Another Island ransomware threat thwarted by proper backup protocol


LITTLE CURRENT – Manitoulin Island’s radio stations have become the latest high-profile local victim of a ransomware attack on their computer systems, but they averted a crisis thanks to an extensive backup redundancy system that enabled a full restoration of their systems within a matter of hours. The incident is a further example of the importance of preparing regular, secure data backups.

“What I developed for backups is probably the best system in the industry, thanks to my IT background,” said Manitoulin Radio Communication CEO Craig Timmermans.

He and his wife Kelly ‘KT’ Timmermans, president of the radio station, were in Sudbury on August 29 when a staff member called them to say that the station was playing the same song on repeat. Mr. Timmermans logged into the server remotely and noticed that an attacker had installed ransomware on the main computer system.

His investigations showed that the virus came in through a staff member’s email. The employee mistakenly opened an attachment that was disguised as a legitimate file; from there, the virus copied itself onto the central computer system.

For the bargain price of $4.5 million (paid in Bitcoin), the attackers said they would unlock the computers. However, as most computer security experts will say, users should never pay the ransom because they may never get their files back even if they comply with the demands.

The malicious software (or malware) locked down every file on the system, from their entire music library to advertisements and logs of what content had aired. The only file it could not encrypt was the song that was playing at the time, since the radio system was broadcasting that file.

When every other file got locked down, that one song aired four or five times on repeat before Mr. Timmermans took down the feed and replaced it with a small playlist to cover the gap. He did not recall the name of the song that avoided becoming encrypted.

At this point, without any backups in place, any other station would have faced a crisis. The Timmermans attended the Country Music Association of Ontario awards this past week and spoke with the owners of a nine-station chain in southern Ontario who faced a similar threat.

That chain, however, did not have the same robust backup system in place and all of its nine stations went off the air for a full week before they were able to broadcast any music. Rebuilding all of their music library, re-recording commercial spots and setting up the server again could take the other station months to complete, estimated Mr. Timmermans.

At Manitoulin Radio Communication, all files are backed up on a daily basis and files pass through a quarantine before getting added to the official backup.

“Our systems get backed up to an isolated system and then the backup system picks up the files from that spot. When things like ransomware hit a network, the first thing they’ll do is eliminate all links to your backups but this way, there’s no direct connection between those files and the main system,” said Mr. Timmermans.

This is an extension of the age-old computer advice that users should have three copies of all of their important data, including backups that are not directly connected to the main computer and ideally are stored off-site.

Mr. Timmermans worked quickly with employee Sylvain Boucher to restore a backed-up copy of their systems. Their main feed was back in an hour and their systems were fully back to normal within just seven hours of the start of the attack.

“This is just another example of how important it is to back up your data. I was pretty prepared going in but I never suspected a virus would attach itself to the server in the way it did,” he said.

On-air staff at the station have work laptops that they use to record voice tracks from home. This is a major source of vulnerability, so Mr. Timmermans reconfigured the software so that the laptops could not access the internet except for the company’s server, for uploading their files.

“COVID-19 has really opened Pandora’s Box for ransomware. I think of how many companies have sent their staff home and they use their personal devices to connect to the work servers. It really sets you up for exposure,” he added.

For information on keeping computer data safe for both employers and individual users, please see the story in the September 23, 2020 issue of The Manitoulin Expositor, ‘Cybersecurity expert offers computer advice.’