404-865-1289

Boost IT

IT Management & Cybersecurity

News

Atlanta Real Estate Firm Gets Ransomware

by

A Story about Ransomware Detection and Prevention for an Atlanta Real Estate Firm

This is the story of how cyber criminals in China attempted to take down and extort for ransom an Atlanta Real Estate Firm, how the Boost IT team reacted, and what we can learn from it — ransomware prevention in 2020.

How The Ransomware Hit?

It was Monday, January 7th; the first full week after the holidays. The day began like any other Monday — we gathered over coffee, discussed the fun things we did over our weekends, and had our weekly team meeting to review our client environments. A ticket had come in over the weekend that there was some unusual activity on a client’s servers, and that there was a jump in hard drive activity.

Next was a series of frantic incoming phone calls followed by shock as the gravity of the situation sank in. The day I had been dreading since I founded the company in 2000 was finally here — a client that had repeatedly refused our security recommendations had a full-fledged ransomware attack underway.

Can Ransomware Be Prevented?

In the best cases, our managed security services, when used together, will drastically reduce chances of infection. In fact, our clients that use our full suite of security services have never gotten ransomware. In the worst cases, the bad guys succeed, data is lost, and ransoms are paid out. Fortunately for us, we were well prepared because our client used our rock-solid, cloud-based disaster recovery system so data loss was minimized.

How We Reacted?

Shut it down

The first thing we did once we confirmed the attack was to have everyone power off their workstations. Once ransomware compromises one machine it immediately spreads to the rest of the network. And even with backups in place, recovery takes time. Restoring a single machine can take 1-2 hours and when handling dozens of machines that can easily turn from hours into days.

Search & Analyze

With everything powered off, we started slowly checking each server one by one, and taking samples of the encrypted files so we could send them out for analysis. After submitting the samples to IT Security Researchers we quickly discovered we were dealing with something incredibly nasty: The Dharma -Adobe variant of Ransomware (.cezar family of attacks). This strain is extremely problematic.

Only 1 in 67 anti-virus engines could detect the ransomware

In fact it successfully made its way through their Cisco Meraki Firewall with Advanced Security License, the email security filtering, Microsoft Office 365 mail scans, and past their anti-virus protection.

Put in the time

Even with recent backups available, checking each system individually, completing the restores, and testing to determine which backups weren’t compromised, we watched in real-time as Chinese cybercriminals attempted to login to their servers (we blocked some 7,000 attempts per hour at the height of it). It took people on our team in excess of 100 hours of work that week. It was 14+ hour days and extremely stressful. Brent Tibbetts went above and beyond showing up early and staying late.

Summary Of The Ransomware Attack

  • We shut down all workstations before any systems were encrypted and before we got the ransom demands.
  • Our client lost 1-2 days of data (Chinese hackers infected the systems but waited a few days to detonate the payload, so we chose to restore from a backup image taken when we knew 100% of the data was unaffected.)
  • Our client had only a single day of complete downtime, followed by another couple days of interrupted workflow as we got them up and running on temporary systems while we rebuilt the infrastructure.
  • Our team put in 12-14 hour days all week working round the clock to recover from backups and prevent further attacks.
  • We learned that Cybersecurity user training is more critical than ever (stay tuned for an email with cybersecurity tips as well training offerings for clients not already using our preferred eLearning platform: KnowBe4)
  • We saw firsthand how valuable proper disaster recovery backups are; a file/folder backup is not enough if you want to be able to recover from an attack swiftly. Without recent system images of the servers the backup could have taken 1-2 weeks to rebuild all the infrastructure rather than a day.
  • We want to remind our clients just how important good passwords are. If you don’t have a password policy, read this article on How to Create a Strong Password.

A big thank you goes out to our clients for their patience and understanding during the attack. It was a huge productivity loss with their whole office not being able to work. No one yelled or made unreasonable demands on our team. We stayed optimistic, worked together, and ensured a smooth recovery.

Thanks,

Russell Shulin
Founder & Chief Client Success Officer
Boost IT, LLC

If you’d like to stay informed of cybersecurity news and ransomware prevention measures, sign up on our Contact page.

For more info on how the Dharma Ransomware variant works:

https://latesthackingnews.com/2018/08/13/new-variant-of-dharma-ransomware-discovered/

Boost IT has a New Home

by

Boost IT has a New Home

We are celebrating our growth with a prize giveaway. Want to know how to win? Read on.
Atlanta, GA June 4 2014.

How does a business with limited resources remove uncertainty from IT operations?
Boost IT solves another piece of the puzzle with its new Atlanta home.

“We quickly realized that the next level of service for small business meant eliminating uncertainty in IT operations, “ said Russell Shulin, CEO. “With monitored and managed IT infrastructure and around the clock service desk support, business owners no longer have to worry about the reliability or hidden cost of their IT and can concentrate on their core strengths to boost their business. IT networks can be assessed, stabilized, monitored, and managed for growth and innovation with more uptime and less cost with our new managed service offerings so that your critical IT tools are always available when your business needs them. Migration to this new system is easy and will not interrupt your daily business functions.”

Large enterprises have been taking advantage of managed IT services for years but the cost was out of reach for most small businesses. Now most of the work is done virtually from remote locations so Boost IT can contract for these services in bulk, bundle them into inclusive packages that meet your requirements and offer them at the right price point for your business.

Shulin continued, “Our new facility is just another evolution for providing the best client service possible. Although our systems and processes enable our team to support your IT remotely from nearly anywhere and at any time, there are some functions that are just enhanced by a quickly accessible, centralized physical location. The needed space for the build out and staging of our clients’ hardware, for testing new technologies, and for collaboration and education of our team also provides us reliable access to high bandwidth throughput and physical security. Our new home certainly meets those needs for the foreseeable future.”

We mark our continued growth by moving into new and improved facilities at 2115 Monroe Drive, Suite 100, Atlanta, GA 30324. Since 2000 Boost IT has always been associated with superior providers of technology products and services to offer superior IT support to engineering, financial services, and healthcare organizations. Reinforcing our core belief that affordable, enterprise class managed IT services can transform and elevate small businesses to the next level, in 2013 we partnered with a world class provider that supports more than 350,000 users worldwide to automate monitoring and management of IT servers, workstations and network devices for our small business users.

Boost IT believes that IT should perform like a light switch, that you and your team should dream big, sleep well, and leave IT up to us, and that your goals for your business come first. Our work is personal, and everything we do revolves around these beliefs.

A LUCKY WINNER!!

In June, Boost IT will offer a free, no obligation network assessments as a tool to determine how your IT operations could be improved to better service your business. In celebration of our growth, a lucky winner will have a choice of receiving a dining card or an Android tablet during June 2014. Just schedule a network assessment by sending a request to info@boostitco.com and you will be entered into our drawing. We will be announcing our winner in our July newsletter.

TAKE SELF-ASSESTMENT