Home worker caught by ransomware attack. Employer furious

JimmyVik · 28-05-2021 12:33pm #1

This is a bit of a long story but I will shorten it as best I can. Maybe someone can offer some advice.

Someone I know was working from home, logging into her work network via citrix.
So the shortened version of the story is ..
A hacker has emailed a video to her containing videos and screenshots of very sensitive data that she was working on. She thinks they have been recording this stuff for months based on what she was working on.
They have demanded €5000 to not show it to her employer.

So, good employee that she is, she sent this demand on to her boss and also the videos. She still does not know how they got this stuff (obviously some software that installed on her home pc recording screen and key presses etc), but she has basically been put on leave pending disciplinary action and she is afraid they may go further.

There were other threats from the hackers too that I wont go into here, as they are nothing to do with her job.

Anyone know what she can do here?
Ive told her to have her laptop wiped for a start and start as a fresh one.
But she is more concerned that her employer may fire her or even stop paying her for a while until they let her back to work.
This is obviously going to cost the employer a lot and they have to go to all clients where data may have been compromised and come clean too, so understandably they are pissed, but working in IT myself, I know for a fact that this could happen to anyone at any time, especially when using home equipment.

Oh and her employer wants her personal laptop too to examine. Obviously she has stuff on this she doesnt want her employer (or anyone else) digging into as well.

28-05-2021 12:35pm

I feel like there's more to this.

JimmyVik · 28-05-2021 12:40pm

Deleted User wrote: »

I feel like there's more to this.

There is. But its not for this thread.

Essentially they have threatened to contact everyone she ever moaned about in her emails. And knowing her, that is a lot of people

Probably including myself

Shes more concerned about work though.

I definitely wouldnt be giving my laptop up for forensic examination by my employer.

28-05-2021 12:44pm

JimmyVik wrote: »

There is. But its not for this thread.

Essentially they have threatened to contact everyone she ever moaned about in her emails. And knowing her, that is a lot of people Probably including myself

Shes more concerned about work though.

I definitely wouldnt be giving my laptop up for forensic examination by my employer.

I'd say she should talk to a solicitor who has experience in tech or something.

Tzardine · 28-05-2021 12:45pm

Unless she broke a specific rule of her employment then she has nothing to worry about.

TBH the employer should have provided her with a suitable, secure machine if she is working at home.

If she was working on a personal computer, did they provide security measures for her (antivirus/antimalware/VPN) If not then they can do SFA.

Xterminator · 28-05-2021 12:45pm

looking at it from he employers point of view, she has compromised the employer, and allowed an unquantified amount of data to be obtained by the hacker.

she should do everything in her power to assist the employer quantify the damage and the risks. and that does include allowing a forensic examination of the laptop. I assume your friend is not a forensic computer analyst, so she should allow the employer to get someone who is qualified involved.

she may not have wanted to intertwine her personal data with work data - but that ship sailed already.

Legally as long as she has operated in good faith, she is probably not going to lose her job. thats the good news. Unless she has deliberately circumvented company security policy, she is alos a victim here.

theteal · 28-05-2021 12:47pm

Employer cheaping out and not providing kit. What kind of security and awareness training have the provided?

Citrix is fine for getting secure access for the most part but users home kit cannot be trusted in the slightest. The employer won't be without responsibility here.

Dyr · 28-05-2021 12:49pm

JimmyVik wrote: »

, especially when using home equipment.

.

That will be what hangs her, if she was provided with equipment by her employer and then used her own she's fairly goosed.

JimmyVik · 28-05-2021 12:51pm

Xterminator wrote: »

looking at it from he employers point of view, she has compromised the employer, and allowed an unquantified amount of data to be obtained by the hacker.

she should do everything in her power to assist the employer quantify the damage and the risks. and that does include allowing a forensic examination of the laptop. I assume your friend is not a forensic computer analyst, so she should allow the employer to get someone who is qualified involved.

she may not have wanted to intertwine her personal data with work data - but that ship sailed already.

