September 24, 2020



One thing you don’t really hear about in the news, or on the streets, is how often banks and their internal divisions are targeted, and even held to ransom, by malicious attackers.

The modern bank job doesn’t look like a heist film. It’s not balaclavas or shotguns, nor is the robber required to even be in the country.

I was working for the business banking division of a “big bank”, running my section of the annual Saturday disaster recovery drill for our team. I had arrived early to plug in and set up, but was informed upon entry by the overnight security guard that all the computers had locked up. My first thought—is this part of the scenario—is it a test? My second, which I concurrently blurted out—“What do you mean ‘locked up’?”

I expected the BSOD as he buzzed me through, and around behind the security desk. It smelled like feet back there—oddly enough, not /his/. I decided better not to ask about it, in case it was one of the things that the rotating shift of security guards argued about. What I saw instead of a blue screen was a yellow box, with a poorly formatted ASCII image of a donkey, and a written demand to send 500 Bitcoin to an address which was also provided in the graphic.

I asked the security guard, who it’s pointless to name this far into the story, but let’s just say Clive, how many computers this was appearing on. He said all of them. The whole building. The fifty or so desktops in our disaster recovery centre—located in an older bank branch that had been closed down, and now housed offsite backup servers, with a handful of resident employees, working on sensitive matters—had all woken, rebooted, and now displayed the same shitty graphic demanding 500 BTC, which at that time was worth about a hundred US Dollars.

After briefly considering whether anyone thought to create a secret disaster recovery recovery site, I called around to cancel the drill, and liaised all day instead with the bank’s internal security team to diagnose the other machines, formatting any not containing needed data.

The servers were a whole other animal, though. A crack team of sysadmins who were normally tasked with administering the bank’s backbone of transactional banking infrastructure arrived over the course of the day to assess the situation. By around 6PM, they’d determined that it wasn’t possible to back up vital data on the servers located onsite, and each of the 600 or so virtual machines running on hardware there contained a different Bitcoin address—meaning that if the bank chose to pay the ransom, it would do so at least 600 times to unlock everything, at this site alone. Word was coming in that it had happened to older machines at other sites, but we wouldn’t have a bigger picture of most locations until Monday morning.

After their team leader ran it up the chain that we were entirely out of options—pay, or lose data that may or may not be backed up elsewhere—we all went to dinner. Some of the admins were nervous that the exec level wouldn’t understand the scenario, and would ask them to perform further troubleshooting. Others were excited by the prospect of redundant overtime.

We waited long into the night and heard nothing, so eventually I went home, wondering if I’d be paged Sunday, and if not—what kind of shit show Monday would be for the IT department overall.

Sunday came and went without a call, and when I returned Monday, all was uncomfortably well. Did I dream it? No, my pockets were still full of biscuits I had commandeered from the tea room. My team leader had heard nothing from higher up, only that the matter was “resolved” Sunday without further incident.

Obviously I called one of the specialist sysadmins who had stayed back to wait for the answer. He only said that he couldn’t discuss it. I asked him if the servers were functioning at the DR site, as I needed to know from an operational standpoint. He said, “Yep.”
I asked, “So did we lose data?”
He said “No, all good here.”
He seemed to sense me frowning at my phone. He sounded like he was smiling, but trying not to, while holding an apple near his mouth, impatient to get off the line and eat it. Also he had a curly brown beard, if that helps paint the picture.
I asked, “Did we pay 500 Bitcoin to have the machines unlocked?”
He said, “No,” then paused. He added, “Theoretically, if we only paid 500, we’d only have one machine back.”
I asked, theoretically, if the bank would have to buy that much Bitcoin to pay the ransom, or “would it already have a stash?”
He hung up without saying anything else—even goodbye—leaving it unclear if he was trying to imply that the bank was already into Bitcoin, or simply utilising the baseline social toolbox of your average IT professional. Hours later, I purchased my first 50 Bitcoin, just in case.