Station avoids major harm from ransomware attack, but threat is real

(Photo: elbpresse.de, via Wikimedia Commons)

In the blink of an eye, the file names on a desktop computer at Western Reserve Public Media’s administrative offices in Northeast Ohio became scrambled and the screen read, “Congratulations!!! You have become a part of a large community of CryptoWall …”

And so, what began as an ordinary Monday morning in February 2016 ended as the dreaded day that our data was taken hostage and Western Reserve Public Media became part of a modern-day extortion scheme.

I first learned about malware capable of taking total control of your data when I read “When Hackers Turn to Blackmail,” a case study by Caroline Eisenmann in the October 2009 issue of the Harvard Business Review. It was about how a small community hospital’s electronic medical records were taken hostage, and the only way the hospital could get the data back was to pay $100,000 in ransom.

To be candid, the case study scared me. If this could happen to a small community hospital that has an entire IT department devoted to the security and well-being of its network and patient information, are all organizations vulnerable? At its conclusion, the case study asked three renowned leaders in the fields of IT business, education and security how they would deal with a malware attack. I posed the same question to my IT and management departments, all the while saying to myself, “We are a virtuous nonprofit public television station. Surely this will never happen to us.”

Fast forward to February 2016. Our operations manager is sitting across from me in my office. The low-energy depression in his voice and weariness in his eyes commanded my undivided attention. I asked him to repeat what he just said: “We’ve been hacked by ransomware … Our data has been encrypted … They want money.”

After a brief moment of stunned silence, I began a line of questioning in an attempt to assess the situation. How did he know? How much are they asking for? Had we linked to any dangerous attachments? Do we know what data has been compromised?

Although he was in the beginning stages of discovery, he had already isolated the desktop computer that opened the door to the malicious virus. How did he know the culprit? Because the computer had a full-screen message from the hackers explaining what had happened, what we needed to do to get the information back, how much it was going to cost and links to where we were instructed to send the money if we wanted our data back. And oh, by the way, “The further life of your files depends directly in your determination and speed of your actions.” In other words, meet our demands now or we destroy everything!

Once the operations manager knew what computer was involved — luckily, it was just one — he checked to see which of our 10 servers were mapped to that computer and reviewed the files to see if the data on those servers were also taken captive. Like most modern-day television stations, our entire operation including our broadcast transmission happens through servers. We would be paralyzed and have to totally shut down if CryptoWall infiltrated all 10 servers.

Fortunately, the offending computer was used by an outside contractor and was only mapped to two servers: one that handles our Internet functions and another that houses our financial reporting software. There was a deep sigh of relief that the membership software and broadcast operations servers were okay, but there was no time to rest on that fortunate discovery.

The two infected servers were immediately shut down to prevent any further contamination. By this time we surrendered to the fact that we might lose all of the data on those servers. Fortunately, we had an off-site hard-drive backup if we had to rebuild it. This gave us the confidence to not give in to the demands of the hackers but rather start on the journey to fix the damage and get on with our public media life.
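The step the operations manager describes, reviewing the files on the mapped servers to see whether they had been encrypted, can be done methodically rather than by eye. The script below is an added example, not code from the station, Involta or the article, and the share layout, file formats and thresholds in it are assumptions constructed for illustration. It walks a copy of a share read-only and sorts each file into three buckets: a dropped ransom note (recognised by the phrase the article quotes), a file whose known format header no longer matches its extension or whose contents are near-random, and everything else. A triage like this is run from a clean machine against a mounted copy or snapshot, never on the suspect host.

```python
"""Read-only triage of a file share for signs of ransomware encryption.

Added example for this page; the share layout, thresholds and sample files
are constructed for illustration and are not from the incident described.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Phrase from the ransom note quoted in the article; dropped note files repeat it.
NOTE_MARKERS = ("large community of cryptowall",)

# Header bytes ("magic numbers") that files with these extensions normally start with.
# Assumption: the share holds ordinary office documents; extend for other formats.
MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".png": (b"\x89PNG",),
    ".jpg": (b"\xff\xd8\xff",),
    ".txt": (),  # plain text has no header; judged on entropy and note markers only
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted or random data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> str:
    """Return 'note', 'likely_encrypted' or 'clean' for one file, reading only its head."""
    head = path.read_bytes()[:65536]
    text = head.decode("utf-8", errors="ignore").lower()
    if len(head) < 16384 and any(m in text for m in NOTE_MARKERS):
        return "note"
    expected = MAGIC.get(path.suffix.lower())
    if expected:
        # Known format whose header is gone: the contents were rewritten in place.
        return "clean" if head.startswith(expected) else "likely_encrypted"
    # Unknown or scrambled extension: fall back on the entropy of the contents.
    return "likely_encrypted" if shannon_entropy(head) > ENTROPY_THRESHOLD else "clean"


def triage_share(root: Path) -> dict:
    """Walk `root` and return per-verdict counts plus the paths that were flagged."""
    counts = {"note": 0, "likely_encrypted": 0, "clean": 0}
    flagged = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            verdict = classify(p)
            counts[verdict] += 1
            if verdict != "clean":
                flagged.append((p.relative_to(root).as_posix(), verdict))
    return {"counts": counts, "flagged": flagged}


def build_sample_share() -> Path:
    """Constructed sample data: two intact files, two rewritten ones, one ransom note."""
    root = Path(tempfile.mkdtemp(prefix="share-"))
    fin = root / "finance"
    fin.mkdir()
    rng = random.Random(2016)  # seeded so the sample is repeatable
    (fin / "budget.pdf").write_bytes(b"%PDF-1.4\n" + b"ordinary report text " * 200)
    (fin / "notes.docx").write_bytes(b"PK\x03\x04" + b"word/document.xml " * 200)
    # Same file name as before, but the header is gone and the body is near-random.
    (fin / "q4.xlsx").write_bytes(rng.randbytes(4096))
    # Scrambled file name with an extension the share never held.
    (fin / "k3j9d2.a1z").write_bytes(rng.randbytes(4096))
    (fin / "HOW_TO_RESTORE.txt").write_text(
        "Congratulations!!! You have become a part of a large community of CryptoWall ..."
    )
    return root


if __name__ == "__main__":
    report = triage_share(build_sample_share())
    print(report["counts"])
    for rel, verdict in report["flagged"]:
        print(f"{verdict:17} {rel}")
```

On the constructed share the scan flags the two rewritten files and the note and leaves the two intact documents alone. In practice the extension table is filled from what the share is known to hold, and the flagged list, not the counts, is what decides which server goes to restore-from-backup.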

To assist us in assessing the damage and recovery, we called the local office of Involta, a national provider of IT intelligence and end-to-end infrastructure. I learned about Involta at a conference having to do with broadband communities that I attended several years ago.

Together the Involta engineer and our operations manager scanned the two corrupted servers. They found and removed a few minor threats on one server, but since the infected computer had antivirus software installed, they believe it stopped CryptoWall before it had a chance to infiltrate enough to cause major damage. (Insert heavy sigh of relief here.)

We have our suspicions that Western Reserve Public Media got infected from a link to a fake profile on a popular social media site, but we will never know for sure. According to the website MalwareTips, CryptoWall can infect your computers in several ways, including accidentally linking to a website that has been hacked, opening spam email containing infected attachments, or being tricked into downloading a bogus software update. Recent articles on the subject indicate that hackers are starting to become very clever in attaching malware to links on social media sites. Who out there doesn’t trust your best friend’s sister’s best friend’s cute and cuddly kitty-in-a-box video link?

Now that all is well on the Western Reserve Public Media front, and thankfully the damage was very minimal, a small part of me is “okay” (I don’t want to say “glad”) that this has happened. Sure, it was a sobering wake-up call. Yes, it challenged us to revisit our IT procedures and fine-tune our practices. And there is no doubt that the staff has learned how actions they take using station computers have the potential for devastating consequences. But on the bright side, it also proved to me that I have exceptional employees who care deeply about the well-being of Western Reserve Public Media, and when confronted with an outside threat, we pull together to protect our valuable public service.

Trina Cutter is president and c.e.o. of Western Reserve Public Media in Kent, Ohio.