Percept Research discovered late Friday night on February 3, 2017 that our servers were hacked by criminals located in Russia. Our web and file servers were attacked by the ‘Al Narood’ virus that stealthily infects a computer, encrypts data files, and blocks access. This form of attack is called ‘ransomware’ because it renders computers unusable unless victims are willing to pay an extortion fee and obtain a decryption key to unlock the machines.
This attack made our parent website, data files, and all of our client portals unreachable. Our payment systems were not affected, as they are hosted on a different system. The hackers demanded that we pay a monetary ransom to receive the decryption key needed to unlock the files. There is no evidence to suggest the hackers pulled any information from our servers; rather, they encrypted the files on our servers for ransom purposes.
Our Crisis Response
Percept Research immediately established new servers with limited access to data archives as a short-term solution while we worked to restore our service and data completely. We attempted to recover data from our most recent weekly backup files, but we discovered that those files had been encrypted as well.
Concurrently, we directly alerted clients currently fielding surveys and explored engaging a third-party firm specializing in decryption. Dozens of software companies advertise solutions for ransomware but only a few acknowledge success.
We engaged a decryption company to help us recreate the key needed to access our files. After ten business days of examination and attempts to decrypt our systems, the software firm alerted us that we were infected by Al Narood 2.0 with no known remedy. Al Narood 1.0 was thwarted at the beginning of 2016, while the 2.0 version was released in September 2016.
We also notified the FBI and local authorities regarding the incident. Unfortunately, these criminals often operate outside of the United States, making detection, identification, and prosecution nearly impossible.
Seeing no other option after the failure of decryption, Percept Research elected to pay the ransom to gain access to the data files. Of course, paying the ransom does not guarantee decryption. In fact, we were alerted that even if the hackers did provide the decryption, there is a great likelihood that only 40% of our data would be usable, as the virus often corrupts data that is in use during the encryption process.
Upon our follow-up inquiries to pay for the decryption key, the hackers doubled the ransom. At this point, we ascertained that the hackers would most likely not provide the decryption key regardless of payment. Coupled with the length of time that had elapsed since discovery, and the additional time that would be required to restore and manually compare files if the key was provided, we decided to move forward with restoring as much as we could to our servers and to forgo any further attempts to secure the decryption key. The only bright side is that the Percept Research team kept reports, survey instruments, and other work product on their local machines, so we could recover most information.
Through much effort by our entire team during February and March, we performed the restoration without losing any reports that could not be recreated. However, we were not able to recover data for surveys that had not yet closed their fielding during January 2017, and we have already contacted those clients. We very much appreciate their understanding and patience during this ordeal.
Prevalence of this type of attack
Ransomware became a popular online weapon in 2014, and it has targeted hospitals, police departments, schools and corporations. This type of online extortion has skyrocketed. Cybercriminals collected $209 million in the first three months of 2016 alone by extorting businesses and institutions to unlock computer servers, according to the FBI. At that rate, ransomware is on pace to be a $1 billion a year crime this year.
The agency also said that the losses could even be bigger once other related costs from these extortion schemes are factored in. Additionally, many victims may choose to pay and not report the crime. We felt it was important to be transparent for our clients and share our experience in hopes that others can prevent this type of crisis in their organizations.
Conceivably, every business and consumer connected to the Internet is a potential target for ransomware perpetrators. Almost two-fifths of businesses in the U.S., Canada, the U.K., and Germany have been hit in the last year by a ransomware attack, according to a survey by security firm Malwarebytes. Ransomware hackers are rarely identified and almost never caught.
How do we prepare for a ransomware attack?
The ransomware pops up in emails, photos, Internet links and "dozens" of other ways. So how can organizations protect themselves from ransomware?
Offline Backup System
The primary measure is to maintain frequent copies of critical files. However, as with our incident, any servers or other backup sources connected to the network will probably be infected as well. Thus, it is best to back up to a separate, offline source or a cloud storage service.
One of the most critical (and expensive) solutions we have implemented is a complete backup server that is ready to recover at a moment’s notice and stores offline backups every 5 hours. Our new system is designed so that the backup server can take over if our primary server is rendered offline, and a new backup server is then created to take its place.
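As an added illustration (not Percept Research's tooling), the check below verifies a backup set against the SHA-256 manifest recorded when the backup was taken and, for files that no longer match, uses byte entropy to tell a file encrypted wholesale from one that was merely edited; the file contents and the simulated post-attack state are constructed sample data.

```python
import hashlib
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 to 8.0. Plain text and CSV sit well below 6;
    ciphertext (and compressed data) sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic: a near-uniform byte distribution is a hallmark of ransomware output."""
    return shannon_entropy(data) >= threshold

def build_manifest(files: dict) -> dict:
    """Record SHA-256 per file when the backup is taken; keep the manifest offline too."""
    return {name: hashlib.sha256(content).hexdigest() for name, content in files.items()}

def verify_backup(manifest: dict, files: dict) -> dict:
    """Compare a backup against its manifest: ok / modified / encrypted? / missing."""
    report = {}
    for name, digest in manifest.items():
        data = files.get(name)
        if data is None:
            report[name] = "missing"
        elif hashlib.sha256(data).hexdigest() == digest:
            report[name] = "ok"
        elif looks_encrypted(data):
            report[name] = "encrypted?"
        else:
            report[name] = "modified"
    return report

# Constructed sample backup set: a survey export and a report as they were backed up.
ORIGINAL = {
    "survey_q1_2017.csv": b"respondent,q1,q2\n1,4,5\n2,3,5\n3,5,4\n" * 40,
    "client_report.txt": b"Percept Research client report, January 2017.\n" * 40,
}
MANIFEST = build_manifest(ORIGINAL)

# Simulated post-incident state: the report was overwritten with seeded random bytes
# standing in for ciphertext, while the CSV is untouched.
AFTER_ATTACK = dict(ORIGINAL)
AFTER_ATTACK["client_report.txt"] = random.Random(2017).randbytes(4096)

def check_after_attack() -> dict:
    return verify_backup(MANIFEST, AFTER_ATTACK)
```

Run the verification from the backup host before restoring anything: a backup that reports "encrypted?" is the situation described above, where the weekly copy had been encrypted along with the servers.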
Install Anti-Malware Software
Another preventative measure is to keep operating systems, browsers and plug-ins, especially Flash and Java, up to date. Antivirus software adds another must-have layer of protection. While it seems a basic tenet to have antivirus software installed, the type of software used is extremely important. McAfee, Norton, Bitdefender, Kaspersky and TrendMicro are some of the top-rated brands. We recommend steering away from free antivirus software. The term ‘virus’ is often used generically for any malicious code, including ‘worms’ and ‘Trojans’ that are not, strictly speaking, true computer viruses. We recommend Malwarebytes Endpoint Security for this type of malware prevention.
Since ransomware will often encrypt all files other than the operating system files it needs, we also installed a security tool called CryptoPrevent. CryptoPrevent works by blocking the execution of programs from certain locations within the computer’s operating system, locations that are not normally used by legitimate software. It uses hash definitions, program filtering and logic based on certain attributes of executable files to determine whether a given program should be allowed to launch on the system.
Change Default RDP Port
One of the most common ways for ransomware to attack is through the remote desktop protocol (RDP) port. We recommend changing RDP to use a non-standard port other than the default 3389.
Improve Spam Vigilance
Many experts urge everyone in an organization to be extra vigilant for spam, even if it looks legitimate, and to never download an unknown file. Some companies run drills, sending employees fake emails to see how many get fooled. It is best to use this approach as a teaching moment, not a shaming moment. The Malwarebytes survey indicates almost half of ransomware attacks originated from employees clicking on something they shouldn't have in emails; this tactic was particularly successful in the U.S. and Germany.
Implement More Stringent Password Policy
Lastly, upgrading your organization’s security policy regarding password complexity is critical. In practice, eight characters with a mix of upper and lowercase letters, numerals and symbols is usually the minimum requirement for lower-threat-level websites and applications. With modern hacking techniques, a minimum 10-character password requirement is becoming more common for systems that house important data.
Increasing the number of characters in a password dramatically improves security. Every additional character increases the number of possible combinations exponentially, making brute-force attacks on longer passwords far more difficult, and ultimately impractical, for hackers to crack.
It is highly recommended that passwords be composed of completely random characters rather than dictionary words. For instance, ‘$ue1sGre@t!’ looks like a good password, but because it spells “Sue Is Great” it is less secure against a brute-force attack than a random mix of characters, since an attacker can guess the phrase and its substitutions rather than every possible character.
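To make that comparison concrete, the added calculation below (not from the original article) estimates the search space an attacker must cover for a uniformly random password versus one built from a known phrase with the kind of case and character substitutions seen in ‘$ue1sGre@t!’; the substitution table, the suffix count and the guessing rate are assumptions.

```python
import math

PRINTABLE = 94  # printable ASCII characters excluding space

# Assumed mangling rules: the substitutes an attacker's rule set tries for each letter
# (each string includes the letter itself). Upper-casing is handled separately.
SUBS = {"a": "a@4", "e": "e3", "i": "i1!", "o": "o0", "s": "s$5", "t": "t7", "g": "g9"}
SUFFIX_OPTIONS = 33  # no suffix, or one of 32 common trailing symbols/digits (assumed)

def random_bits(length: int, alphabet: int = PRINTABLE) -> float:
    """Search space, in bits, of a password chosen uniformly at random."""
    return length * math.log2(alphabet)

def phrase_bits(phrase: str) -> float:
    """Search space, in bits, of every password derivable from a known phrase by
    dropping spaces, upper/lower-casing letters, applying SUBS and adding a suffix.
    This is what an attacker who has the phrase in a wordlist must enumerate."""
    bits = 0.0
    for ch in phrase.lower():
        if ch == " ":
            continue
        options = len(SUBS.get(ch, ch))       # the letter plus its substitutes
        if ch.isalpha():
            options += 1                      # the upper-case form
        bits += math.log2(options)
    return bits + math.log2(SUFFIX_OPTIONS)

def brute_force_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to exhaust a search space at an assumed offline guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def compare(phrase: str) -> dict:
    """Bits and years for the mangled phrase vs a random password of the same length."""
    length = len(phrase.replace(" ", "")) + 1   # +1 for the trailing symbol
    return {
        "phrase_bits": phrase_bits(phrase),
        "phrase_years": brute_force_years(phrase_bits(phrase)),
        "random_bits": random_bits(length),
        "random_years": brute_force_years(random_bits(length)),
    }

if __name__ == "__main__":
    for key, value in compare("Sue Is Great").items():
        print(f"{key:13s} {value:.3g}")
```

For ‘Sue Is Great’ the mangled-phrase space is roughly 21 bits against about 72 bits for an 11-character random password, which is the gap between a fraction of a second and thousands of years at the assumed rate.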
Thank you to our Clients!
We apologize to our clients for the extended downtime and the time it took to regain access to past reports and ascertain the disposition of surveys that were fielding when this incident occurred. Percept Research has operated as a 99.9% uptime service since 2003 without many hiccups. The root cause of our outage and data loss was difficult to predict, and an outage of this nature is extremely rare. This type of incident is unlikely to recur with the new prevention measures we are implementing.
We would also like to thank our clients for their patience during the recovery and for working with us individually to expedite the recovery process.
The privacy, security and confidentiality of the information collected for our clients is a top priority for everyone at Percept Research. We felt it was important to be transparent and share our experience in hopes that our readers will avoid a similar situation. If you are interested in a more detailed background of this incident and our process to recover the service, please reach out to us.
By-line:
Brian Mahoney and Mark McQuail, co-authors for this article, are Managing Partner and Director of Operations, respectively, at Percept Research. They welcome your questions and comments.