Threats 101
Jonathan Crowe
Oct 2016

Tales from the Encrypted: Ransomware Horror Stories (and the Mistakes that Spawned Them)

Scared of what users might unleash when they go "click" in the night?

You're not alone. We recently asked IT pros with first-hand experience grappling with ransomware to share their stories. The tales they told were equal parts frightening and enlightening. To save you the horror of going through what they did we're sharing six of their most important lessons learned.

(Along with six classic-horror-film-inspired movie posters, of course.)

Tales from the Encrypted

Ransomware Horror Movies Inspired by Real-Life Stories and Classic Mistakes

Mistake #1: Falling for the attached invoice disguise


Ransomware infections can play out in a variety of different ways, but the vast majority start out the same way — a user clicks on something they shouldn’t. For a large number of the IT pros we talked with, that something was an email attachment disguised as an invoice.

Despite several things that should have been red flags (not recognizing the sender as someone the company does business with, for example), employees downloaded and opened the attachments anyway. Whether it was simple curiosity or they simply weren’t thinking, the result was a very different kind of invoice asking for Bitcoin in exchange for their files.

User-proof tip: Disable Microsoft Office macros

Microsoft Office docs are a popular delivery vehicle for ransomware authors because they allow them to leverage macros (bits of code that allow additional functionality) to execute the ransomware without the user's knowledge. Ex: The Locky ransomware family originally gained traction and notoriety in early 2016 with its use of malicious macros in Word documents.

If possible, adjust your users' Microsoft Office default settings to disable macros. That way you can prevent ransomware from exploiting them. Microsoft has a support document that walks you through that process here.
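As an added example (not from the original post or from Microsoft's support document), the following PowerShell enforces that setting through the same per-user policy registry values that Group Policy writes, so users cannot re-enable macros from the Trust Center; it assumes Office 2016 (version key `16.0`) and that `Word`, `Excel` and `PowerPoint` are the applications you care about.

```powershell
# Added example: enforce an Office macro policy for the current user.
# Assumes Office 2016 (policy key "16.0"); change $OfficeVersion for other releases.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Set-OfficeMacroPolicy {
    param([string]$App)

    $Key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }

    # VBAWarnings controls the Trust Center macro setting:
    #   1 = enable all macros (the weak setting ransomware macros rely on)
    #   2 = disable all macros with notification (the Office default; users can still click "Enable Content")
    #   3 = disable all except digitally signed macros
    #   4 = disable all macros without notification (enforced here)
    Set-ItemProperty -Path $Key -Name 'VBAWarnings' -Value 4 -Type DWord

    # Block macros in documents that carry the Mark-of-the-Web (downloaded or received by
    # email), which is exactly where the "attached invoice" lures come from.
    Set-ItemProperty -Path $Key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}

function Get-OfficeMacroPolicy {
    param([string]$App)

    $Key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $Key)) { return [pscustomobject]@{ App = $App; VBAWarnings = $null; BlockFromInternet = $null } }
    $Props = Get-ItemProperty -Path $Key
    [pscustomobject]@{
        App               = $App
        VBAWarnings       = $Props.VBAWarnings
        BlockFromInternet = $Props.blockcontentexecutionfrominternet
    }
}

foreach ($App in $Apps) { Set-OfficeMacroPolicy -App $App }

# Audit step: every row should show VBAWarnings = 4 and BlockFromInternet = 1.
$Apps | ForEach-Object { Get-OfficeMacroPolicy -App $_ } | Format-Table -AutoSize
```

In a domain, push the same values with the Office ADMX templates under User Configuration rather than running this per machine, and re-run the audit loop after any Office upgrade, since the version key changes.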

Mistake #2: Thinking antivirus will catch everything


Criminals know the primary defense many companies rely on is antivirus. And they know antivirus works by scanning programs to see if they match the “description” of programs already identified as malicious. So to get their ransomware past antivirus, they’ve developed ways of either disguising it to look like something legitimate, hiding it in another program, or making it appear to be a new, unidentified program that antivirus won’t flag (learn more in our post, "How Malware Gets Past Antivirus").

100% of ransomware victims we polled were running antivirus at the time of the attack.

User-proof tip: Add a layer of endpoint security that stops attacks antivirus doesn’t

You probably already have antivirus. And that's a good thing. But odds are you’re also looking to replace or augment it (86% of security professionals are thinking of doing the same thing).

The truth is, thanks to their reliance on signature matching, antivirus solutions repeatedly risk getting bypassed because they’re constantly stuck playing catch up. In order for them to have a signature they can block, a malware sample needs to be captured, analyzed, and categorized. By the time a signature does get added, the next iteration of the malware is already making the rounds and the cycle repeats itself.

A better approach is to identify ransomware based on what it attempts to do, not just what it looks like as a static file. After all, ransomware is as ransomware does (that’s how the saying goes, right?). To put it another way, if you can block the behaviors that ransomware relies on to function you can stop it whether a signature exists for it or not.

At the risk of sounding self-promotional, that’s exactly what Barkly does. Learn more about it here.

Mistake #3: Not reporting incidents immediately


With ransomware, one of the main things you're up against is its speed. Unlike other cyber attacks that prioritize stealth in order to maintain system access and control for long periods of time, ransomware prioritizes spreading far and wide, encrypting as much as possible as fast as it can.

That’s why it’s less than ideal when a user who gets infected late on a Friday afternoon decides to wait until the following Tuesday after a three-day-weekend to say anything about it. By then, the ransomware has had the chance to spread through shared network drives and infect the entire department.

User-proof tip: Provide a clear process for reporting infections (and actually encourage/reward employees for using it)

Reading through IT pros' horror stories, it’s surprising how often users waited to report an attack, or decided not to proactively report it at all. One of the biggest reasons they cite makes a lot of sense, though: Users are scared of getting in trouble.

To combat that fear and reluctance, you need to get vocal about the importance of reporting potential security incidents or anything out of the ordinary. And you need to reframe that as a positive thing.

By providing users with the tools and knowledge they need to help them recognize when something isn't right you can make them feel like they're part of the solution instead of part of the problem. Combine that with actively rewarding and praising employees who do report incidents and you'll be on your way to creating the kind of environment where users proactively raise their hand when they notice something suspicious.

Get more advice for turning users into assets instead of liabilities in our Security Awareness Playbook.

Mistake #4: Allowing infections to spread through shared drives


One of the scariest aspects of ransomware is its ability to spread across shared network drives. It's one thing to have to wipe and restore one workstation. It's another thing to be caught in a loop of repeated infections across multiple departments, trying desperately to track down "patient zero" and eliminate all the infected files for good.

There were many cases where IT pros were sent on wild goose chases or where hours of their hard work had to be repeated, all because just when they thought they'd cleaned up the last of the infected machines, someone accessed something on a shared network folder and the attack kicked up all over again.

User-proof tip: Practice the principle of least privilege

It won't stop a ransomware infection from starting, but limiting what users have access to can certainly help keep one from spreading like wildfire.

Security expert Pete Herzog suggests approaching security with the goal of creating separation between your systems and assets. Ex: Desktops should not be able to connect to other desktops. Access to files, printers, servers, you name it should be solely limited to those who absolutely need it. Copies of backups should absolutely be kept separate.

Speaking of backups...

Mistake #5: Not being truly backup-ready


Perhaps the biggest surprise takeaway from reading through IT pros' ransomware horror stories was this:

Backup is the one thing ransomware victims count on most to bail them out. It's also crazy how often it doesn't go 100% right.

While many of these ransomware horror stories ended with IT pros thankfully restoring infected machines from backup, that sadly wasn't the outcome for everyone. Having working, reliable backup is something that's incredibly easy to take for granted, and until you actually test it out, it's not even something you can assume you have.

User-proof tip: Make sure you know everything about your backup ahead of time

This includes your:

  • Recovery point objective (RPO): the timeframe dictating how often backups are created (ex: daily, weekly, etc.)
  • Recovery time objective (RTO): the amount of time it takes to restore and get back up and running
  • Backup locations: it's best practice to embrace a 3-2-1 strategy (maintain three copies of data in two separate locations, one of which is offsite)
  • Actual ability to recover and restore data: you can't truly know what to expect until you actually test it

Ultimately, backup is like an emergency brake — it's something that's great to have, but it's not something you really want to rely on when you're speeding down the highway. Prevention is much less of a white-knuckle experience.

Mistake #6: Thinking once one attack is over you’re in the clear


The last lesson from this batch of ransomware horror stories is that recovering from one attack doesn't prevent the next one from happening.

50 percent of ransomware victims experience repeat attacks.

Clean up should absolutely be your first focus, but as soon as things are back up and running you need to turn your attention to figuring out exactly what went wrong and how you can plug the gaps that allowed the attack to happen in the first place.

User-proof tip: Conduct a post-attack retrospective and close up your gaps

Go back and retrace the trajectory of the attack, starting with how the ransomware got onto the first victim's machine. If it was something a user did (and it probably was), figure out ways you can educate them. But just as important, also try to think of ways you can make their mistake more difficult to make, or ways you can make the repercussions of their mistake less damaging (think reducing their access and/or installing protection like Barkly).

Try to identify any vulnerabilities that were exploited along the entire thread of the attack, and specific controls you can put in place to either eliminate or mitigate them.

Want to make sure you're really ready to handle a ransomware attack?

Check out our new Complete Guide to Ransomware. It breaks down the latest ransomware trends and infection scenarios and gives you step-by-step instructions for how to prevent and respond to attacks.

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.

