
How to Make It Harder for Malware to Shut You Down

The ransomware screen that popped up on KQED computers on June 15, 2017. (KQED)

For 18 days before the ransomware attack actually commenced, the implanted malware sat dormant in KQED’s computer system. It was probably sniffing out usernames and associated passwords—plus the systems each unlocked. Eventually, the malware got hold of an account with the ability to enter anywhere and do anything, called a domain admin account.

That allowed the malware to propagate throughout the network, infecting machines, locking up files and informing staff members via desktop messages that they were now official ransomware victims.

You can limit how far a malware infection spreads by managing how accounts and systems are organized in Active Directory, the Microsoft networking tool that stores accounts, the systems each account is allowed to access and the level of access each account is afforded.

KQED's problem was that many of our systems were grouped together in Active Directory, under what’s called a domain. The reason for this is convenience: When different systems are part of a single domain, people can use the same user ID and password for each. So someone logging onto their computer in the morning could then do work on the audio content management system and financial software, or the audio and video editing software systems, all with the same user ID and password—no need to remember a different set for each.

The downside of this setup is that if intruders get hold of a single high-level account, they can go from system to system, infecting each.


Which brings us to another Active Directory vulnerability: At KQED, too many people had access to the highest-level credentials, allowing them to do pretty much anything on every system within the domain, including ordering every file to be encrypted, which is what happened here. These commander-in-chief accounts—the domain admins—are the keys to the kingdom. And the more people who have them, of course, the greater the chance they will be stolen.

KQED News favors an open workspace for collaboration. While it works IRL, it wasn't such a good idea to structure the company's computer network that way. (Jon Brooks/KQED)

Why would more than one or two people have these credentials? Again, the reason is convenience. If someone needed to do something only a domain admin had the capability to do, he or she could do so without going through the true administrator.

“It’s pretty easy to shoot yourself in the foot operationally like that with Active Directory,” says Jonah Silas Sheridan, a computer security consultant for nonprofit organizations. “It’s really handy to have domain admin rights when you need to administer the domain. But that may be [only] 25 percent of your day.”

These dual vulnerabilities—too many systems grouped together under one domain and too many people with domain admin accounts—open the door for maximum damage.
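One way to measure the second exposure the article describes, how many accounts hold domain-admin-level rights and whether any of them sit unused, is to audit the privileged groups in Active Directory. This is an added example, not KQED's or Microsoft's code; it assumes the RSAT ActiveDirectory PowerShell module is installed, and the limit of three admins and the 90-day staleness window are assumed policy values, not figures from the article.

```powershell
# Added example (not from the KQED article): audit membership of the groups
# that grant domain-admin-level rights, the over-provisioning the article describes.
# Requires the ActiveDirectory RSAT module and read access to group membership.
Import-Module ActiveDirectory

$PrivilegedGroups  = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')
$MaxExpectedAdmins = 3    # assumed policy threshold, not a value from the article
$StaleDays         = 90   # assumed window after which an unused admin account is flagged

$Report = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups, so indirect members are counted as well.
    $Members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($Member in $Members) {
        $User = Get-ADUser -Identity $Member.distinguishedName `
            -Properties LastLogonDate, PasswordLastSet, Enabled
        [pscustomobject]@{
            Group           = $Group
            SamAccountName  = $User.SamAccountName
            Enabled         = $User.Enabled
            LastLogonDate   = $User.LastLogonDate
            PasswordLastSet = $User.PasswordLastSet
            # A privileged account nobody has logged on with for months is standing risk.
            Stale           = ($null -eq $User.LastLogonDate) -or
                              ($User.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays))
        }
    }
}

# Full listing: who holds which privileged group, and whether the account looks stale.
$Report | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Warn on any group whose distinct membership exceeds the assumed threshold.
$Report | Group-Object Group | ForEach-Object {
    $Count = ($_.Group | Select-Object -ExpandProperty SamAccountName -Unique).Count
    if ($Count -gt $MaxExpectedAdmins) {
        Write-Warning ("{0}: {1} distinct accounts are members (policy allows {2})" -f
            $_.Name, $Count, $MaxExpectedAdmins)
    }
}

# Separately list enabled, stale privileged accounts: candidates for removal or review.
$Report | Where-Object { $_.Enabled -and $_.Stale } |
    Select-Object Group, SamAccountName, LastLogonDate | Format-Table -AutoSize
```

Run it from a domain-joined workstation with the RSAT tools; anything the warning flags is a membership list to shrink, and any enabled account in the stale list is one that could be stolen without anyone noticing it is gone.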

And any system not grouped under the same Active Directory domain, whether it was TV broadcasting on its own in-house network or web publishing in the cloud, remained blissfully unaffected throughout the attack.
