The Sentinel (Jack Reacher #25) - Lee Child Page 0,56
forehead. ‘Sarah, I love you.’
‘So your system did work?’ Reacher took a sip of coffee. ‘You said it didn’t.’
‘Right,’ Rutherford said. ‘It didn’t.’
‘So why would anyone want it?’ Reacher said.
‘It comes down to the way ransomware works,’ Sands said. ‘Attacks don’t happen all in one go. Imagine a computer network is like an enemy fortress. If you want to capture it you don’t just lob a grenade over the wall and hope the soldiers are all killed. You start by infiltrating your best guy. You smuggle him past the defences and leave him to sneak around inside for a while. Get the lie of the land. Draw maps for when your main force arrives. Find out where all the good stuff is hidden. And see if there are any traps to avoid. In our case, for traps read backups. Backups are kryptonite to ransomware. There’s no point in locking a bunch of data if your intended victim has a clean copy. He’d just laugh in your face. And that’s a big problem because some of these groups are in the game for prestige as much as they are for cash. So if they find a backup – which are usually only connected briefly to capture a snapshot of any recent changes and then get taken offline or even off site for safe keeping – they immediately deploy a special kind of program. A particularly sneaky kind. We call it a trident because it does three things all at once. One, it destroys all the data that’s already been backed up. It’s either wiped clean or replaced with porn or taunting messages, or things like that. Two, it prevents any new backups getting saved. And three, it sends spoof signals to the organization’s management system saying that everything is working OK. That way it avoids alerting anyone to what’s happening and adds to the blow when the main systems lock up and the ransom demand is posted.’
‘But your backups didn’t get wiped,’ Reacher said. ‘Or overwritten with porn. Did they?’
‘No,’ Rutherford said. ‘Something stopped that from happening. But nothing new was saved. And spoof management reports did get sent. That’s why I thought we’d be OK after the attack. And why I was so shocked when we weren’t.’
‘Cerberus interfered,’ Sands said. ‘It broke one spike off the trident. It’s the only explanation. I ran simulations using copies of the most recent ransomware we’ve come across, and here’s where things get interesting for the people who are chasing Rusty. In eight out of nine tests, not only was the existing data untouched, but a fragment of the malicious code was retained on the backup system. It was somehow caught by Cerberus when it stopped the disc from getting wiped.’
‘Enough of a fragment to unlock the town’s computers?’ Reacher said.
‘No,’ Sands said. ‘It doesn’t work that way. But it could reveal who’s responsible. It’s like when a bank robber wears a mask but the security cameras pick up his gang tattoos.’
‘That must be why these guys are trying to get their hands on it,’ Rutherford said. ‘They must have analysed the system maps the ransomware sent back to them. Seen something they didn’t recognize – Cerberus. And figured out what it could do. Maybe put that together with the reports in the press about the old data being the only thing that survived. You should have seen the headlines. Rutherford’s Rusty Ransom Response was my favourite. But we have a different reason to want it. Maybe millions of different reasons. Right, Sarah?’
‘That’s why I’m here,’ Sands said. ‘There’s life in the guard dog yet. It’s not the product we thought it was going to be. It obviously doesn’t prevent ransomware attacks happening. But if it bulletproofs any backed-up data, that’s the next best thing. A lot of organizations would pay a lot of money for that. All we need is the servers you were using. Bench tests are fine, but we need to make sure it really was our system that saved the old data. Not some random malfunction. So let’s go get them.’
‘We can’t get them.’ Rutherford flopped back down. ‘When I thought the system had failed I threw everything in the trash.’
FOURTEEN
Speranski was in his study, looking through catalogues from electrical wholesalers, trying to find the closest thing to a World War II anti-aircraft searchlight, when his secure phone rang again.
‘We were right,’ the voice at the end of the line said. ‘It was an ambush.’