IT Group was approached by a school that had found its IT systems infected with ransomware. The attack had, thankfully, not affected any student data, but it had succeeded in encrypting all of the accounting files used to balance the school’s books and pay staff. The damage, while not business-crippling, had the potential to cause many issues that would cost both money and time to solve; luxuries that the education sector cannot afford.
By compromising one user’s account, the ransomware took hold of that user’s files, encrypting them one by one before moving on to the user’s network shares and working through a variety of areas on the school’s server. When the school called IT Group, we were instructed to perform a forensic recovery where possible, and a Penetration Test to ensure that, however the ransomware had got in, it could not happen again.
The Penetration Test showed the school’s network to be in desperate need of locking down, with several vulnerabilities that would allow easy access to the school’s network from anywhere on the internet. A meeting and a report followed, with the result being a full rebuild of the school’s entire IT architecture, with a more secure infrastructure in place that would more successfully defend against any attacks on their network.
The school used an outsourced IT support company and, as a result, had little knowledge of the architecture and ‘ins and outs’ of its own systems and networks. Instead, the school relied upon the contract drawn up between the school and the company, which specified the terms of the service the IT support company would provide.
Despite this agreement, the IT company hadn’t taken a correct backup for months, a fact that was only discovered once the ransomware had finished encrypting the vital files. As this was the school’s first experience of an IT incident, it called the IT company to inform them of the ransom. The IT company advised the school to pay the ransom, and even set up an email address ‘on behalf of the school’ to negotiate directly with the ransomer in an attempt to get a lower price.
The school approached the Police, who advised them against paying the ransom, especially as this would involve using Government money to financially aid criminal activity, ultimately encouraging further attacks - all without any guarantee of regaining access to the files that had been lost.
IT Group attempted to retrieve the data through the recovery of the unallocated sectors of the drives but this had also been overwritten by the malware. It is very rare in these circumstances that the information can be retrieved. Despite this, IT Group took a forensic image of the data, to enable the school to wipe the server and keep this image as a ‘backup’, so that if the decryption key was ever discovered, the files could be retrieved - although this was likely to be years away.
The school accepted that the data was lost, but used the experience and technical knowledge of IT Group to identify the areas in which the network was most vulnerable and where work was needed - with this knowledge, they set about securing a more proactive and reputable IT company.
Luckily, against all odds, the master decryption key was released only a few months after the image had been taken, seemingly provided by the creator of the malware. The key was first tested on a sample of files contained within IT Group’s forensic image; once shown to work, it was used against all of the encrypted files on the server. Without the forensic image, the data that had been assumed lost would truly have been gone, wiped during the rebuilding process; instead it could be restored, with valuable knowledge and experience gained along the way.
Aaron Pickett is a Digital Forensic Examiner at IT Group specialising in Information Security, Computer Forensics and e-Disclosure. Aaron holds accreditation from Bond Solon Expert Witness Training, as well as UFED Cellebrite Mobile Phone Forensics, using both of these to help IT Group stay at the vanguard of the Legal and Forensic Computing sectors.