Legally as long as she has operated in good faith, she is probably not going to lose her job. thats the good news. Unless she has deliberately circumvented company security policy, she is alos a victim here.

To be fair I dont think she did anything differently to what anybody else would do when working from home.
But personally, I would never hand my laptop to anyone, for any reason.
Just think of all the information that could be taken from your laptop about you.

I also think she is safe enough in her job, just dont know how the employer will react if she says they are not getting her laptop.

I think i'll tell her to say she took a sledge hammer to it and it is now in a million pieces at the dump.

1hnr79jr65 · 28-05-2021 12:52pm

I suppose to be able to give any sort of advice, then i would ask the following

1. Is this person using their own computer for work related activities or using a work provided system?
2. If own computer was this approved by company, does she have proof of this, what is the policy?
3. Has anyone else had access to her system?
4. How secure is her home modem?

In relation to work examining her own personal computer, i would be denying access on basis its not work property and also consulting a solicitor on the situation, especially if termination is a possibility.

As for pay, far as i am aware they must pay her while under investigation/suspension however i am open to correction on this.

And she needs to document everything that has happened and going forward.

JimmyVik · 28-05-2021 12:52pm

Bambi wrote: »

That will be what hangs her, if she was provided with equipment by her employer and then used her own she's fairly goosed.

Not provided with company equipment at all. Most people working from home now are not doing so via company equipment.

JimmyVik · 28-05-2021 12:54pm

Sour Lemonz wrote: »

I suppose to be able to give any sort of advice, then i would ask the following

1. Is this person using their own computer for work related activities or using a work provided system?
2. If own computer was this approved by company, does she have proof of this, what is the policy?
3. Has anyone else had access to her system?
4. How secure is her home modem?

In relation to work examining her own personal computer, i would be denying access on basis its not work property and also consulting a solicitor on the situation, especially if termination is a possibility.

As for pay, far as i am aware they must pay her while under investigation/suspension however i am open to correction on this.

And she needs to document everything that has happened and going forward.

Answers

1. Logging from own laptop in via browser and citrix fob to employer network.

2. Nobody was given work equipment to use to work from home.

3. All of her family use the laptop.

4. Home modem is the standard vodafone modem.

Tzardine · 28-05-2021 12:55pm

She should wipe (properly) the laptop and hand it to them for inspection. THB the employer is not interested in her personal info anyway, they are just trying to establish what happened and how exposed they are.

She can then say that she complied with the request to provide it - even though she is unlikely to be obliged to do so.

She can just say that she was advised to wipe the laptop in case the hackers still had access to her personal information.

statto25 · 28-05-2021 12:55pm

JimmyVik wrote: »

Not provided with company equipment at all. Most people working from home now are not doing so via company equipment.

Shes has been working on sensitive customer data on a personal machine? Employer has a lot of responsibility there. I take it if she is using citrix she is accessing a file share or a system located in head office/data centre? Again, allowing a personal machine direct access to any corporate system is madness and a clusterfcuk waiting to happen

clog · 28-05-2021 12:57pm

JimmyVik wrote: »

Not provided with company equipment at all. Most people working from home now are not doing so via company equipment.

Have you any evidence for this statement?

Anyone I know working from home is using work supplied IT equipment.

Mrs OBumble · 28-05-2021 12:57pm

JimmyVik wrote: »

Most people working from home now are not doing so via company equipment.

I do not believed that is correct.

Damien360 · 28-05-2021 12:58pm

JimmyVik wrote: »

Answers

1. Logging from own laptop in via browser and citrix fob to employer network.

2. Nobody was given work equipment to use to work from home.

3. All of her family use the laptop.

4. Home modem is the standard vodafone modem.

Employer hasn’t a leg to stand on. Expecting their corporate network to remain secure while asking/allowing an employee dial in from any old pc is beyond stupid. They should have provided a secure laptop to the employee if they want people to work from home.

Jequ0n · 28-05-2021 12:58pm

JimmyVik wrote: »

Not provided with company equipment at all. Most people working from home now are not doing so via company equipment.

