An organization contacted Invision when their network was infected by a ransomware virus. A demand for money in exchange for getting their data back was displayed on every computer screen. Unfortunately, the hacker also attacked the network storage device they used to back up their data, so it was useless in restoring their system. Invision not only saved this company from paying a large ransom, but also restored the entire network with data intact within one business day. Had the organization only had the usual network storage device set up, restoration without the ransom wouldn’t have been possible.
The Data Hostage Situation
The organization has a typical IT setup. Like many other office environments across Kansas City, the network consists of a server, several workstations, some local and some cloud-based software programs, such as Microsoft and Creative Cloud.
A virus entered and spread throughout the organization’s network, encrypting its data and leaving it inaccessible to every staff member. A ransom demand was displayed on every workstation screen, with:
- Ways to contact the hacker to find out the ransom amount
- A sales pitch encouraging the organization to purchase the malware program used to infiltrate their network, should the organization be interested in hacking others
The organization contacted Invision for emergency IT support and network restoration from a backup that had been put in place in case disaster recovery was ever needed. Once an organization’s network data is encrypted and held for ransom, there are only two options. One, pay the ransom and hope for the encryption key in return. Two, already be prepared to restore the network from a tape (air-gapped) backup.
Assessing Data Recovery Sources
This organization followed a double data backup protocol. Data was saved to a storage device attached to the network, plus on a tape (air-gapped) machine. Invision’s Tim Blakley assessed the local disk first, which was a no-go. Since it was connected to the network, the virus spread to it, rendering it useless for disaster recovery.
The tape, thanks to the way it saves data, was the only viable way to avoid paying the ransom and get back to business as usual. Air-gapped backups are an organization’s fail-safe way to avoid ransoms and the chaos that follows an attack. Once data is on a tape and that tape is physically removed from the drive, it’s impossible for a virus to infect it.
Fortunately, this organization followed best practices on air-gapped backups. The tape backup had finished hours prior to the virus infiltration, which was particularly fortunate since the malware infected the backup software, too.
Executing a Data Restoration Plan
Had there been no way to restore the data, the organization’s only option was to pay the hacker’s ransom. Blakley, knowing an hours-old tape backup existed, knew there was no need to contact the hacker.
Work to rebuild the server and repair the damage began. But first, Tim repaired the backup software, which was needed to restore data from the tape. Approximately 8 hours later, the organization’s server was restored to its pre-attack state. The next morning, all the workstations were repaired. Total time down: 1.5 business days, compared to ZDNet’s reported average of more than 16 days.
Ransom demand amounts are on the rise, with the average payment doubling from $41,198 between July and September to $84,116 for the period between October and December in 2020. Even though the organization did have to pay for emergency disaster recovery, the amount was far, far less than the ransom would have been, saving tens of thousands of dollars and hundreds of hours of lost time, not to mention lost business.
Key Takeaways for Ransomware Attacks
“Plan for the inevitability of ransomware attacks on your network. It’s the big corporations in the news, but hackers are successfully attacking small and mid-sized organizations every day, even companies with in-house IT departments and network security staff.” Tim states, “Hackers are not hacking servers, rather they’re gaining access via end users. AKA: company employees. It used to be that once hackers were in a network, they’d encrypt the data, collect the ransom, and be gone. Now, they’re snooping around, disabling antivirus software and changing backups.”
The two most effective ways to protect a company’s network from ransomware attacks are:
- Two-factor authentication, which adds a layer of protection between weak passwords and access to your network. It involves entering a code sent via text or email to allow access.
- Air-gapped backups, which save data on a physical tape, and once removed from the device, cannot be corrupted by malware.
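The two points the article makes about air-gapped backups (a copy that the malware could reach over the network is not a recovery source, and the offline copy must be recent enough to be worth restoring) can be turned into a routine readiness check. The script below is an added example, not Invision’s code or the organization’s backup tooling; the catalog entries, manifest contents, timestamps and hashes are constructed for illustration, and the `network_reachable` flag stands in for whatever inventory field a real backup system exposes.

```python
"""
Backup-readiness audit for ransomware recovery (added example, not from the article).

For each catalog entry it checks, in order:
  1. the copy is not reachable from the production network (air-gapped),
  2. the manifest read back from the media still matches the hash recorded
     when the backup job ran (integrity), and
  3. the copy is newer than the maximum acceptable age.
Only copies passing all three are reported as usable recovery sources.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib

# Constructed manifest contents. The tape copy still reads back what was
# recorded at backup time; the NAS copy's contents were overwritten by the
# malware, so its hash no longer matches the catalog record.
GOOD_MANIFEST = b"server01:/data files=18422 bytes=91234567890\n"
ENCRYPTED_MANIFEST = b"\x8f\x1a\x00\x7fgarbage-after-encryption"
RECORDED_SHA256 = hashlib.sha256(GOOD_MANIFEST).hexdigest()

MAX_AGE = timedelta(days=7)   # constructed recovery-point policy


@dataclass
class BackupCopy:
    name: str
    media: str                 # "nas", "tape", ...
    network_reachable: bool    # True = malware on the LAN could reach this copy
    completed_at: datetime
    recorded_sha256: str       # hash written to the catalog when the job ran
    current_manifest: bytes    # what the media reads back now


def is_intact(copy: BackupCopy) -> bool:
    """Recompute the manifest hash and compare it with the catalog record."""
    return hashlib.sha256(copy.current_manifest).hexdigest() == copy.recorded_sha256


def audit(copies, now, max_age=MAX_AGE):
    """Return (usable, rejected): usable copies newest first, rejected name -> reason."""
    usable, rejected = [], {}
    for c in copies:
        if c.network_reachable:
            rejected[c.name] = "reachable from network (not air-gapped)"
        elif not is_intact(c):
            rejected[c.name] = "manifest hash mismatch (possible tampering)"
        elif now - c.completed_at > max_age:
            rejected[c.name] = f"older than {max_age}"
        else:
            usable.append(c)
    usable.sort(key=lambda c: c.completed_at, reverse=True)
    return usable, rejected


def newest_recovery_source(copies, now, max_age=MAX_AGE):
    """Name of the most recent usable copy, or None if nothing is restorable."""
    usable, _ = audit(copies, now, max_age)
    return usable[0].name if usable else None


# Constructed catalog modelled on the article's scenario: a NAS copy the
# malware reached, a tape that finished hours before the infection, and an
# older weekly tape that is intact but outside the recovery-point policy.
NOW = datetime(2020, 1, 15, 9, 0, tzinfo=timezone.utc)
CATALOG = [
    BackupCopy("nas-nightly", "nas", True, NOW - timedelta(hours=6),
               RECORDED_SHA256, ENCRYPTED_MANIFEST),
    BackupCopy("tape-daily", "tape", False, NOW - timedelta(hours=5),
               RECORDED_SHA256, GOOD_MANIFEST),
    BackupCopy("tape-weekly", "tape", False, NOW - timedelta(days=9),
               RECORDED_SHA256, GOOD_MANIFEST),
]

if __name__ == "__main__":
    usable, rejected = audit(CATALOG, NOW)
    for c in usable:
        print(f"USABLE   {c.name:<12} {c.media:<5} completed {c.completed_at.isoformat()}")
    for name, reason in rejected.items():
        print(f"REJECTED {name:<12} {reason}")
    print("restore from:", newest_recovery_source(CATALOG, NOW))
```

Run as a scheduled job, this gives a one-line answer to the question the article says matters most: does an offline, intact, recent copy exist right now? It deliberately checks network reachability before anything else, because a copy the malware can write to fails regardless of how fresh it is. The article’s other lesson, that the backup software itself was infected and had to be repaired before the tape could be read, is a separate item for the same checklist: keep known-good restore tooling and verify a test restore, not just the media.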
“In this organization’s case, we’re relatively certain that the hacker entered via an end-user who likely used the same password or a close derivative across accounts. For example, ‘Pumpkin21’ for one account and ‘Pumpkin20’ for another. The ransomware worked, but so did the organization’s air-gapped backup. Had two-factor authentication been in place, perhaps the malware wouldn’t have gotten as far as it did. Business owners should assume their data will be held for ransom and put two-factor authentication and air-gapped backups in place now,” says Tim.