Tales From The Road: Keeping a Business Operational After a Ransomware Attack

How We Got an International Company Back Online After Being Cryptolocked by Ransomware

For a global company, a worst-case scenario is realizing all of your data has been compromised in a ransomware attack and – worse – has been cryptolocked, halting your business in its tracks.

We worked through this exact scenario with an international manufacturing company that fell victim to a ransomware attack delivered by phishing emails that got past its defenses and into the network.

Ransomware is a type of malware that holds a victim’s data hostage by encrypting (“cryptolocking”) it, under threat of publishing the data or permanently blocking access to it unless a “ransom” is paid. This type of attack can put a company completely out of business unless data backups are available to restore operations, and the company we worked with was very nearly unable to recover.

Salvaging Data Through Another Office Location

The ransomware attack on this manufacturing company occurred during the implementation of a new security stack. Their antivirus software flagged the ransomware but was unable to stop it. 

The result was that the backups at every one of this company’s offices around the world were cryptolocked, leaving no accessible data with which to salvage the business and get operations back online.

However, one office location had suffered an unrelated internet outage at the time of the attack and so escaped it entirely. Through this one office, we were able to access all of the backup data and get the company’s network up and running again.

How Does a Ransomware Attack Do So Much Damage?

How much damage a ransomware attack can do to a company depends largely on how that company backs up its data.

Ransomware attacks happen, and no organization should operate under the false belief that it is immune. The best recourse against any kind of security threat or attack is proper maintenance of your security controls and your response plan, so that if something does happen, you’re prepared to manage it.

And when we caution that these types of security breaches can happen to anyone, we’re not messing around. Recently, attackers compromised a New York City law firm and accessed 756GB of A-list celebrity data (think Madonna, Lady Gaga, and Sir Elton John), including contracts, recording deals, and other personal information.

These attacks are like roadblocks to business as usual, and the faster they can be resolved, the better off a company will be. That resolution, however, is completely dependent on your level of preparedness. 

Backup Best Practices

Many backup vendors offer solutions that are effective when their procedures are followed exactly. But today’s workplace culture has people in the mindset of quick file retrieval, which can lead to drifting away from how the backup solution was intended to work.

Typically, backups are taken daily to capture day-to-day data changes, and weekly to capture the full week’s changes. Each full week of backed-up data is typically saved and shipped out for storage or, for smaller companies, simply stored offsite under the auspices of the CIO. Backups are generally retained for a set period and then overwritten with new data once that period expires.
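The daily/weekly rotation just described is easy to state and easy to get wrong in practice, so here is an added example (written for this page, not the consultancy’s own tooling) that models it in Python. It builds a constructed backup catalogue of daily onsite sets and weekly fulls shipped offsite, applies a retention policy to decide which sets are kept and which are due to be overwritten, and then answers the question that matters during an incident like the one above: if every onsite copy is encrypted, what is the newest set that can still be restored, and how many days of data are lost? The retention periods (14 daily sets, 8 weekly fulls) and the sample dates are assumptions for illustration.

```python
"""Daily/weekly backup rotation and restore-point audit.

Added example for this article; not the consultancy's or any vendor's code.
Retention periods, locations and dates below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class BackupSet:
    taken: date
    kind: str       # "daily" (onsite, captures one day's changes) or "weekly" (full)
    location: str   # "onsite" or "offsite"


@dataclass(frozen=True)
class RetentionPolicy:
    keep_dailies: int = 14   # days a daily set is kept before it is overwritten (assumed)
    keep_weeklies: int = 8   # weeks a weekly full is kept before it is overwritten (assumed)


def simulate_schedule(today: date, days: int) -> List[BackupSet]:
    """Constructed sample catalogue: a daily onsite set every day, except on
    Sundays, when a weekly full is taken and shipped offsite instead."""
    sets: List[BackupSet] = []
    for back in range(days):
        taken = today - timedelta(days=back)
        if taken.weekday() == 6:  # Sunday: weekly full, stored offsite
            sets.append(BackupSet(taken, "weekly", "offsite"))
        else:
            sets.append(BackupSet(taken, "daily", "onsite"))
    return sets


def classify_sets(sets: Iterable[BackupSet], today: date,
                  policy: RetentionPolicy) -> Tuple[List[BackupSet], List[BackupSet]]:
    """Split the catalogue into sets still inside their retention window (keep)
    and sets whose window has expired and may be overwritten (expire)."""
    daily_cutoff = today - timedelta(days=policy.keep_dailies)
    weekly_cutoff = today - timedelta(weeks=policy.keep_weeklies)
    keep: List[BackupSet] = []
    expire: List[BackupSet] = []
    for s in sets:
        cutoff = daily_cutoff if s.kind == "daily" else weekly_cutoff
        (keep if s.taken >= cutoff else expire).append(s)
    return keep, expire


def newest_restorable(sets: Iterable[BackupSet],
                      unavailable_locations: Iterable[str]) -> Optional[BackupSet]:
    """Newest set held somewhere the attacker did not reach (None if nothing survives)."""
    blocked = set(unavailable_locations)
    candidates = [s for s in sets if s.location not in blocked]
    return max(candidates, key=lambda s: s.taken, default=None)


def data_loss_days(sets: Iterable[BackupSet], today: date,
                   unavailable_locations: Iterable[str]) -> Optional[int]:
    """Days of work lost if we restore from the newest surviving set."""
    s = newest_restorable(sets, unavailable_locations)
    return None if s is None else (today - s.taken).days


# Constructed scenario: 70 days of history, audited on an assumed Monday.
TODAY = date(2020, 6, 1)
POLICY = RetentionPolicy()
SAMPLE_SETS = simulate_schedule(TODAY, 70)

if __name__ == "__main__":
    keep, expire = classify_sets(SAMPLE_SETS, TODAY, POLICY)
    print(f"{len(keep)} sets retained, {len(expire)} eligible for overwrite")
    # Onsite copies encrypted by ransomware: only offsite weeklies remain.
    print("newest offsite restore point:", newest_restorable(SAMPLE_SETS, {"onsite"}))
    print("days of data lost:", data_loss_days(SAMPLE_SETS, TODAY, {"onsite"}))
```

In the constructed scenario the newest surviving offsite set is the previous day’s weekly full, so one day of data is lost. Lengthening the shipping interval or skipping an offsite rotation is exactly what turns that into the months-old restore the article warns about, and this kind of check makes the gap visible before an incident rather than after it.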

Protecting Backups Against Ransomware

Ransomware becomes the biggest threat to a company when its backup system breaks down in any way. These breakdowns can begin at the vendor level: vendors have begun offering online backups that can be rotated offline, intended to let companies store their data more efficiently than shipping it to an offsite source. These solutions promise fast online restoration of data and rely on disconnected share drives, which ransomware did not detect – until now.

Ransomware, like other malware, has gotten smarter and can now detect disconnected share drives. If a company makes any kind of configuration error when migrating its backed-up data online, that data then sits right on the company’s network – and can therefore be reached by a ransomware attack.

The big takeaway here is that if you’re going to use online-to-offline storage, never map a drive to it, because doing so puts that data back online and makes it accessible to attackers.
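A practical way to act on that takeaway is to audit workstations and servers for drive mappings that point at backup storage. The following added example (written for this page, not the consultancy’s or any vendor’s tool) parses constructed output in the layout of the Windows `net use` command, matches each mapped or remembered UNC path against a list of hosts that are known to hold backups, and reports every hit as a finding. A connected mapping is rated high because anything running as that user can write to the share immediately; a disconnected-but-remembered mapping is rated medium because Windows will reconnect it on first access. The host names, share names and the `BACKUP_HOSTS` list are assumptions for illustration.

```python
"""Audit drive mappings for exposure of backup storage.

Added example for this article; not the consultancy's or any vendor's code.
Input layout mimics `net use` output; hosts and shares below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# One mapping line: status, optional drive letter, then a UNC path \\host\share.
MAPPING_RE = re.compile(
    r"^(?P<status>\S+)\s+(?:(?P<local>[A-Za-z]:)\s+)?"
    r"(?P<remote>\\\\(?P<host>[^\s\\]+)\\\S+)"
)


@dataclass(frozen=True)
class Mapping:
    status: str              # "OK" (connected) or "Disconnected" (remembered)
    local: Optional[str]     # drive letter, or None for a letterless connection
    remote: str              # UNC path as printed
    host: str                # server part of the UNC path, lower-cased


def parse_net_use(text: str) -> List[Mapping]:
    """Extract mappings from `net use`-style output, skipping headers and footers."""
    mappings: List[Mapping] = []
    for line in text.splitlines():
        m = MAPPING_RE.match(line)
        if m:
            mappings.append(Mapping(m["status"], m["local"], m["remote"], m["host"].lower()))
    return mappings


def find_exposed_backup_shares(mappings: Iterable[Mapping],
                               backup_hosts: Iterable[str]) -> List[Dict[str, str]]:
    """Return a finding for every mapping that lands on a backup host."""
    hosts = {h.lower() for h in backup_hosts}
    findings: List[Dict[str, str]] = []
    for mp in mappings:
        if mp.host not in hosts:
            continue
        # Connected shares are writable right now; remembered ones reconnect on demand.
        severity = "high" if mp.status.upper() == "OK" else "medium"
        findings.append({
            "severity": severity,
            "local": mp.local or "(no drive letter)",
            "remote": mp.remote,
            "advice": "Remove this mapping; reach backup storage only through the "
                      "backup agent or a dedicated, separately credentialed account.",
        })
    return findings


# Constructed sample in the layout of `net use` output (hosts and shares invented).
SAMPLE_NET_USE = r"""
Status       Local     Remote                    Network
-------------------------------------------------------------------------------
OK           Z:        \\BACKUP-NAS\Weekly       Microsoft Windows Network
OK           P:        \\fileserver\projects     Microsoft Windows Network
Disconnected           \\backup-nas\Daily        Microsoft Windows Network
The command completed successfully.
"""

# Hosts that hold backup data (assumed inventory for the example).
BACKUP_HOSTS = ["backup-nas"]

if __name__ == "__main__":
    for f in find_exposed_backup_shares(parse_net_use(SAMPLE_NET_USE), BACKUP_HOSTS):
        print(f"[{f['severity'].upper()}] {f['local']} -> {f['remote']}: {f['advice']}")
```

On a real fleet the same check would be fed the actual command output from each host and the backup-host inventory from the configuration management database; the point is that a backup target appearing in anyone’s drive mappings is a finding to fix, not a convenience to tolerate.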

Keeping Your Company Safe From Ransomware

A functional disaster recovery and business continuity plan is critical for any company. Not every organization is insured against the losses a ransomware attack can cause, and such a plan is also the best way to prevent or manage these attacks from the outset.

  1. Regardless of which backup solution your company uses, it’s important to maintain best practices and follow the vendor’s directions to the letter. These procedures can be built right into the design of your backup process so that any employee managing data storage and backup can do it properly.
  2. Ensure your company has the right systems in place to prevent a ransomware attack. This is a multi-pronged approach – you want a failsafe on top of the core security solutions you’re already using.
  3. Always carry any product or system changes through to your backup system. If you can’t restore everything, especially recent changes to your organization, you face a serious problem getting your business back up and running.

Ideally, your organization would have immediate access to recent backups that let you get back online and back to business right away. Often in ransomware attacks, companies find themselves without usable backups and are forced to go back online with months-old data, which results in major business setbacks.

Companies should be especially vigilant during times of overall weakness like the COVID-19 pandemic. Attackers will always take advantage of situations in which employees or organizations as a whole may be more vulnerable, whether due to a situation specific to that company or a national or global issue like COVID-19.

Because the manufacturing company we worked with was able to access backups from the single office location, they were able to begin shipping product again in about 4-5 days and were fully back online in about a month. 

We were onsite working with them for about two weeks and continued to support them remotely after that time. 

The amount of damage and the time to recover will vary with the ransomware attack and the complexity of the system. Given the prevalence not just of ransomware but of security threats in general, it is best to have an incident response plan in place that maps out a company-wide approach to dealing with an attack.

If you would like to learn more about protecting your company’s critical data from the threat of ransomware or any other type of security attack, contact us today.