This is the first time I hear of a company not providing tech equipment basics such as a computer.

Tzardine · 28-05-2021 12:59pm

Mrs OBumble wrote: »

I do not believed that is correct.

I think they mean in that particular organisation.

irelandrover · 28-05-2021 1:00pm

clog wrote: »

Have you any evidence for this statement?

Anyone I know working from home is using work supplied IT equipment.

Mrs OBumble wrote: »

I do not believed that is correct.

i assumed he's talking about this company. Not everyone working at home.

statto25 · 28-05-2021 1:00pm

Mrs OBumble wrote: »

I do not believed that is correct.

We allow folks use a personal machine and VPN but only for RDP access to a remote machine. Allowing personal machines direct access across VPN is the same as allowing them bring it into the office and plug it straight into the network. Id believe companies are allowing it though. Many were caught out badly in the first lockdown in terms of having enough equipment and allowed personal machines to be used

1hnr79jr65 · 28-05-2021 1:01pm

JimmyVik wrote: »

Answers

Then i would say that total liability falls to the employer for failure to provide adequate resources to perform her work with customer data integrity in mind. It is likely someone in the family could be playing games or something else which exposed the computer to risk.

I would again go with refusing to hand over the laptop as it is personal property, however as others have stated a full format would be in order and contacting a solicitor about the emails as this could harm her. But do print out any relevant emails and such and have multiple copies before clearing the ssytem.

JimmyVik · 28-05-2021 1:03pm

Tzardine wrote: »

She should wipe (properly) the laptop and hand it to them for inspection. THB the employer is not interested in her personal info anyway, they are just trying to establish what happened and how exposed they are.

She can then say that she complied with the request to provide it - even though she is unlikely to be obliged to do so.

She can just say that she was advised to wipe the laptop in case the hackers still had access to her personal information.

Good plan.
I might put a brand new hard drive in it and take out the original one before she does that. As you say she can say she was advised to wipe.

Or she can just say its her husbands laptop and he says No.

NickNickleby · 28-05-2021 1:03pm

JimmyVik wrote: »

This is a bit of a long story but I will shorten it as best I can. Maybe someone can offer some advice.

.......... but she has basically been put on leave pending disciplinary action and she is afraid they may go further.

There were other threats from the hackers too that I wont go into here, as they are nothing to do with her job.

Anyone know what she can do here?
Ive told her to have her laptop wiped for a start and start as a fresh one.

If its her personal home computer, she can do whatever she wants to it. If its the employer's computer, then she can't wipe it. But she should not connect it to the Internet again until its cleaned up. However:

If its her own personal computer, her employer failed to protect his data. Even if she was given antivirus software, its still a risk and if stuff is THAT important, then the employer should have provided a secure device dedicated only to work.

In the event that the employer has allowed her to connect to the work network using her own computer, she should contact a solicitor immediately with a view to bringing the roof down. Demand immediate reinstatement of her job and pay.

If she was using a work computer, it gets more difficult, but the onus is still on the employer to provide the means to prevent hacking (limited though they are). If the hacking was on a work computer: was it properly protected, was she instructed on what she could do on it (eg no private emails, etc)?

Either way; solicitor immediately. She has been 'charged' with a sackable offence. People in the company are now crapping themselves, determined to blame her for their (possibly) shortcomings.

In case I didn't say it already: Solicitor. Now.

AndrewJRenko · 28-05-2021 1:04pm

Bambi wrote: »

That will be what hangs her, if she was provided with equipment by her employer and then used her own she's fairly goosed.

Why would the employer be providing her with a Citrix account and Citrix access if she's not supposed to be using it?

Lots of exposure for the employer here - not providing equipment, not training staff.

On the question of inspecting her laptop. she could offer to allow it be inspected by an independent expert who guarantees not to compromise her and her family's personal data, rather than handing it over.

Unless the employer happens to have deep expertise on staff, they're not going to be able to do much anyway.

lawred2 · 28-05-2021 1:04pm

clog wrote: »

Have you any evidence for this statement?

