Rescued From Ransomware

Who doesn’t look forward to a holiday weekend, right? At exactly 12:30 pm on Friday July 2, 2021, as our employees were in various stages of winding down the week before the long holiday weekend, everyone working on their company computer, via VPN or in the office, was suddenly looking at a black screen. Suddenly, dozens of urgent calls were being made to both myself — the CFO — and our controller as we scrambled to get in touch with our IT support firm TechBLDRs.

Most of us got an early start to the 3-day weekend as we learned that we experienced a ransomware attack from a major Russian-based ransomware syndicate called REvil. Some cybersecurity researchers predicted the attack targeting customers of software supplier Kaseya could be one of the broadest attacks on record, impacting businesses around the world.

The scheme was quite impressive: it targeted the software used by many IT service providers to remote into their clients to provide support. So, despite all the training, updates, warnings, and reminders we provide our employees, the ransomware came in through the back door, not by an employee hitting a link they shouldn’t have.

Some interesting excerpts from the text message we received from REvil (typos and bad grammar included):

  • “By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER)”
  • “Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us. Its not in our interests.”
  • “To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.”
  • “Just we have the private key. In practice – time is much more valuable than money.”
  • “ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.”

TechBLDRs worked closely with the folks at Kaseya, who were under siege. The president of TechBLDRs, Joe Awe, made the decision that saved the day: don’t wait for Kaseya to come up with the solution.

On Saturday afternoon, a 5-minute video was emailed to our employees explaining the situation, and making it clear this only impacted laptops and desktops with access to our in-house network files, not cell phones or tablets. The video explained how to tell if your computer was infected by looking for a readme file in your hard drive, along with simple instructions about how to nullify (not eradicate) the infection by deleting certain files that were planted.
