September 7th, 2021, is a day I’ll never forget. It was the day after Labor Day, my daughter’s first day of Grade 9. As we were sitting at the bus stop with her in our car, I received a text message from a friend of mine: “Hey, just a heads up, our website is down.” Concerned, I opened the website on my phone, which showed nothing but a blank, white screen. “That’s strange,” I thought. On the rare occasion that a website has an issue, there is usually some sort of error message to accompany it. I said to my wife, “I need to get home to see what’s up.”
Upon logging into one of Radiant’s web servers, I was greeted by an automated message from someone who had compromised the server and was demanding money. I momentarily sat there in disbelief.
As we all know, these types of events are all too common these days. We think, “That happened to someone else, but it certainly won’t happen to me.” Well, guess what? It can. Numerous high-profile organizations have been in the news over ransomware attacks, and believe me when I say: every single one of these organizations thought they would be fine.
For those who are familiar with Radiant, you know that we take security very seriously. We manage our own secure private cloud and host only websites that operate on our proprietary platform — Radiant WebTools. So, when a client comes to us asking to put their existing website and all of their code on our servers, our answer is simply “No.” We do this not out of greed or hubris, but because we’ve seen far too many ministries and businesses suffer because their codebase includes numerous unmaintained and abandoned third-party plugins ripe for exploitation. Adding that code to our servers would require an evaluation and maintenance process, which would take more time and effort than the perceived value of getting it live. It would also put yet more old, unsecured and unmaintained code online, the kind that can unfortunately be found on many websites of unsuspecting clients hosted on WordPress and many other custom platforms throughout the internet.
Anyways, back to September 7th. Upon determining that some of our web servers had been breached, our security team went into action. We started by locking down the entire network and assessing the situation. We combed through logs to determine the extent of the breach and narrowed down the affected servers. Once we determined the likely entry point the threat actor used to gain access to our system, we updated our codebase, changed all the credentials, tightened up our firewall, and restored the data from one of our secure backups. We then had one of our government-credentialed security consultants run penetration tests on our servers, which came back clean. By the end of the day, we were operational. Did we ever contact the perpetrator? Absolutely not.
Throughout the process, we kept our clients up to date through social media, and when it was all said and done, this is the number of customer complaints we received: Zero.
Am I implying that people weren’t concerned about their websites or that we didn’t have some hiccups when it came to getting absolutely everything up and running? Definitely not! Websites went down, and customers were concerned. But we were prepared because we had a plan that had been put in place years prior to this event. And because we overcommunicated throughout the entire process, our customers knew we had their backs. And most of all, as a company that operates with the complete understanding that God is the head of our company – that He alone is sovereign over all – He gave us the peace, mercy, and wisdom to get through it.
I have been going through the nightmare of working with [company name removed] customer support and tech support for the last three days. When I say nightmare, I am being kind. Your email makes me wish that a company like yours ran [company name removed] — a pipe dream, of course. Even though this shutdown hasn’t affected us other than the brief time offline, your updates and emails have been a blessing to read. You have done a great job making your customers feel cared for and respected. Thank you.
Your prompt and comprehensive action, combined with your detailed follow-up, give us a continued confidence in the care you take to protect our website and those of all your customers.
Thanks, guys. I appreciate all your hard work this past week. God bless you.
You guys are awesome! May God continue to give you wisdom and strategies to overcome.
Again, to God be the glory.
As it relates to your organization, I would challenge you to think about your plan when it comes to ransomware protection. With that in mind, I’d like to offer 12 suggestions to help you in your thought process. This isn’t an extensive list, but it should provide you with a good start.
1. Create a plan.
What steps would you take in the event of a ransomware attack? What would each team member’s role be? Who would be in charge?
2. Identify what data is critical to your organization.
What data could you not afford to lose? What data needs to be protected? If it’s sensitive data, have a plan to encrypt it. And don’t leave the encryption keys sitting on one of your vulnerable computers.
3. Patch your software.
Make sure your computer software is up to date, especially when it comes to critical patches and patches that address zero-day threats.
4. Backup. Backup. Backup.
One of the main reasons we were able to recover from our attack so quickly is that we keep multiple backups in different locations. We also keep offline backups to cover the worst-case scenario, where a ransomware perpetrator gains access to your online backups and encrypts them without you even realizing it. Backups that are disconnected from the internet can’t be reached that way, so they protect you even further.
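As an added illustration of the “encrypted without you realizing it” failure mode (this is example code, not Radiant’s own tooling): a hash manifest, kept with the offline copy or on a separate host, reveals backup files whose contents have changed or gone missing long before you need to restore from them. The file names, contents and directory layout below are constructed for the example.

```python
"""Detect silent tampering of backup copies with a SHA-256 manifest.

Added example, not Radiant's code. It assumes a backup directory whose files
are written once and never legitimately modified, so a changed digest or a
missing file is a red flag. The manifest must be stored where the backups'
intruder cannot rewrite it (the offline copy, or a separate host).
"""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large archives don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> dict[str, str]:
    """Map each file's path (relative to the backup root) to its digest."""
    manifest: dict[str, str] = {}
    for path in sorted(backup_dir.rglob("*")):
        if path.is_file():
            manifest[str(path.relative_to(backup_dir))] = sha256_file(path)
    return manifest


def compare_manifests(expected: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between the trusted manifest and the live directory."""
    modified = sorted(p for p, d in expected.items() if p in current and current[p] != d)
    missing = sorted(p for p in expected if p not in current)
    unexpected = sorted(p for p in current if p not in expected)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def verify_backups(backup_dir: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Re-hash the directory and report anything that no longer matches the manifest."""
    return compare_manifests(manifest, build_manifest(backup_dir))


def demo() -> dict[str, list[str]]:
    """Constructed scenario: record a manifest, then simulate one archive being
    overwritten with ciphertext-like bytes, one deleted, and a note dropped in."""
    with tempfile.TemporaryDirectory() as tmp:
        backup_dir = Path(tmp)
        (backup_dir / "site-db.sql.gz").write_bytes(b"constructed database dump")
        (backup_dir / "uploads.tar").write_bytes(b"constructed uploads archive")
        (backup_dir / "config.tar").write_bytes(b"constructed config archive")
        manifest = build_manifest(backup_dir)  # taken while the copy is known-good

        # Simulated tampering of the online copy (constructed, in a temp dir).
        (backup_dir / "site-db.sql.gz").write_bytes(os.urandom(64))
        (backup_dir / "uploads.tar").unlink()
        (backup_dir / "READ_ME.txt").write_bytes(b"constructed ransom note")

        return verify_backups(backup_dir, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the manifest build right after each backup job completes and the verification on a schedule; an empty report is the expected result, and any entry under modified, missing or unexpected is worth a human look before the next backup overwrites the evidence.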
5. Prepare for social engineering attacks.
These are the sneakiest attacks of them all, where a perpetrator is able to convince one of your staff members to hand over sensitive data. Train your staff on social engineering tactics, including phishing scams.
6. Protect your passwords.
If you’re still using the same simple password on multiple websites, you need to stop reading right now and change your passwords. Every website that you access should have a different password. Why? Because if one of the websites you use gets hacked, the attackers now have the common password you use on multiple websites. There are dozens of different password managers you can use to keep your passwords and sensitive information safe. Personally speaking, we suggest BitWarden or 1Password.
7. Keep virus and malware protection up to date.
This one is pretty self-explanatory. You can also install endpoint security tools that can help keep an eye out for potential threats and ransomware activity.
8. Determine who needs access to what.
If not everyone needs access to certain information, don’t grant it. By limiting access to sensitive data, you mitigate risk. At Radiant, we’ve even implemented unique credentials for each of our servers (essentially a zero-trust network) so that, in the unforeseen event that one of our computers is compromised, the perpetrator can’t gain access to the rest of the network. If you don’t do this and a hacker gains access to a single computer on your network, they ultimately gain access to every networked device that uses those same credentials. Carefully weigh the balance between convenience (keeping your credentials the same across multiple devices) and risk management. (Note: If your network administrator runs Windows Active Directory to manage users and resources, there are other ways to mitigate risk, primarily through network segmentation techniques.)
9. Use multi-factor authentication on services that offer it.
Yes, it can be annoying to have to receive a text message or an email asking you to type in a security code, but it’s worth it. Many services also offer authenticator apps, which can be helpful, especially if you’re someone who likes to travel and use different SIM cards. On that note, ensure your email password is very strong (long and difficult to crack). If a perpetrator can access your email, they can use it to reset your other passwords. Protect your email!
10. Enable external logging and tracking on your sensitive computers.
If someone were to gain access to one of your computers, your computer would likely add a record to something called an Event Log. This log file resides on the computer and tracks activity (user logins, system events, error messages, etc.). Guess what the perpetrator will do when they are ready to attack your system/network fully? You got it — delete the event log(s), especially the entries that could offer clues as to who they are or how they gained access. To monitor for suspicious activity, you should hire a professional security consultant to:
- install secure monitoring software that will externally log any logins and file changes; and
- monitor the activity regularly.
Radiant can help with this.
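As an added example of what the external copy of the logs lets you catch (example code, not Radiant’s monitoring service): two checks run over event records forwarded to a separate collector, one for the events Windows records when a log is cleared (Event ID 1102 for the Security log, 104 for the System log) and one for a host that simply stops reporting, which is what a wiped local log or a stopped forwarder looks like from the outside. The JSON field names, host names, accounts and log lines are constructed for the example.

```python
"""Spot log tampering from a copy of the logs the intruder cannot reach.

Added example, not Radiant's software. Assumes each machine forwards its
event log to a separate collector as one JSON object per line with the
constructed fields ts/host/channel/event_id/user. The "log cleared" events
are real Windows IDs (Security 1102, System 104); the silence threshold is
an assumed tuning value.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

LOG_CLEARED_EVENTS = {
    ("Security", 1102): "Security log cleared",
    ("System", 104): "System log cleared",
}

# Constructed sample of forwarded events (not real telemetry).
SAMPLE_EVENTS = """\
{"ts": "2021-01-01T06:55:02Z", "host": "web-01", "channel": "Security", "event_id": 4624, "user": "account-a"}
{"ts": "2021-01-01T06:55:40Z", "host": "web-01", "channel": "Security", "event_id": 4672, "user": "account-a"}
{"ts": "2021-01-01T06:58:11Z", "host": "web-01", "channel": "Security", "event_id": 1102, "user": "account-a"}
{"ts": "2021-01-01T06:58:12Z", "host": "web-01", "channel": "System", "event_id": 104, "user": "account-a"}
{"ts": "2021-01-01T06:59:00Z", "host": "web-02", "channel": "Security", "event_id": 4624, "user": "account-b"}
{"ts": "2021-01-01T07:30:00Z", "host": "web-02", "channel": "System", "event_id": 7036, "user": "SYSTEM"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines into records with a datetime timestamp; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        record["ts"] = datetime.strptime(record["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(record)
    return events


def find_log_clears(events: list[dict]) -> list[str]:
    """Return one alert per event that records a log being cleared.

    The local copy of that log may be gone, but the forwarded entry (and
    the account that did it) survives on the collector."""
    alerts = []
    for e in events:
        label = LOG_CLEARED_EVENTS.get((e["channel"], e["event_id"]))
        if label:
            alerts.append(f"{e['ts'].isoformat()} {e['host']}: {label} by {e['user']}")
    return alerts


def find_silent_hosts(events: list[dict], now: datetime,
                      max_silence: timedelta = timedelta(minutes=15)) -> list[str]:
    """Return hosts whose most recent forwarded event is older than max_silence."""
    last_seen: dict[str, datetime] = {}
    for e in events:
        last_seen[e["host"]] = max(last_seen.get(e["host"], e["ts"]), e["ts"])
    return sorted(h for h, seen in last_seen.items() if now - seen > max_silence)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("log-clear alerts:", *find_log_clears(evts), sep="\n  ")
    print("silent hosts:", find_silent_hosts(evts, now=datetime(2021, 1, 1, 7, 40)))
```

Both checks only work because the collector is a separate machine with its own credentials (see tip 8): if the intruder can reach the collector with the same account they used on the web server, they can clear that copy too.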
11. Make sure your website is protected.
Most of the tips I’ve offered so far are associated with your internal network(s). As it relates to your website (and attached databases), make sure you are confident in your website provider and their code. Do you trust the developers who created your website? Are you familiar with all of the third-party plugins that they’ve installed, and do you have any concerns about the origin of that code? Shameless plug: If you’re interested in learning more about our enterprise-level website management solution, built by a security-conscious group of experts who care about the Gospel, consider Radiant WebTools. Oh, and by the way, it’s been around for longer than WordPress.
12. Test your plan to make sure it works.
There are many teams and tools out there that can do vulnerability scans on your network and “fake an attack.” By regularly testing all aspects of your plan, you’ll be far more prepared if something were to happen.
I hope these tips have been helpful. We see these types of attacks happen all the time, and they can happen to anyone. By having a plan in place, you’ll be in a position to make logical, practical decisions and save yourself a great deal of heartache. Plan now or pay later; it’s your choice.