Ransomware Recovery & Our Case Study

Purpose

This is a study of the impact of a real-world ransomware attack, the work required to recover from it, and what could have been done to prevent it in the first place.

We were called in to help the affected business recover its systems after a complete disaster, once it had lost confidence that its existing I.T. support could resolve the situation.

Malware and ransomware are a massive risk to every business, and an attack like this one can happen to anyone with poorly set up I.T. systems.

Summary

The Client contacted us after the ransomware attack had already taken place. We managed their other interests in Australia, but the affected business was located in Europe. The Client had lost faith in their in-house IT personnel as a result of the attack and wanted us to supervise the recovery process.

After scoping the issue remotely, we were asked to fly out on-site to get them back up and running, to see what could be recovered, and to protect them from any future ransomware attack.

Once your systems have been compromised they can no longer be trusted, so everything would need to be wiped and rebuilt. We knew that until our work was finished the Client would be unable to operate their business as usual. To add to the complexity, we were unfamiliar with the Client's line-of-business software, so liaison with those vendors would be a major part of restoring normal operations.

The Client's one saving grace was successfully negotiating the release of critical data from the attackers, because all of their backups had been encrypted as well.

Impact

In total, roughly eight servers were encrypted. Most of the important data was recovered, but not from backups, as the attackers had encrypted those too. Data was instead recovered by negotiating with the attackers and paying them to decrypt it. Though we are unable to share exact figures, the ransoms paid exceeded $100,000, and this was only a fraction of the total demanded. A third-party negotiator had the attackers decrypt the business-critical financial data first, as proof that their decryption worked; with that data in hand, negotiations were terminated.

In all, the Client experienced three weeks of downtime. The first week was spent planning with the ransomware negotiators, booking resources, contacting software vendors, and getting an accurate picture of the situation.

The second week entailed wiping every server, workstation and connected device. Once a network has been compromised, it is common for the attackers to leave a backdoor so that they can return and repeat the entire process, sometimes a year later, which is why nothing that had been on the network could be kept.

The third week was spent ensuring everything was back up and running and troubleshooting the teething issues that come with such a massive change in systems. We also needed to manage the handover from the in-house IT team to our Managed IT service.

COST

We estimated that the cost of the attack exceeded $750,000 once ransoms, vendor labour charges, our labour charges, lost productivity and lost contracts were taken into account. We were not able to put a value on the ongoing damage to the business from lost customer confidence and the re-creation of lost intellectual property.

Lessons

PREVENTION

The ransomware attack on the Client could easily have been avoided. We discovered that remote access to critical systems was open to the internet, protected only by a username and a basic password. Remote access to their servers should have been restricted to trusted sources rather than the whole internet, and a Multi-Factor Authentication policy enforced, so that a guessed or stolen password alone could not get an attacker in.
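
As an added illustration (not code from the case study, and not a tool the firm used), the following Python script shows how the exposure described here would surface in Windows logon telemetry: successful RDP logons whose source is outside the internal network, and a burst of failed logons from the same external address shortly before one succeeds. The log records are constructed for this example; Windows Security event IDs 4624 and 4625 and LogonType 10 (RemoteInteractive) are real, but the field names are simplified from the event XML, and the documentation address ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for real internet addresses.

```python
"""Flag internet-sourced RDP logons and password guessing that ends in a success.

Added example, not part of the original case study. Records are constructed and
modelled on Windows Security events 4625 (failed logon) and 4624 (successful
logon) with LogonType 10 = RemoteInteractive (RDP). Field names are simplified.
"""
import ipaddress
from datetime import datetime, timedelta

# Explicit list of "inside" ranges. ipaddress.is_private is deliberately not
# used: it also classifies the documentation ranges in the sample as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]


def is_internal(ip: str) -> bool:
    """True for RFC 1918, loopback or link-local sources; anything else is treated as internet."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # Windows logs "-" for logons with no network source
        return True
    return any(addr in net for net in INTERNAL_NETS)


# Constructed sample: five failed guesses against several accounts from one
# external address, then a successful RDP logon from that same address.
SAMPLE_EVENTS = [
    {"time": "2023-01-10T02:14:01", "event_id": 4625, "user": "administrator", "logon_type": 10, "ip": "203.0.113.45"},
    {"time": "2023-01-10T02:14:03", "event_id": 4625, "user": "administrator", "logon_type": 10, "ip": "203.0.113.45"},
    {"time": "2023-01-10T02:14:06", "event_id": 4625, "user": "admin",         "logon_type": 10, "ip": "203.0.113.45"},
    {"time": "2023-01-10T02:14:09", "event_id": 4625, "user": "backup",        "logon_type": 10, "ip": "203.0.113.45"},
    {"time": "2023-01-10T02:14:12", "event_id": 4625, "user": "administrator", "logon_type": 10, "ip": "203.0.113.45"},
    {"time": "2023-01-10T02:15:40", "event_id": 4624, "user": "administrator", "logon_type": 10, "ip": "203.0.113.45"},
    {"time": "2023-01-10T08:02:11", "event_id": 4624, "user": "jsmith",        "logon_type": 10, "ip": "10.0.0.21"},
    {"time": "2023-01-10T09:30:00", "event_id": 4624, "user": "svc_backup",    "logon_type": 3,  "ip": "10.0.0.50"},
    {"time": "2023-01-10T22:41:17", "event_id": 4624, "user": "contractor",    "logon_type": 10, "ip": "198.51.100.9"},
]


def external_remote_logons(events):
    """Every successful RDP logon from a non-internal address, as (user, ip).

    Any hit at all means the remote-access service is reachable from the
    internet with only a password in the way, the condition described above.
    """
    return [(e["user"], e["ip"]) for e in events
            if e["event_id"] == 4624 and e["logon_type"] == 10 and not is_internal(e["ip"])]


def guessing_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """External RDP successes preceded by >= threshold failures from the same IP within window."""
    ordered = sorted(events, key=lambda e: e["time"])   # ISO-8601 strings sort chronologically
    hits = []
    for i, e in enumerate(ordered):
        if e["event_id"] != 4624 or e["logon_type"] != 10 or is_internal(e["ip"]):
            continue
        t_ok = datetime.fromisoformat(e["time"])
        failures = [f for f in ordered[:i]
                    if f["event_id"] == 4625 and f["ip"] == e["ip"]
                    and t_ok - datetime.fromisoformat(f["time"]) <= window]
        if len(failures) >= threshold:
            hits.append({
                "ip": e["ip"],
                "user": e["user"],
                "failures": len(failures),
                "accounts_tried": sorted({f["user"] for f in failures}),
                "success_at": e["time"],
            })
    return hits


if __name__ == "__main__":
    for user, ip in external_remote_logons(SAMPLE_EVENTS):
        print(f"RDP logon from internet address {ip} as {user}")
    for hit in guessing_then_success(SAMPLE_EVENTS):
        print(f"{hit['failures']} failed guesses from {hit['ip']} "
              f"({', '.join(hit['accounts_tried'])}) then success as {hit['user']} at {hit['success_at']}")
```

Either list being non-empty is the finding: the first shows the service is exposed, the second shows someone is working through passwords against it. With MFA enforced, the fifth failure would still be followed by a success in the log, but the attacker would be stopped at the second factor; with access restricted to trusted sources, the events would never be generated at all.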

Backups would also have saved the Client; however, the same credentials that gave access to their production systems also gave access to their backups. It is common for ransomware attackers to search for backups and encrypt them to prevent recovery, which is exactly what happened here. Backup systems should use credentials separate from the accounts used to administer production, so that one stolen password cannot reach both.

Likewise, the rule of three should have been applied (keep three copies of your data): one copy is your live data, the second is your local backup, and the third is an offsite backup that the compromised network cannot reach. With no offsite backup, there was no chance of recovery without paying.

COMMUNICATION

It is difficult to be certain in situations where we arrive after the fact, but there was evidence that the IT department had been unable to communicate to management the importance of spending appropriately on disaster recovery. We were told that improvements to the backups had been proposed and rejected by management; in our experience, a proposal that does not come with a proper cost-risk-benefit analysis nearly always fails.

TRUST

In this ransom event there was one repeating theme beyond the failure of network security and disaster prevention, and that was trust. Management did not trust their IT department, and the IT department did not trust management. Since this event, and their transition to our service, the trust issue has been resolved, hopefully permanently. Some of our clients have been happy with our service for more than 20 years.

To this day we continue to work with them to review and secure their systems, improve their workflow, and advise them on all IT matters, despite being half a world apart.