Proof of Life

Tom Montgomery, NGU Risk Management

August, 2020

Imagine coming to work one morning and being unable to access your email, or any files stored on your servers, including budgets, financial records, and student information. I hope none of you experience this, but one TNRMT member just did.

In this ransomware incident, our TNRMT Member promptly reported the ransomware attack to us. We in turn promptly referred it to our cyber security response team. A conference call was held immediately between the cyber response team and our Member's IT and leadership teams. An action plan was formulated and implemented within minutes. It was soon determined that the attackers were relatively sophisticated and did in fact hold the keys needed to decrypt the data. Because the Member's backup servers were also compromised, the decision was reluctantly made to pay the ransom in Bitcoin. Within 72 hours, the 'keys' were obtained from the attackers and the Member's data and systems were restored.

This incident was reported to the FBI and Homeland Security, though we do not anticipate that the attackers will be found and brought to justice.

The Cyber coverage provided by TNRMT to all P/C Members provided complete protection in this incident, as the Member's only financial stake was a $1,000 deductible. The stress, confusion, overtime, and a few sleepless nights were far more painful.

We share this incident with you in the hopes that together we can avoid this happening to any other TNRMT Member.

Attached are comments from Phillip Pratt, Director, Crockett County Schools:

“Within thirty minutes after arriving at work on July 24, 2020, we noticed something wasn’t right on our network. We noticed icons had been added to our domain controller server and our printers would not connect to the print server. After a quick look at the print server, we found a ransomware banner that said our files had been encrypted. We immediately notified our internet vendor to have all of our connections to the schools disconnected and started evaluating the scope of the damage. The initial evaluation identified 7 servers that were encrypted. The most important servers were the domain controller, the print server, and the backup server. My first thought was, how do I proceed?

Within ninety minutes we identified the ransomware attack, isolated the network, and were in a call with a TNRMT representative, Arete Cyber Security Team, and the Law Office of Lewis Brisbois.

Within 72 hours we received the decryption keys and decrypted all of the files. During that time, we had to rebuild some of the services on the main servers, and we were back operating normally.

Thanks to the rapid response from TNRMT, Crockett County Schools had a quick recovery without any data loss.

There are several what-ifs we can take away from this experience.

We have learned valuable lessons from this experience, and our technology will move forward more safely than before. The rapid response from TNRMT is what made the outcome of this tragedy easier to overcome.”

At this link, you will find a technical article on specific Ransomware avoidance techniques. Please share this information with your IT professionals. Encourage them to implement these steps immediately. Our TNRMT safety professionals have a training module on cyber prevention that presents common everyday practices that will help avoid many cyber-attacks.

Our Members are encouraged to contact the TNRMT IT director Kyle Greenup, safety team members Chris Stites, Mark Bilyeu and Jason Baggett, or Tom Montgomery for follow-up assistance.

*The title of this article is not taken from a kidnap/hostage situation, but from the recent ransomware cyber-attack on a TNRMT Member. If you've experienced your own ransomware incident, you're familiar with this "Proof of Life" tactic. Before negotiations begin, the cyber response team demands that the ransomware attacker decrypt a portion of the environment up front, to confirm that the attackers are who they say they are and that they indeed have the ability to provide the 'keys' to decrypt your data. This term is but one aspect of such an incident that we have learned about, and one that unfortunately has become a necessary evil we all must deal with.
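The "proof of life" step above only has value if the responder actually checks what comes back. The following script is an added example, not part of this TNRMT article or of any vendor's tooling: it assumes the responder still has pre-incident SHA-256 hashes for some files (for instance from a backup manifest or a file-integrity monitor) and, for files with no hash on record, falls back to checking that the returned content carries the header its file type requires. All file names, contents and hashes below are constructed for the example.

```python
"""Check attacker-returned 'proof of life' decryptions before negotiating.

Added example (not from the TNRMT article). Assumptions: pre-incident
SHA-256 values exist for at least some sample files; the rest can only be
sanity-checked by file-type header.
"""
import hashlib

# Well-known leading bytes for a few common office file types.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",   # Office Open XML files are zip containers
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def plausible_type(name: str, data: bytes) -> bool:
    """Weak check used when no pre-incident hash exists: does the returned
    content start with the header its extension implies? Unknown extensions
    must at least decode as UTF-8 text, which ciphertext almost never does."""
    for ext, magic in MAGIC.items():
        if name.lower().endswith(ext):
            return data.startswith(magic)
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def verify_samples(returned: dict, baseline: dict) -> dict:
    """Map each returned sample to 'hash-match', 'type-plausible' or 'FAIL'.

    A strong verdict (hash-match) is only possible where a pre-incident hash
    is on record; 'type-plausible' means the bytes look like the right kind
    of file but could not be proven identical to the original."""
    verdicts = {}
    for name, data in returned.items():
        if name in baseline:
            verdicts[name] = "hash-match" if sha256(data) == baseline[name] else "FAIL"
        else:
            verdicts[name] = "type-plausible" if plausible_type(name, data) else "FAIL"
    return verdicts


def all_verified(verdicts: dict) -> bool:
    """True only if every sample passed; one failure voids the proof."""
    return bool(verdicts) and all(v != "FAIL" for v in verdicts.values())


# Constructed sample data: what the files looked like before the incident,
# a hash baseline for one of them, and what the attacker sent back.
ORIGINALS = {
    "budget.pdf": b"%PDF-1.4\n% constructed sample document\n",
    "roster.xlsx": b"PK\x03\x04 constructed sample workbook",
    "notes.txt": b"constructed plain text notes\n",
}
BASELINE = {"budget.pdf": sha256(ORIGINALS["budget.pdf"])}   # only one hash on record
RETURNED = {
    "budget.pdf": ORIGINALS["budget.pdf"],      # decrypted correctly
    "roster.xlsx": ORIGINALS["roster.xlsx"],    # no hash; header check only
    "notes.txt": b"\x8f\x11\x02" + b"\xff" * 8,  # still looks like ciphertext
}

if __name__ == "__main__":
    verdicts = verify_samples(RETURNED, BASELINE)
    for name, verdict in verdicts.items():
        print(f"{name:12s} {verdict}")
    print("proof of life accepted:", all_verified(verdicts))
```

Choose the sample files before the exchange, from several servers and file types, and prefer ones whose hashes you can still recover from an unaffected backup copy; a header check alone cannot tell a genuinely decrypted document from a padded fake.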

Tom Montgomery
NGU Risk Management
615.822.5454
tmontgomery@ngutn.com