be a part of a big community #CerberRansomware.”
  • “…we are the only ones who have the secret key to open them (your files).”
  • “Cerber … is not malicious and is not intended to harm a person…”
  • “…created for the sole purpose of instruction regarding information security.”

The upshot:

  • We rebuilt the server and reintroduced it to the network.
  • The Network Administrator’s workstation was wiped clean and rebuilt.
  • With significant effort, we recovered 90% of the company’s original data.
  • We now professionally backup this site using our remote Bryley BU/DR.


  • Anyone and everyone is a target; these criminals are happy to get a few hundred dollars each from millions of potential “customers”.
  • A solid backup plan is only one step in your line of defense; security requires a multi-layered approach.
  • Don’t pay cybercriminals; one Kansas hospital paid the ransom, and was told to pay again! Plus, you become an unwitting target for future attacks!

Please see these issues of Bryley Tips and Information (BITs):

Please also see Cyber-Security Firm:  Crypto-Ransomware Infections have reached Epidemic Level by Jonathan Keane of DigitalTrends on 6/24/2016.