Anyone I know working from home is using work supplied IT equipment.

Me for one and all my colleagues

JimmyVik · 28-05-2021 1:06pm

irelandrover wrote: »

i assumed he's talking about this company. Not everyone working at home.

Ive been working in IT for about 25 years.
Most of my friends are in IT.
Most of us use our own equipment when logging in from home.
Also most people I know of use personal equipment and log in via VPN when WFH.
In fact that is by far the most common way of enabling WFH in companies.

It is though as someone else pointed out a national clusterfcuk waiting to happen

lawred2 · 28-05-2021 1:11pm

JimmyVik wrote: »

Ive been working in IT for about 25 years.
Most of my friends are in IT.
Most of us use our own equipment when logging in from home.
Also most people I know of use personal equipment and log in via VPN when WFH.
In fact that is by far the most common way of enabling WFH in companies.

It is though as someone else pointed out a national clusterfcuk waiting to happen

Yeah we're a software company.. all using our own devices logging in over VPN using 2FA

eusap · 28-05-2021 1:13pm

statto25 wrote: »

We allow folks use a personal machine and VPN but only for RDP access to a remote machine. Allowing personal machines direct access across VPN is the same as allowing them bring it into the office and plug it straight into the network. Id believe companies are allowing it though. Many were caught out badly in the first lockdown in terms of having enough equipment and allowed personal machines to be used

I fail to see the difference here, you allow a VPN to your network, if they are accessing RDP or a File Share directly they are on the same network? Why do you think one is safer than the other?

JimmyVik · 28-05-2021 1:16pm

eusap wrote: »

I fail to see the difference here, you allow a VPN to your network, if they are accessing RDP or a File Share directly they are on the same network? Why do you think one is safer than the other?

Using VPN and something like citrix you cant even copy and paste.
No info goes past the browser to the internal network apart from mouse clicks and key presses. Its safe in that way.
The was the one in the OP has been compromised is that the screen on the home laptop has been recorded.

Simple, but brilliant, from a ransomware point of view. And probably one that a lot of companies are not even aware could happen.

NickNickleby · 28-05-2021 1:18pm

Jequ0n wrote: »

This is the first time I hear of a company not providing tech equipment basics such as a computer.

Well, there you have it. There's a first time for everything.

I know a handful of people who are using private pc's to access work. Some of them are large employers who should know better, I was surprised. My own job required me to work remotely as far back as the 90's and I wasn't allowed to use a private pc. I was given a Toshiba laptop which was almost as heavy as a bag of spuds:pac:.

bnt · 28-05-2021 1:19pm

Jequ0n wrote: »

This is the first time I hear of a company not providing tech equipment basics such as a computer.

I work in IT for a company where we do provide the kit, but I have wondered about the kind of setup described by the OP, since it would make our lives easier. Or not.

The Citrix window is a “sandbox”, and you can’t transfer any information in either direction, but this case demonstrates that it’s still possible to have a data leak from screen / keystroke recording. So, if I’m asked about this kind of thing in the future, I know what to say … :eek:

purifol0 · 28-05-2021 1:23pm

statto25 wrote: »

We allow folks use a personal machine and VPN but only for RDP access to a remote machine.

This would not prevent screen recording on their personal laptop.

My 2c on the whole thing is that companies should be issuing laptops. People using their own broadband is fine though.

My users are not allowed use their own devices (signed AUP) and I have implemented technical controls to prevent that.

If an employee tries and succeeds to use their own equipment and disaster strikes, that should be on their heads, and the company should have got them to sign an AUP before remote working

https://whatis.techtarget.com/definition/acceptable-use-policy-AUP

Accidentally · 28-05-2021 1:23pm

JimmyVik wrote: »

Ive been working in IT for about 25 years.
Most of my friends are in IT.
Most of us use our own equipment when logging in from home.
Also most people I know of use personal equipment and log in via VPN when WFH.
In fact that is by far the most common way of enabling WFH in companies.

