Kick Ransomware To The Curb

This text will be justified
John Finley– president of his 40-year home improvement business. Send me this chilling text message on November 20, 2020 – one week before Thanksgiving.

“Are you aware of what’s going on at my office? Am I just worried about them getting Dave’s paycheck or did she give access to Company Accounts?

Somebody needs to let me know what’s going on”

One of John’s employees, was on vacation enjoying a pre-holiday week with his family and ‘Dan’ send an email to John asking to change his direct deposit information. John thought nothing of it and honored the request and changes were made.

The day Dan comes back, catches up with John and says I didn’t get paid yet. Now, John has a few problems.

1 – Where did the $1,256 go and can he get it back?
2 – Are his company accounts compromised?
3 – Could this happen again?

Still Under Attack
After John’s text message, I reached out and listened to John vent until he returned to a normal shade of maroon red. One of his biggest screaming points, which was really valid – why do we pay for antivirus if we are still under attack.

He sounded shaken – he’s had people coach him about finance, HR, marketing and sales – but he had never experienced a loss of money from anything IT. John and I discussed the couple of ways this could have happened – but he made one thing very clear, this can’t happen again. I assured him that we can do a few things to protect the business, his data and his people from making mistakes.

Everywhere, Crapware – I’m done!
The plan was to identify all of the apps and websites and programs that are used by Finley Industries, and block everything else. This allows us to prevent any malware, ransomware, adware, viruses, keyloggers, or any other kind of crapware to ever run on any of their computers ever again – thus reducing the attack surface and saving future paychecks, the bank accounts John was concerned about – but mostly, reducing the risk that this can ever happen again.

John was in. He also liked that I called it crapware – he used language that was a bit more blue. We were able to produce a list of applications and websites – and then blocked everything else.

Over the next two weeks, our team followed up whenever someone needed to run a program that was not on the original list. 99% of them were valid programs and websites, and John approved them. 1% of the programs were not – we found 2 pieces of crapware.

While John didn’t get his $1,256 back – he loved feeling that ransomware was behind him and he can focus on the next thing that made his blood boil – which, thankfully, wasn’t an IT issue.


Here is the Plan that John rolled out:

1 – Installed Now IT Works ThreatStorage. Even though antivirus was running, it was reactive.  Now the ThreatStorage installed on all Windows computers and servers, the tool inventoried every piece of software that was running on the computers.

2 – Activated ThreatStorage. After 1 week of listening and learning, we had the majority of applications that were correct. Then we activated the software – from this point on, any new program that tried to run was immediately logged and a pop-up appeared on that user’s computer asking them for next steps. In most cases, the person would click “Inquire with NIW Support” – which would send an email to the Now IT Works Security team for review. If it was legit, it was allowed.

3 – Turned on Multi-Factor Authentication. Microsoft Office 365 was the primary culprit, in John’s situation – and in many cases of ransomware, viruses, email hacking and phishing. We locked this down for John and the entire team at Finley.

3a – As a point of interest, John asked where else he should enable MFA. We discussed everywhere – but he ultimately turned it on for Office 365, Salesforce and the VPN connection at his office. The biggest locations of where John’s client and financial data is.


Prevent Ransomware from Running On Your Systems Once and For All