The Dxh26wam Case Study, or why Dropbox is not a proper Backup Solution

If you could take a look into the security playbook of most large companies in the world, it would probably say that in case of a serious infection, say ransomware, the first thing you should do is contain the problem – disconnect the machine so the infection doesn’t spread, and rush it over to the experts, who will do a forensic analysis to figure out what happened: when, how, why and hopefully who was behind the attack. The user, in most cases, will quickly get a replacement machine and will forget all about the incident. The operations of the company as a whole will not be disrupted¹. This is how it works for large companies, but when it happens in smaller ones, the story is completely different.

One April morning we got an urgent call from one of our clients, telling us that one of their computers had a “very scary” notification on the screen, and that the employee using that computer could no longer work.


Fortunately, no other computers were infected, but in a small company (5 members of staff altogether), this infection still caused a serious disruption to their work. As the infected computer was out of commission and all local documents were encrypted, the employee was unable to work, meaning that 20% of the workforce was out of action. In this type of company there is no such thing as a temporary replacement computer – the cost of maintaining a “spare” just isn’t justified. The only way to allow the person with the infected computer to go back to work was to clean the infection from the workstation.

And so we did.

That was the easy part.

As this is a small team, they collaborate via a shared Dropbox, and what do you know – their entire Dropbox content was also encrypted. This means that effectively, the team lost access to all their previous work, contracts, billing information, etc. This didn’t stop them from working, but it created significant hurdles.

Now, some of you might be thinking – what’s the problem? Dropbox keeps previous versions of all files, and the client could have just rolled back the encrypted files. The big problem, as it turned out, was that manually restoring the versions of almost 20,000 files is not really feasible. That’s when we turned to Dropbox for help. We opened a case with Dropbox support, and at the beginning they were very helpful and responsive. We pinpointed the exact moment in time to which we wanted to roll back the encrypted folder and all its contents, and they agreed to do it within several hours. We waited. And then we waited some more.

In fact, we waited more than 48 hours before the change was made. 48 hours in which the entire team had no access to their data.

It’s extremely important to remember: Dropbox is a collaboration tool – not a backup tool. You can use it for backup, but at the moment of truth, you might find it will fail you.

In the meantime, we started investigating the source of the infection. We had a guess, which turned out to be right, that the kill-chain began with a malicious email. It wasn’t clairvoyance on our part. At least 60% of all ransomware infections come in through email, with some researchers putting that number as high as 80%. We interviewed the employee whose workstation was infected, and asked them to think back to whether any suspicious emails had arrived during the very specific time-frame we deduced from the time-stamps of the encrypted files. We asked if they remembered any weird links or attachments. They quickly remembered a weird email containing the CV of a candidate, asking if they were hiring. They told us that they get this type of email all the time, and so they were not suspicious. What was weird, they said, was that when they tried to open the CV, it wouldn’t load. They quickly forgot all about it, until we started asking questions. Looking at the email, though, it was clear that they should definitely have been suspicious.
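One way to derive that time-frame from the file time-stamps, as an added example that is not part of the original post: ransomware rewrites hundreds of files within minutes, so when the last-modified times of the encrypted files are sorted, the encryption shows up as one dense burst against a sparse background of ordinary edits. The sample records below are constructed (paths, dates and the year are hypothetical), and the gap threshold and 24-hour mail lookback are assumptions to tune per case. Modification times come from the synced copies and can be altered, so treat the window as a lead for the interview, not as proof.

```python
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: (path, last-modified time) as exported from the
# encrypted share. Hypothetical values, not data from the incident.
SAMPLE_MTIMES = [
    ("billing/march-invoices.xlsx",  "2018-04-10 09:12:00"),  # ordinary edit, days before
    ("contracts/supplier-2017.docx", "2018-04-12 16:40:31"),  # ordinary edit
    ("contracts/acme.docx",          "2018-04-16 10:03:12"),  # burst begins
    ("contracts/beta.docx",          "2018-04-16 10:03:14"),
    ("billing/april-invoices.xlsx",  "2018-04-16 10:03:19"),
    ("shared/team-notes.txt",        "2018-04-16 10:04:02"),
    ("shared/logo.png",              "2018-04-16 10:04:30"),  # burst ends
    ("shared/meeting.docx",          "2018-04-16 15:22:10"),  # edited after clean-up
]


def modification_clusters(times, max_gap):
    """Split timestamps into runs in which consecutive entries are at most
    max_gap apart. Each run is a candidate 'event'; the longest run is the
    mass-encryption burst."""
    times = sorted(times)
    if not times:
        return []
    clusters = [[times[0]]]
    for t in times[1:]:
        if t - clusters[-1][-1] > max_gap:
            clusters.append([t])          # gap too large: start a new run
        else:
            clusters[-1].append(t)
    return clusters


def encryption_window(records, max_gap=timedelta(minutes=10)):
    """Return (first, last, count) of the densest modification burst."""
    times = [datetime.strptime(ts, TS_FORMAT) for _, ts in records]
    burst = max(modification_clusters(times, max_gap), key=len)
    return burst[0], burst[-1], len(burst)


def email_search_window(burst_start, lookback=timedelta(hours=24)):
    """The mailbox interval to review: the malicious email must have arrived
    before the first file was rewritten; 24 h lookback is an assumption."""
    return burst_start - lookback, burst_start


if __name__ == "__main__":
    start, end, n = encryption_window(SAMPLE_MTIMES)
    print(f"{n} files rewritten between {start} and {end}")
    lo, hi = email_search_window(start)
    print(f"review mail received between {lo} and {hi}")
```

With the constructed sample, the burst is the five files rewritten between 10:03:12 and 10:04:30; the two earlier edits and the afternoon edit fall outside the ten-minute gap and are left out, which is the point of clustering rather than simply taking min and max of all timestamps.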

The first thing that stood out as suspicious was the fact that the CV was sent inside a zip file and not as a simple Word document or PDF. The second red flag was that this zip file was password protected, with the password (123456) given in the body of the email. This is not usual behaviour for candidates, and so the email should have been treated with care. There were other signs, of course, but those were the obvious ones.
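The two red flags above can be checked mechanically at the mail gateway or in a triage script. The following is an added example, not code from the original post: it builds a constructed sample email (addresses, subject and zip member are hypothetical) carrying a zip attachment whose "encrypted" flag bit is set, and a benign comparison with a PDF, then flags archive attachments, archives marked as password protected, and a password handed over in the message body. Because the standard library cannot write encrypted archives, the sample sets the flag bit in a plain archive, which is sufficient for the flag check.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List

# Phrases such as "password is 123456" or "password: 123456" in the body.
PASSWORD_IN_BODY = re.compile(r"\bpassword\b\s*(?:is|:)?\s*(\S+)", re.IGNORECASE)


def make_encrypted_zip_sample() -> bytes:
    """Constructed archive with bit 0 ('encrypted') of the general-purpose
    flag set in both the local header and the central directory. The member
    data stays in clear; only the flag matters for the check below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cv.txt", "constructed placeholder; the real member is unknown\n")
    data = bytearray(buf.getvalue())
    data[6] |= 0x01                    # local file header: flags at offset 6
    cd = data.find(b"PK\x01\x02")      # central directory header signature
    data[cd + 8] |= 0x01               # central directory: flags at offset 8
    return bytes(data)


def make_sample_email(attachment: bytes, filename: str, subtype: str, body: str) -> bytes:
    msg = EmailMessage()
    msg["From"] = "candidate@example.invalid"   # constructed addresses
    msg["To"] = "jobs@example.invalid"
    msg["Subject"] = "Application: CV attached"
    msg.set_content(body)
    msg.add_attachment(attachment, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


PHISH_SAMPLE = make_sample_email(
    make_encrypted_zip_sample(), "CV.zip", "zip",
    "Hello, are you hiring? My CV is attached. The password is 123456.")
BENIGN_SAMPLE = make_sample_email(
    b"%PDF-1.4 constructed placeholder", "CV.pdf", "pdf",
    "Hello, please find my CV attached.")


def triage_email(raw: bytes) -> List[str]:
    """Return the red flags found in one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    body_has_password = PASSWORD_IN_BODY.search(body) is not None
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not (name.lower().endswith(".zip") or part.get_content_type() == "application/zip"):
            continue
        findings.append(f"archive attachment: {name}")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                encrypted = any(info.flag_bits & 0x01 for info in zf.infolist())
        except zipfile.BadZipFile:
            findings.append(f"malformed archive: {name}")
            continue
        if encrypted:
            findings.append(f"password-protected archive: {name}")
            if body_has_password:
                findings.append("archive password supplied in the message body")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage_email(sample))
```

Member names and the encryption flag are readable without the password, which is why this check works even though the content cannot be scanned; a gateway that cannot inspect an attachment is exactly the situation the password-in-body trick is designed to create, so the combination of the two findings deserves a higher score than either alone.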

The email was sent to a group account, and so it was pure chance that the computers of other staff members were not infected.

The client, on their part, wanted to understand why the antivirus we installed for them didn’t stop the infection, and whether they should invest in a better one. The answer was simple. We ran the infected file through VirusTotal, a website that allows you to run a file through over 50 commercial antivirus solutions at once. At the time, more than 80% of the solutions failed to recognise Dxh26wam as malicious. Every day new malware is coming out, and antivirus and other anti-malware solutions just can’t keep up. There are solutions out there that can definitely reduce the chance of infection, but they are well outside the budget of an SME. For them, the best, and sometimes only, line of defence is education. If the staff member had been taught how to identify a phishing email, they would not have downloaded and opened the zip file. If the staff member had been instructed, and rewarded, for notifying their superiors of any suspicious behaviour, we might have been able to stop the infection from spreading to the Dropbox. If staff members in general had been taught not to give passwords to strangers, not to pick up random USB keys from the street and plug them into their computers, and to recognise any of the myriad social engineering scenarios a security professional can conjure, a lot of security incidents could have been avoided.

In the end, all ended (mostly) well. Dropbox successfully restored all the files. The files that were saved only locally on the staff member’s computer were lost, but they were few and not significantly important. They will never again make the mistake of saving essential information only locally. Hopefully, with our help and guidance, next time they will be better prepared to spot these kinds of threats and stop the infection before it even begins.

  1. I’m not talking, of course, about massive infections like the case of WannaCry and Renault, where the company had to completely shut down its assembly lines for several days, but about the more frequent, isolated infections.