It is though as someone else pointed out a national clusterfcuk waiting to happen

Sorry Jimmy, but that's just your experience, it does not make it a fact. There are a huge number of people working from home on company provided equipment. Any CISO that allows private PCs as the company default, needs their head examined.

c.p.w.g.w · 28-05-2021 1:25pm

Mrs OBumble wrote: »

I do not believed that is correct.

A buddy of mine, who work in the banking sector, is using his personal laptop as the employer won't provide him his own...

He logs in via a VPN and other such tools, but can't imagine its the most secure

NickNickleby · 28-05-2021 1:26pm

bnt wrote: »

I work in IT for a company where we do provide the kit, but I have wondered about the kind of setup described by the OP, since it would make our lives easier. Or not.

The Citrix window is a “sandbox”, and you can’t transfer any information in either direction, but this case demonstrates that it’s still possible to have a data leak from screen / keystroke recording. So, if I’m asked about this kind of thing in the future, I know what to say … :eek:

precisely - the possibility of a miscreant videoing you while you work, except he doesn't have to be behind you.

My first instinct is to ask "what guarantees the safety of the sandbox?" Wasn't Java out of favour for security holes, even though it sort of uses a sandbox? These are rhetorical questions, I'm curious but don't want to drag the thread away from what is the OP's main concern.

Jequ0n · 28-05-2021 1:26pm

bnt wrote: »

I work in IT for a company where we do provide the kit, but I have wondered about the kind of setup described by the OP, since it would make our lives easier. Or not.

The Citrix window is a “sandbox”, and you can’t transfer any information in either direction, but this case demonstrates that it’s still possible to have a data leak from screen / keystroke recording. So, if I’m asked about this kind of thing in the future, I know what to say … :eek:

Yes very surprising. Tbh I refuse to mix my personal and private life and would not dream about this setup. I never heard of such lax security measures.

some random drunk · 28-05-2021 1:29pm

Well this is an interesting thread. The large multinational I work for has thousands of employees across the globe logging in from their own personal laptops via Citrix. No equipment was provided unless an employee did not have a personal laptop, ie only in rare cases.

With regards to the OP, there's absolutely zero chance I'd be turning over a personal laptop to my employer to examine.

purifol0 · 28-05-2021 1:36pm

Accidentally wrote: »

Sorry Jimmy, but that's just your experience, it does not make it a fact. There are a huge number of people working from home on company provided equipment. Any CISO that allows private PCs as the company default, needs their head examined.

Agreed. That said I'm the Sys Admin but the head bean counter overrules me every time. I can understand companies saving a few bob by going this route, but if IT has warned them of the risks eg users personal machine is compromised or employee is using their phone to take photos of customer data. Then the company haven't a leg to stand on.

kirving · 28-05-2021 1:37pm

My employer takes IT security ridiculously seriously, (and sometimes I wonder if all of these security measures actually cost more than downtime due to a virus!), but a large company not providing employees with laptops, 15 months into a pandemic is absolutely beyond comprehension from a security point of view.

It's only a matter of time before an employee's PC is compromised for some reason or another.

hmmm · 28-05-2021 1:43pm

bnt wrote: »

I work in IT for a company where we do provide the kit, but I have wondered about the kind of setup described by the OP, since it would make our lives easier. Or not.

The Citrix window is a “sandbox”, and you can’t transfer any information in either direction, but this case demonstrates that it’s still possible to have a data leak from screen / keystroke recording. So, if I’m asked about this kind of thing in the future, I know what to say … :eek:

Lots of companies do the same, and that's much the point of Citrix. This is an interesting new attack, and to be honest the first I've heard of it (outside of "theory"), with some interesting implications for a lot of companies.

NickNickleby · 28-05-2021 1:45pm

Covid-19 strikes. SME's suddenly find themselves forced to accommodate WFH.

Beef up their infrastructure to support remote access. Broadband/Citrix Servers licences

Provide people with means: Citrix clients

deploy all this.

Money, money, money. Now add dedicated WFH pc's versus Citrix clients. Well, for some there may be no money left, so personal pc and Citrix Client it is, so.

