Background
Quote from https://status.finalsite.com
The Finalsite security team monitors our network systems 24 hours a day, seven days a week. On Tuesday, January 4, our team identified the presence of ransomware on certain systems in our environment. We immediately took steps to secure our systems and to contain the activity. We quickly launched an investigation into the event with the assistance of third-party forensic specialists, and began proactively taking certain systems offline.
Quote from bitdefender
For two days, the firm used its status page to keep clients in the loop about its progress in restoring functionality, only to admit on Thursday that it had suffered a ransomware attack – and knew about it, but kept it a secret as investigations were still ongoing.
Let's do some investigations and share some evidence we got from the websites under the influence.
Investigations
World wide schools paid thousands of US dollars for annual service fee to have a "PREMIUM" level website. Yes, the Finalsite does fancy look for the schools which wired double or triple money to the Finalsite savings. But since Tuesday, January 4, the functionality of more than 1,000 school websites has ceased to work caused by a kind of ransomware. No one is able to login their "own" official site and no one is able to make some effort and try to protect their thousands of user account information stored in the Finalsite database.
According to the conditions and updates from https://status.finalsite.com. These potential issues which the Finalsite never got improved or considered.
I. No Standalone Web Server for Each Site
The first report is about account login failures. Frontend is mostly built or generated as static HTML files. We picked one school website from the Finalsite portfolios and got this result:
The screenshot is showing us the Finalsite is using CloudFront provided by AWS. It's a content delivery network service. That's why all static pages are still accessible. If you know programming, both user Login/Logout are controlled by program. The code is in charge of verifying credentials and getting the user actions authorized or denied. This is the first evidence we got because of the function issue. It sounds like one person made a mistake and got ransomware injected by chance. Ooops, the other accounts stopped working all together. It means each school site was not isolated. The affected school sites were all running on a shared server. Finalsite really did a good job for saving money.
III. Backup is NOT Working
Now let's forget the point above and do another investigation. Most world famous cloud service vendors had replaced the traditional hard drive with solid state drive (SSD) for storage. Because of the bottle neck of read/write performance is having huge difference. Of course, there is extra fees billed unless the cloud users consider cost more than performance. Each site which had SSD configured can be restored from the proper restore point within 10mins. One Finalsite tech staff could restore all the broken sites in 10,000mins. Literally Finalsite has over 2,000 staff, 0.1% could work in parallel for tech. The reality is the sites have stopped working for over 2 days.
Why Finalsite still keeps secrets? Are they still working on the comparison between the doubled cloud services cost and ransom? No body knows.
