Data Backups Can Save You Thousands When Ransomware Gets Into Your System.
Nobody ever thinks they’ll be the target of a data breach or be held hostage by ransomware, but it happens. If this happens to you, take two Advils and call me in the morning. I want to tell a quick story of what it looks like when a company or an organization recovers from a breach: a company that thought it had taken the right precautions and was using the right technologies.
Remember, your data may not be of great value to the bad actors, but it is important to you. That should be your motivation to learn from this article and take appropriate actions.
I got a call in the week between Christmas and New Year from a partner specializing in cybersecurity. They were working with a new client who was dealing with a data breach and a suspected ransomware infection. They were in the assessment phase of the incident but asked us to be prepared to assist in remediating the environment. Here is what they knew so far.
What happened to the client
- The bad actors had gained access through the client’s current IT vendor’s administrative account, which had a weak password.
- The bad actors had been inside the network for a considerable period. How long is still under assessment, but forensics will be limited due to several factors, which I will touch upon further down.
- The current IT vendor had initially diagnosed the issue as a hardware failure, so time was wasted chasing the wrong diagnosis.
- During the initial troubleshooting phases, the IT vendor restarted devices such as the firewall that held key logs which would have helped in the forensics of the breach, effectively destroying the evidence behind the breach.
- And of course, the worst: the company thought it was paying for an off-site backup, but when it came time to initiate disaster recovery it was discovered that there was no functioning off-site backup, and all on-site backups had been encrypted (because that’s what the bad actors do).
What the client was prepared to do about the attack
The initial outage occurred just before Christmas. It is now the beginning of the New Year, and the client still has no access to data and no response from their now ex-IT partner. Keep in mind the client has about 25 to 50 users who can’t do their work because of the attack, costing the company as much as $20,000 a day.
- The client engaged a law firm to negotiate the ransom with the bad actor.
- Oxygen, in partnership with the cybersecurity company, started remediation. The first step was to clean the endpoints and confirm they were not points of exposure.
- The second step was to take snapshots of the existing infrastructure. Even though the servers were encrypted, we needed them for possible forensics.
- The final step was to create a sandbox in which we could spin up the recovered data and securely bring the infrastructure back online. Unfortunately, we had no timeline for when it would be accessible. It was “hurry up and wait.”
I don’t recommend ever putting yourself in this type of situation. You never want to be down this long, and you never want to pay the ransom. I can’t stress this enough: make sure you have backups and make sure your environment is secure! If you don’t know, give me a call and we can look into it together.
Needless to say, we’re good at our job and got everything up and running for the client again. We made sure there is an off-site backup of the client’s data. In the event something like this happens again, they will only be down for a few days instead of a few weeks, and they won’t have to pay the ransom. We looked at the whole IT ecosystem with the cybersecurity firm to make sure the client’s environment is secure.
Push your IT resources and ask them questions like:
- What is our disaster recovery plan, and where are our backups stored?
- What is our security posture, and who provides a third-party audit to confirm it is sufficient?
- What does it cost our organization in hard and soft costs if we cannot access our data?
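The first of those questions is only answered by evidence, not by an invoice for an off-site backup service. Below is an added example, not Oxygen’s tooling or anything from the client’s environment, of the kind of scheduled check that would have caught both backup failures in this story: a backup set that is missing, stale, or whose contents no longer match the hashes recorded when it was taken (which is what encrypted backups look like), verified by actually restoring the files to scratch space and hashing them. The directory layout, the 24-hour freshness limit, the manifest format and the sample files are all assumptions constructed for the example.

```python
"""Backup health check: proves an off-site backup set exists, is fresh, matches the
hashes recorded at backup time, and can actually be restored.
Hypothetical example; paths, thresholds and sample data are assumptions."""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import Optional

# Assumed policy: an off-site copy older than this counts as a failed backup.
MAX_BACKUP_AGE_HOURS = 24


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(backup_dir: Path, manifest_path: Path) -> dict:
    """Run at backup time: record a hash for every file in the set.
    Keep the manifest where the backup job (and an attacker holding its credentials)
    cannot rewrite it later, otherwise encrypted backups could be 're-hashed' to match."""
    files = {str(p.relative_to(backup_dir)): sha256_file(p)
             for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    manifest_path.write_text(json.dumps({"created": time.time(), "files": files}))
    return files


def check_backup(backup_dir: Path, manifest_path: Path, now: Optional[float] = None,
                 max_age_hours: float = MAX_BACKUP_AGE_HOURS) -> dict:
    """Answer 'do we have a working off-site backup?' with findings a human can act on."""
    now = time.time() if now is None else now
    findings = []
    if not manifest_path.is_file():
        return {"ok": False, "findings": ["no manifest: backup job never completed"],
                "files_checked": 0}
    manifest = json.loads(manifest_path.read_text())
    age_hours = (now - manifest["created"]) / 3600
    if age_hours > max_age_hours:
        findings.append(f"backup is {age_hours:.1f}h old (limit {max_age_hours}h)")
    if not backup_dir.is_dir():
        findings.append("off-site copy missing")
        return {"ok": False, "findings": findings, "files_checked": 0}
    checked = 0
    # Restore test: copy the set into scratch space and hash the restored files,
    # so the check exercises what we would actually recover from.
    with tempfile.TemporaryDirectory() as scratch:
        restore_root = Path(scratch) / "restore"
        shutil.copytree(backup_dir, restore_root)
        for rel, expected in manifest["files"].items():
            restored = restore_root / rel
            if not restored.is_file():
                findings.append(f"{rel}: missing from backup set")
            elif sha256_file(restored) != expected:
                findings.append(f"{rel}: content changed since backup (encrypted or corrupted?)")
            checked += 1
    return {"ok": not findings, "findings": findings, "files_checked": checked}


def demo() -> dict:
    """Constructed scenario (not real client data): a healthy set, then the failure
    modes from the incident: stale copy, encrypted backup files, no off-site copy."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        offsite = root / "offsite" / "backup-set"
        (offsite / "db").mkdir(parents=True)
        (offsite / "db" / "accounting.sql").write_bytes(b"INSERT INTO invoices VALUES (1, 1999.00);\n")
        (offsite / "files.tar").write_bytes(os.urandom(4096))
        manifest = root / "manifest.json"      # assumed to live on write-once storage
        write_manifest(offsite, manifest)
        results["healthy"] = check_backup(offsite, manifest)
        results["stale"] = check_backup(offsite, manifest, now=time.time() + 72 * 3600)
        # Ransomware encrypting the backup archive in place: same name, different bytes.
        (offsite / "files.tar").write_bytes(os.urandom(4096))
        results["encrypted"] = check_backup(offsite, manifest)
        # The 'no functioning off-site backup' discovery from the story.
        shutil.rmtree(offsite)
        results["missing"] = check_backup(offsite, manifest)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "OK" if result["ok"] else "FAIL", result["findings"])
```

Run it from a host that the backup job and the IT vendor’s account cannot write to, and treat any non-empty findings list as an outage ticket, not an informational alert. A full disaster recovery test goes further (restoring into an isolated sandbox and booting the servers, as in the remediation above), but this level of check is enough to turn “we think we have an off-site backup” into a daily yes or no.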
If you have any questions or concerns, just reach out. We’re here to help.
The Team at Oxygen:
204.231.3237 option 1