Alternatives : demand new WFH PC's * for as many people as we can afford, then put the rest on PUP. Not so easy now, is it? Especially as dropping people will most likely have a negative impact on the bottom line.

That's why I believe there'll be plenty of people in the same boat as the OP's friend.

purifol0 · 28-05-2021 1:45pm

some random drunk wrote: »

Well this is an interesting thread. The large multinational I work for has thousands of employees across the globe logging in from their own personal laptops via Citrix. No equipment was provided unless an employee did not have a personal laptop, ie only in rare cases.

With regards to the OP, there's absolutely zero chance I'd be turning over a personal laptop to my employer to examine.

Yeah that's the crux of it.

A selling point of citrix and its competitors is that employees don't need to be given laptops - you can use any computer or phone even if theyre are underpowered or old. This does not prevent data leakage via screen recording at all. It is often used in conjunction with other software that will check if certain programs are running but thats no guarantee.

I don't believe an Employer has the right to get you to hand over personal devices, and as others have said unfortunately you may need to get legal advice.

First thing is to make sure you didn't sign anything that says otherwise.

SteM · 28-05-2021 1:48pm

clog wrote: »

Have you any evidence for this statement?

Anyone I know working from home is using work supplied IT equipment.

The opposite for me tbh.

Dyr · 28-05-2021 2:00pm

JimmyVik wrote: »

Not provided with company equipment at all. Most people working from home now are not doing so via company equipment.

In that case I'd tell them to go and take a hike.

BorneTobyWilde · 28-05-2021 2:01pm

All hackers couldn't careless about the data they've stolen, it's all just gibberish to them, they just use it as leverage to obtain money.

How does hacking even work, is it always the case they have to be invited on to the network, like a vampire always needs to be invited into your home.
They could call it vampiring , not hacking.

plodder · 28-05-2021 2:12pm

I'm amazed that companies allow employees to use personal laptops as the general policy. If there weren't enough laptops to go around when lockdown started, why didn't they send people's desktop PCs home then? The employer doesn't have a leg to stand on here, if it's as reported.

NickNickleby · 28-05-2021 2:18pm

plodder wrote: »

I'm amazed that companies allow employees to use personal laptops as the general policy. If there weren't enough laptops to go around when lockdown started, why didn't they send people's desktop PCs home then? The employer doesn't have a leg to stand on here, if it's as reported.

Excellent point, (and it hadn't occurred to me, and there's me laying people off all over the place:eek::pac:)

JimmyVik · 28-05-2021 2:26pm

Accidentally wrote: »

Sorry Jimmy, but that's just your experience, it does not make it a fact. There are a huge number of people working from home on company provided equipment. Any CISO that allows private PCs as the company default, needs their head examined.

I have many tens of thousands of hours experience in the business with a hell of a lot of external companies. This is my experience.

Its a fact.
Does it even matter though tbh?

Ms. Newbie18 · 28-05-2021 2:27pm

JimmyVik wrote: »

Answers

1. Logging from own laptop in via browser and citrix fob to employer network.

2. Nobody was given work equipment to use to work from home.

3. All of her family use the laptop.

4. Home modem is the standard vodafone modem.

Her employer cannot do anything to her as they did not provide her with the equipment to do her job safely. They also have zero right to her home laptop.

On a side note, did her employer provide any training re phishing emails?

Things like this are why I insisted on my employer providing me with a laptop before heading home. They have installed security etc and so it should be safe as can be; its also not completely infallible.

Jequ0n · 28-05-2021 2:30pm

Ms. Newbie18 wrote: »

Her employer cannot do anything to her as they did not provide her with the equipment to do her job safely. They also have zero right to her home laptop.

On a side note, did her employer provide any training re phishing emails?

Things like this are why I insisted on my employer providing me with a laptop before heading home. They have installed security etc and so it should be safe as can be; its also not completely infallible.

Tbh the employee doesn’t seem the full shilling either given her sudden realisation that emails might be archived/ accessible.

Home worker caught by ransomware attack. Employer furious

Comments