Payroll Provider Gives Extortionists a Payday – Krebs on Security




Payroll software provider Apex Human Capital Management suffered a ransomware attack this week that disrupted payroll services for hundreds of the company's customers for nearly three days. Faced with the threat of a prolonged outage, Apex chose to pay the ransom demand and begin the process of restoring service to customers.

Apex HCM, based in Roswell, Georgia, is a cloud-based payroll software company serving some 350 payroll service bureaus, which in turn provide payroll services to small and mid-sized businesses. At around 4 a.m. on Tuesday, Feb. 19, Apex was alerted that its computer systems had been infected with a destructive strain of ransomware, malware that encrypts computer files and demands payment for a digital key needed to unscramble the data.

The company quickly took all of its systems offline and began notifying customers that it was working to address a security threat. In a series of updates posted roughly every two hours, Apex kept estimating that it expected to restore service within a few hours, only to push those estimates back with nearly every new customer update.

After being contacted Wednesday by an Apex customer who feared he would not be able to run this week's payroll for his own clients, KrebsOnSecurity asked Apex for comment. Ian Oxman said the ransomware never touched customer data, but that it encrypted and disrupted everything in the company's IT systems and in its off-site disaster recovery systems.

"We had just completed a fairly sophisticated offsite disaster recovery plan that mirrored our live system," said Oxman. "But when the ransomware bomb exploded, not only did it go through and infect our own network, but it was immediately detected on our disaster recovery site, rendering the switchover to this site unusable."

Oxman said Apex had hired two outside security firms, and that by Feb. 20 the consensus was that paying the ransom was the fastest way to get back online. The company declined to say how much it paid or which ransomware strain was behind the attack.

"We paid the ransom, and it was bad," said Oxman. "Out of respect for our customers who needed to start their business, this would obviously be the fastest way."

Unfortunately for Apex, paying did not completely solve its problems. Oxman said the decryption key handed over after the ransom was paid did not work exactly as promised. Rather than restoring all files and folders to their pre-encrypted state, the decryption process broke countless file directories and rendered many executable files unusable, causing still more delays.

"When they encrypt the data, it happens very quickly," he said. "When they gave us the keys to decipher it, things did not go as neatly."

ACA OnDemand, one of Apex's legacy business units, remains offline, but the company is now offering to move customers off that platform onto its newer (and more expensive) software-as-a-service systems and to train those customers to use them.

Experts say attacks like the one against Apex HCM take place around the world every day and have become a multi-billion-dollar market for cyber thieves. Professional services firms make up the largest group of victims, according to a study by NTT Security.

Among ransomware victims, perhaps the hardest hit are companies that offer cloud data hosting and software as a service, because such firms are completely unable to serve their customers while a ransomware infestation is active.

The FBI and several security firms have advised victims not to pay ransoms, since paying only encourages the attackers and in any case does not guarantee working access to the encrypted files.

In practice, however, many cybersecurity firms are quietly telling their customers that paying is the fastest way back to the status quo. It's not hard to understand why: losing or leaking customer data can be a death knell for a cloud-based business, but being down for more than a few days can often be just as devastating. As a result, the temptation to simply pay grows stronger with each passing day, even if the only thing being ransomed is a set of desktops and servers.

On Christmas Eve 2018, cloud data hosting company Dataresolution.net was hit by the Ryuk strain of ransomware. More than a week later, on Jan. 2, 2019, this blog reported that the company, which had chosen not to pay the ransom and to restore everything from backups instead, was still struggling to bring its systems back online.

A Dataresolution.net customer said the company did not manage to rebuild his server or restore the database his company kept there until Jan. 9, 16 days after the ransomware outbreak.

"From what I understood, it still took two weeks for all the clients to be rebuilt," said the customer, who works as an IT manager at a benefits management company that was using Dataresolution.net and is now leaving the provider. "The supplier has never provided an analysis of how this happened and how it would prevent it. Apart from different antiviruses and not allowing RDP connections to the Internet, they do not seem to have implemented additional protection. They have not proactively offered any compensation for the outage. I am in the process of documenting the financial impact on businesses to request a 'credit' at the same time as planning the installation of the system internally."

For its part, Apex is still trying to determine how the ransomware got into its systems.

"This is where the forensic analysis is still going," Oxman said. "For us, the emergency response team literally worked 48 hours in a row to get our systems up and running. It also has the secondary purpose of understanding what has happened and how to prevent it from happening again. We had just completed a security audit and we felt very good. Obviously, these hackers have found a way to get in, but I'm sure each of these companies feels affected."

Here are some tips for preventing and dealing with ransomware attacks:

-Patch early and often: Many ransomware attacks exploit known security vulnerabilities in servers and desktops.

-Disable RDP: Short for Remote Desktop Protocol, this Windows feature allows a system to be administered remotely over the Internet. A ridiculous number of organizations, especially healthcare providers, fall victim to ransomware because they leave RDP exposed to the Internet and secured only with easy-to-guess passwords. And there are a number of criminal services that sell access to RDP installations whose credentials have been brute-forced.

-Filter all email: Invest in security systems that can block executable files at the email gateway.

-Isolate mission-critical systems and data: This can be harder than it sounds. It may be worth engaging a competent security firm to make sure it is done right.

-Back up files and databases: Keep in mind that ransomware can encrypt any networked or cloud-mapped files or folders to which a drive letter has been assigned. Backing up to a secondary system that has no drive letter assigned, or that is disconnected whenever a backup is not running, is essential. The old "3-2-1" backup rule applies here: whenever possible, keep three copies of your data, on two different types of storage, with at least one copy off-site.

-Disable macros in Microsoft Office: Block external content in Office files. Educate users that ransomware very often succeeds only when a user opens an emailed Office attachment and manually enables macros.

-Enable controlled folder access: Create rules that prevent executable files from running on Windows out of local user profile folders (AppData, Local AppData, ProgramData, Temp, etc.).
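As an added example (not code from the original post, nor anything Apex or Dataresolution.net published), the PowerShell script below audits a single Windows host against the RDP, controlled-folder-access, macro and profile-folder items in the list above. It is read-only: it reports findings and changes nothing. The Office 16.0 policy registry paths, the VBAWarnings and blockcontentexecutionfrominternet value names, and the use of AppLocker as the mechanism for blocking execution from profile folders are my assumptions about what a practitioner would check, not details from the article.

```powershell
# Added example, not from the original post: read-only audit of one Windows host against the
# ransomware checklist above. Assumptions (mine, not the article's): Office 16.0 policy paths and
# value names, and AppLocker as the control for blocking execution from profile folders.
# Run in an elevated PowerShell 5.1+ session.

$findings = @()

# 1. RDP: fDenyTSConnections = 1 means RDP is off; UserAuthentication = 1 means NLA is required.
$tsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsPath -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings += 'RDP is enabled (fDenyTSConnections = 0). Disable it, or reach it only through a VPN or jump host.'
    $rdpTcp = Get-ItemProperty -Path "$tsPath\WinStations\RDP-Tcp" -ErrorAction SilentlyContinue
    if (-not $rdpTcp -or $rdpTcp.UserAuthentication -ne 1) {
        $findings += 'RDP does not require Network Level Authentication (UserAuthentication != 1).'
    }
}

# Anything listening on 3389 on a non-loopback address is reachable from the network.
$listeners = Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') }
if ($listeners) {
    $addrs = ($listeners | ForEach-Object { $_.LocalAddress } | Sort-Object -Unique) -join ', '
    $findings += "Port 3389 is listening on: ${addrs}. Confirm the perimeter firewall blocks it from the Internet."
}

# 2. Controlled folder access (Windows Defender): 1 = Enabled, 2 = Audit mode, 0 = Disabled.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if (-not $mp -or $mp.EnableControlledFolderAccess -ne 1) {
    $mode = if ($mp) { $mp.EnableControlledFolderAccess } else { 'unknown' }
    $findings += "Controlled folder access is not enforced (EnableControlledFolderAccess = ${mode})."
}

# 3. Office macros, per application. VBAWarnings 4 = disable all macros without notification;
#    blockcontentexecutionfrominternet 1 = block macros in files that carry the Mark of the Web.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" -ErrorAction SilentlyContinue
    if (-not $sec -or $sec.VBAWarnings -ne 4) {
        $findings += "${app}: macros are not disabled by policy (VBAWarnings should be 4)."
    }
    if (-not $sec -or $sec.blockcontentexecutionfrominternet -ne 1) {
        $findings += "${app}: macros in Internet-sourced files are not blocked (blockcontentexecutionfrominternet should be 1)."
    }
}

# 4. Execution from profile folders: look for an enforced AppLocker Exe rule collection.
#    This only confirms enforcement is on; review the rules themselves for %APPDATA%, %TEMP%, etc.
$exeRules = $null
$policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
if ($policy) {
    $exeRules = $policy.RuleCollections | Where-Object { $_.RuleCollectionType -eq 'Exe' }
}
if (-not $exeRules -or $exeRules.EnforcementMode -ne 'Enabled') {
    $findings += 'No enforced AppLocker Exe rules. Add deny rules for %APPDATA%, %LOCALAPPDATA%, %ProgramData% and %TEMP%.'
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: RDP disabled, controlled folder access enforced, macro policy set, AppLocker Exe rules enforced.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Each finding maps back to one bullet above, so the output doubles as a remediation list. Note that it checks the per-user (HKCU) Office policy of the account running it; for a fleet, run it under the user context that opens email attachments, or query the equivalent Group Policy settings centrally.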

Sites such as nomoreransom.org distribute free tools and tutorials that can help some ransomware victims recover their files without paying, but these tools often work only against specific versions of a particular ransomware strain.



Tags: ACA OnDemand, Apex HCM, dataresolution.net, Ian Oxman, ransomware

This entry was posted on Saturday, February 23rd, 2019 at 7:16 pm and is filed under Data Breaches.
