It was a sunny Thursday afternoon in June of 2019 when one of our customers reached out to us with a problem that would end up consuming all our time and plunge us into the underworld of a ransomware attack.
“Our customer called to describe what was going on with his computer: all his files had a weird long extension at the end of their file names, and he could not open any of them” said Joaquin, Empowered IT Solutions President. “Right away I knew they had been hit by ransomware. Then another customer called me and all I could think of was ‘this can’t be happening… not to us’.” But it did. It happened to us just as it also happens to hundreds of other businesses.
These cyberattacks happen every day. Whether delivered through a phishing email campaign or by exploiting a software vulnerability in a targeted strike, attackers have picked up the pace of ransomware operations. According to U.S. Deputy Attorney General Rosenstein, citing FBI statistics, ransomware infects more than 100,000 computers around the world every day and ransom payments are approaching $1 billion. It is a growing and highly profitable business for cybercriminals.
In our case, the attack was launched in the late afternoon, with only a couple of hours of business time left. The first thing we did was connect with our Security Operations Center (SOC) to initiate our incident response plan. Our engineers, in coordination with the SOC, started the containment phase of the plan: disconnecting every affected machine from the network and the internet, and changing every single password on all servers, computers, and systems. While this was happening, the SOC started a forensic investigation to find the source of the attack. This phase was crucial: we had to identify and close the vulnerability so the attacker could not cause further damage or come back for a repeat hit.
Luckily, the customers whose servers were covered by our Backup and Disaster Recovery (BDR) system were able to keep their business functioning. The BDR is built to survive a ransomware attack: it takes an image of each whole server every hour, encrypts the backup, and stores it both locally on the BDR appliance and in the cloud for redundancy. The BDR essentially keeps a known-good copy of every server. How did this help? It made recovery fast, because the healthy server backups could be virtualized and brought online while the original hardware was being cleaned. But don’t take it from us; read a first-hand experience from one of our affected customers:
Unfortunately, those customers that had not deployed a BDR system faced a very disruptive, costly, and frustrating recovery. They had to deal with ransom negotiations, loss of data, and excessive business downtime. In their case, we assisted with the negotiations with the ransomware operators over the dark web to obtain the decryption keys required to regain access to the encrypted business-critical data. Even then, countless hours of manual effort were needed to reinstate systems.
By the end, hundreds of computers had been checked and sanitized of any trace of ransomware. Bare-metal restores were performed from the virtualized server backups to get customers back to normal operations. Our team worked 72 non-stop hours to restore customers’ systems. The rebuilding tested our strength and responsiveness, proving that our solutions and team of experts are reliable, efficient, and can be trusted.
The following Monday, all our customers were up and running with business as usual. At this point, our SOC finished the digital forensics to identify the method and entry point used by the attacker. Our SOC found the vulnerability that had been exploited to deploy Sodinokibi, the ransomware-as-a-service operation also known as REvil, a group of cybercriminals in the business of leasing its ransomware to affiliate threat groups. This same ransomware had been used against other major organizations such as JBS Foods, causing major disruptions in the meat processing industry. Luckily, Russia’s Federal Security Service arrested members of this group earlier this year after pressure from the USA.
You may ask, why are we sharing such a vulnerable story with the public? Because it is our belief that the more businesses know about this very real cyberthreat, the better they will know how to protect themselves. The takeaways from our ransomware experience are the following:
- It is essential to have a robust incident response plan that helps a team of experts and the affected organization focus on the most effective process to resolve the incident.
- It is fundamental to have a robust cybersecurity protection system, monitored and managed by a team of experts, so that incidents are prevented rather than remediated.
- It is indispensable to implement a reliable backup and recovery system. Reliable and tested, so that the backup is not found to be corrupt or incomplete at the moment it is needed.
- It is imperative to educate employees on cybersecurity so they can protect the business, follow all best practices, and know when to report an incident.
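The third takeaway (a backup that is tested before it is needed) and the BDR description above both come down to one discipline: never trust a backup you have not restored. The script below is an added example, not code from Empowered IT Solutions or from any BDR product. It builds a backup archive with an embedded SHA-256 manifest, then proves the archive by test-restoring it into a scratch directory and comparing every restored file against the manifest; a truncated archive (simulating a corrupted or ransomware-damaged backup) is shown failing the check. The source files, the manifest file name and the archive paths are all constructed for the demo; encryption and off-site copying, which the page's BDR also does, are left out.

```python
"""Backup-and-verify demo: archive files with a SHA-256 manifest, then test-restore
and compare. Added example; all paths and file contents are constructed here."""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # assumed name for the embedded hash list


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large server images do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, archive: Path) -> dict:
    """Archive every regular file under `source` plus a manifest of their hashes.
    Returns the manifest as {relative_posix_path: sha256_hex}."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for file in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = file.relative_to(source).as_posix()
            manifest[rel] = sha256_file(file)
            tar.add(file, arcname=rel)
        data = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def _safe_members(tar: tarfile.TarFile):
    """Refuse absolute paths and '..' so a tampered archive cannot write outside
    the restore directory during the test restore."""
    for m in tar.getmembers():
        parts = Path(m.name).parts
        if m.name.startswith("/") or ".." in parts:
            continue
        if m.isfile() or m.isdir():
            yield m


def verify_backup(archive: Path) -> tuple:
    """Test-restore `archive` into a scratch directory and check every file in the
    manifest exists and hashes correctly. Returns (ok, list_of_problems)."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        scratch_path = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch_path, members=list(_safe_members(tar)))
        except (tarfile.TarError, OSError, EOFError) as exc:
            return False, [f"archive unreadable: {exc}"]
        manifest_file = scratch_path / MANIFEST_NAME
        if not manifest_file.exists():
            return False, ["manifest missing"]
        manifest = json.loads(manifest_file.read_text())
        for rel, expected in manifest.items():
            restored = scratch_path / rel
            if not restored.exists():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"hash mismatch: {rel}")
    return (not problems), problems


def run_demo() -> dict:
    """Back up a constructed source tree, verify it, corrupt the archive by
    truncation, and verify again. Returns the outcomes for inspection."""
    with tempfile.TemporaryDirectory() as work:
        work_path = Path(work)
        source = work_path / "server_share"          # constructed sample data
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("date,amount\n2019-06-13,1200\n")
        (source / "contracts.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 512)
        (source / "notes.txt").write_text("backups are only real once restored\n")

        archive = work_path / "backup.tar.gz"
        manifest = create_backup(source, archive)
        clean_ok, clean_problems = verify_backup(archive)

        # Simulate a damaged backup: keep only the first half of the archive.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        corrupt_ok, corrupt_problems = verify_backup(archive)

        return {
            "file_count": len(manifest),
            "clean_ok": clean_ok,
            "clean_problems": clean_problems,
            "corrupt_ok": corrupt_ok,
            "corrupt_problems": corrupt_problems,
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run the same `verify_backup` on a schedule against the most recent archive and alert when it returns `False`; a hash mismatch or an unreadable archive discovered on a quiet Tuesday is a ticket, the same discovery at 5 p.m. on the day of a ransomware hit is a disaster.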
Whether you need help creating an incident response plan, deploying a backup and recovery system, or handling a ransomware attack, our team is knowledgeable and able to help with all your cybersecurity needs. We’ve been there and can help you navigate any cyberthreat; call us today.