Mr. Robot hacked you. Now what?

Take it from Mr. Robot himself “the devil is at his strongest while we’re looking the other way, like a program running in the background silently, while we’re busy doing other sh…” it is the unseen that gets you in the end. We live in the same decade that cybercrime got its own flashing neon sign, the formalisation of a counter culture into a booming illegal industry; pwned bank details for $3 a pop, DDos attacks for $150 a week, malware and exploit kits under $500, crime-as-a-service ransomware into the thousands. Today, to become a hacker, you don’t have to be an awkward, introverted genius with severe daddy issues and a ‘gone fishing’ sign where your eyes used to be, nowadays all you need is a few bucks, a mild dislike for humanity and an internet connection. The victims of cybercrime in 2017 will not be hacked by mask wearing masterminds who drunk the cool aid, there is no manifesto, these days they are coming for your money. Using encrypted communications like Tor to remain hidden, receiving payments in cryptocurrencies like Bitcoin to avoid the paper trail, the dark web has produced its own answer to the start-up boom, a service industry where the ‘business’ picks the ‘customer’. No one is off limits, midsized companies, schools, hospitals, and while California can go ahead and outlaw ransomware, here in the real world the law is unenforceable. In this article we will assume it is not if but when an organisation is compromised, identifying the processes, applications and infrastructure necessary to ensure IT delivery is invulnerable immediately as well as long term. Evil Corp. suck at this by the way.

DDos attack (Distributed Denial of Service)

It has been nearly two years since F Society used a DDos attack on Evil Corp. to mask installing a rootkit on the corporation’s network, along the way we have seen the epic attacks on Dyn and OVH and bad news, there is a Db-Dos hitting you right now. Taking advantage of the network features in your database, attackers flood the pipes with network packets, your equipment is overwhelmed. Check your junk mail, did you miss any threats recently? Or has your competitor hired bot nets on a booter portal? Maybe you’re just a scalp. At this stage, whatever the cause, a self-congratulating smile does a breakdance across your face. As the cost of Amazon Web Services fell in 2016, you already have a cold VM provisioned there, daily asynchronous replication gives you a working, up-to-date copy of your database and you only pay for what you use. Using any (AWS compatible) high availability or unified data protection software, instantaneous failover is as simple as clicking a button. The ability to deliver services from a distinct network circumvents the affected environment and when Amazon runs your DR infrastructure any further DDos attacks are only for the optimistic.

Watch Mr. Robot resolve the F Society DDos attack here, he is forced to manually switch the DNS of the production servers one by one because “the backup server is running but it’s not configured for autoswitch”. It was only episode one and already Evil Corp.’s IT department were looking shaky, see their system admin in the light-blue shirt below, if he looks at me like that one more time I’m running out of the server room operatically screaming for help and wiggling my arms in the air.


We all remember when F Society infected Evil Corp.’s client machines with ransomware, it seemed a little harsh at the time because the same hackers had encrypted all of the corporation’s customer data only a month before, but if you’re going to call yourself “Evil Corporation” I guess you’re asking for it. In their case, they caved and sent their CTO to deliver 5.9 million dollars, yes that was him you saw in the news, the guy standing next to a burning pile of money. How generous are you feeling today? Your network is locked down, your hardware is wiped and the attacker is only asking a few thousand to sort it out. It is probably Monday. It doesn’t matter. ‘Roll over’ is not one of the tricks you do. “I lose to amateurs” is not your pre-commute mantra. Using a backup solution with powerful in-line deduplication and incremental technology gives you the disk space and the performance to make more frequent backups possible, when the ransomware hits, the distance to your last backup is reduced, the less data is lost. Crucially, you replicate these backups to a separate network, be it on-site, to a remote site and/or to public cloud. Seconds into the attack, you already have access to a fully working backup, and depending on your software you can stand up VMs in minutes, or for unified solutions that include high availability, you can use automatic failover for immediate recovery.

According to their CTO, this is how long it takes Evil Corp. to come back from ransomware…

Exploit kits

Counting on a gullible employee to happen upon a USB drive and run the .exe on their office network sounds improbable but it doesn’t just happen in Mr. Robot, recent studies show 48% of people plug in a USB drive they find in a parking lot. Once deployed, an exploit kit gives up command and control to its user, often for highly specific purposes, like right now, you just detected some tell-tale malware on your email server. Cue your personal theme song. By using data protection software that unifies the process, you manage file and image based recovery from the same console as you manage real time high availability: virtual, physical, cross hypervisor, whatever the OS and application. So when you need to wipe a server, the more critical the server is, the faster the RTO you choose, down to milliseconds. In this way, recovery goes beyond using multiple tools, it gives better RTOs and is easier to perform, after all, undoing the attackers work (without effort) is your quiet revenge.


“Hidden within the kernel is a logic bomb, malicious code designed to execute under circumstances I’ve programmed.” The life of a hacker is all sunshine and rainbows. As above, by refining the speed and ease of the restore process, dealing with infected servers becomes run of the mill. By using the latest deduplication technologies, your storage fits more frequent backups and limits data loss while smaller backups are more feasibly replicated across separate networks, off-site and to public cloud. By running your disaster recovery from a separate network the malware cannot spread to corrupt your copies, nor can it interrupt any high availability or instant VMs delivering services from there. I hope you’re sitting down; Evil Corp. never did find the fsociety00.dat malware.

All out annihilation

It’s hard to feel sorry for Evil Corp., even with the combined might of the Dark Army, F Society, Mr Robot and Tyrell aimed at the corporation’s utter destruction, Evil Corp. have made such a dog’s meal out of the basics of backup and availability, this is on them. However, during the hacker’s quest for all out annihilation of Evil Corp., it becomes apparent there are two strands of the corporation’s backup plan that would be unbeatable in the real world. Firstly, Evil Corp. uses replication to cascade its data, sharing multiple copies throughout its datacentres worldwide. As Romero says “So what happens after we hack the New York facility? Then we have to take a trip to Nashville, then Colorado, then San Jose…” It would take a successful, simultaneous attack on all sites. Spoiler alert. In Mr. Robot they pull it off. In the real world, if you use a public cloud like AWS, Microsoft Azure or Arcserve Cloud, your data is protected. Secondly, Evil Corp. still commits its backups to tape, like Google and the National Centre for Supercomputing, besides reducing the cost of long term data retention, possessing an off-line copy is a last fail-safe against data loss in the event of an attack. Spoiler alert. In Mr. Robot they use a Raspberry Pi to hack the temperature controls of Steel Mountain’s tape storage facility, aka they melt the tapes. In the real world, unlikely. Nice save, Evil Corp.

And so…

Mr. Robot said it best: “The world is a dangerous place, not because of those who do evil, but because of those who look on and do nothing.” For a unified data protection solution that delivers on all of the requirements above, join the live demo of Arcserve UDP, every Tuesday at 11am GMT and Friday 10am GMT, click here — ->

Can’t make the timezone? Register for a 1–1 with an Arcserve engineer, click here — →