A few months ago, a customer called the Gordon Flesch Help Desk to say she couldn’t open a file on her server’s shared drive. She also noticed that the file extension on the spreadsheet she was trying to open had been changed from .xls to .payday.
While this might seem like a rather mundane problem, the customer support representative immediately recognized it as a telltale sign of a particularly dangerous digital virus known as ransomware. You might recall a similar ransomware attack that crippled England’s National Health Service, shutting down some hospitals for days.
The support representative escalated the call to our Managed IT support specialist team, where I serve as a lead, and I spoke with the customer. It turned out the company was the latest victim of a variant of the virus called CryptoLocker, which the New York Times described as “a particularly ruthless ransomware program.” I instructed the customer to quickly log off any computers and servers.
Nice Try, Starforce
After remotely logging into the customer’s network, I found 156,000 files on the company’s data server and 2,282 files on the company’s terminal server that had already been corrupted and encrypted. Upon further investigation, the following text file was discovered — a digital ransom note with a return address:
all your files have been encrypted
want return files?
write on email: firstname.lastname@example.org
This type of ransomware spreads through emails or web links that look like they come from legitimate businesses, including fake package-tracking notices from FedEx and UPS. Once inside a network, the virus can spread from one system to the next, usually through mapped shared drives. This particular attack didn’t expose personal data, so there was no risk of a HIPAA breach or of anyone accessing medical files. But, as it spread, the software locked up computer files behind encryption that cannot be undone without the attacker’s key.
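The two indicators this incident turned on, a mass of files carrying the new .payday extension and a plain-text ransom note, are easy to check for across a mapped share. The following script is an added example, not part of the original post or any Gordon Flesch tooling; the directory layout and file names it builds are constructed sample data, and the extension and note wording are taken from the incident above.

```python
import os
import re
import tempfile
from collections import Counter

# Indicators from the incident described above: the ".payday" suffix the
# malware put on encrypted files and the opening line of its ransom note.
RANSOM_EXT = ".payday"
RANSOM_NOTE = re.compile(r"all your files have been encrypted", re.IGNORECASE)

def scan_share(root):
    """Walk a share and return (encrypted_count, ransom_note_paths, per_dir_counts).

    per_dir_counts tells a responder which folders (and so which mapped
    drives and users) the encryption has already reached.
    """
    encrypted = 0
    notes = []
    per_dir = Counter()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(RANSOM_EXT):
                encrypted += 1
                per_dir[dirpath] += 1
            elif name.lower().endswith(".txt"):
                try:
                    with open(path, "r", errors="ignore") as fh:
                        head = fh.read(4096)  # a note is short; read only the start
                except OSError:
                    continue
                if RANSOM_NOTE.search(head):
                    notes.append(path)
    return encrypted, notes, per_dir

def build_sample_share():
    """Create a throwaway directory mimicking an infected share (constructed data)."""
    root = tempfile.mkdtemp(prefix="share_")
    finance = os.path.join(root, "finance")
    os.makedirs(finance)
    for name in ("budget.payday", "payroll.payday"):  # spreadsheets already renamed
        open(os.path.join(finance, name), "wb").close()
    open(os.path.join(root, "minutes.docx"), "wb").close()  # untouched file
    with open(os.path.join(root, "HOW_TO_RETURN_FILES.txt"), "w") as fh:
        fh.write("all your files have been encrypted\nwant return files?\n")
    return root

if __name__ == "__main__":
    count, notes, per_dir = scan_share(build_sample_share())
    print(f"{count} encrypted files, {len(notes)} ransom note(s); hit folders: {dict(per_dir)}")
```

A non-zero result is the cue the post describes: disconnect the affected machines from the share before restoring from backup.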
Ransomware can do incredible damage, and this was among the worst types of ransomware I had seen. The good news is that we were running hourly backups for the customer, which means they could recover from almost any type of disaster.
To recover the customer’s systems, the Continuity247 Backup and Disaster Recovery (BDR) solution was implemented to restore the organization’s servers back to 10 a.m. that morning — a time before the infection occurred. Within an hour of discovering the attack, the company was able to resume working using a backup copy of their environment. If the infection had gone unnoticed or this company had not been running hourly backups, the attack could have been much more devastating and incredibly costly.
7 Signs Your Computer Has Been Hacked
As a Support Team member with Gordon Flesch, I’ve seen all kinds of ransomware, spyware, hacks and attacks against our Managed IT customers. Ransomware is just one kind of attack. Both novice and savvy computer users should watch for these common signs that a computer, network or organization has been hacked.
1. Fake antivirus messages. These are a common sign of an intrusion. Know what antivirus software you are running so that you recognize what an authentic alert looks like. Do not click on suspicious pop-ups; they are often a scam designed to panic you into handing over credit card details to “remove” viruses from your computer. Hackers may also use malware to disable your antivirus defenses.
2. Unusual disk activity. If your computer hard drive or cooling fan whirs incessantly, it could mean malware is looking for data to damage or steal.
3. Friends and contacts receive strange messages from your email account. It’s a sign you’ve likely been hacked or spoofed and a program is using your contact list to send phishing emails.
4. Passwords aren’t working. There’s a good chance you’re not being forgetful; someone may have compromised your security. If a password suddenly stops working, it could mean a hacker has broken into your computer and changed your account’s login details. Worse, it can be a signal that your information was compromised somewhere else entirely, perhaps at a hacked retailer, bank or web merchant. Unfortunately, many people don’t know they’ve been hacked until they get an alert from their bank about unusual activity. Be vigilant and watch for online activity or purchases you haven’t authorized.
5. Unwanted browser toolbars and popup ads. When these annoying items refuse to close or go away, they are usually a sign of adware on your machine rather than a feature of the website.
6. Unwanted software installations. These may appear on your system and are another common symptom of a cyber infestation.
7. Redirected web searches. If search results or links send you to pages you didn’t expect, or to sites that look suspicious, be cautious: something may be hijacking your browser.
Unfortunately, many types of attacks are subtle and difficult to identify. Sophisticated hackers can break into an organization’s network undetected and remain there for a long time. Once an access point is found, they can surreptitiously sneak into your network again and again, or just silently snoop on you, collecting sensitive and valuable information. In addition, IT departments often don’t defend printers and other connected devices with firewalls or other safeguards. That means a printer, especially an older model that lacks newer security features or isn’t password-protected, can become a backdoor for hackers to steal confidential information.
To spot more subtle or sophisticated attacks, many organizations will need a network Intrusion Detection System (IDS), an automated system that, as the name suggests, watches network traffic for signs of intrusion. There are usually two systems working together: the IDS is a monitoring and alerting tool that warns of an attack, while an Intrusion Prevention System (IPS) acts to block or stop it. Logs should also be monitored regularly for signs of attacks, intrusions and other security-related events. Ongoing log monitoring should cover sources such as network devices, firewalls, operating systems, authentication and access control systems, applications and security software.
Fortunately, the IT experts at Gordon Flesch can help you run a full security sweep of your network, printers, computers and mobile devices to identify threats and weaknesses. Contact the Gordon Flesch Company for a no-cost assessment and to learn more about how our Managed IT services can help secure your local or Cloud-based IT infrastructure.