At D2NA, we are committed to the fight against cyber crime and cannot emphasise enough the importance of being prepared and staying protected. As an IT Service Provider it is a given that we have had to deal with Ransomware attacks on our customers – the rapid rise in incidents actually inspired us to create Security Essentials, an ongoing security support service for comprehensive protection.
We developed this Case Study of a recent real attack on one of our customers in order to emphasise the threat of Ransomware to your business operations, to show you how ransomware typically infiltrates organisations and how it can cause significant damage if measures are not put in place to prevent such attacks.
What was the Ransomware?
In this instance, our customer was hit by Zepto Ransomware. It’s a variation of the infamous Locky Ransomware, a particularly nasty virus where cyber criminals scramble files, renaming them so they have the extension “.locky”, and then demand a ransom for the necessary decryption keys.
How was it downloaded?
An employee used a business laptop to browse to malicious websites while at home and got infected. He then unintentionally spread the ransomware on the network by connecting his laptop to the corporate network when he was in Head Office.
What immediate effect did it have on the customer’s IT systems?
All the data on the corporate network was encrypted bringing operations to a complete halt.
How did D2NA initially respond?
Upon receiving the call to report the attack, we immediately switched off and disconnected all devices from the network to prevent the infection spreading. We then invoked the “D2NA Major Incident” process, which is a set of actions and procedures we take when a customer is experiencing a major issue: an Incident Manager was assigned and an engineer was immediately dispatched to site. Once all onsite devices were switched off, a second engineer could remotely start the ‘clean-up’ of all servers, PCs and laptops. All corrupt files were then restored from backups.
During the whole recovery process, the Incident Manager sent hourly updates to the business manager, advising on the progress and implications.
How long did it take to get the customer back online and what were the financial implications?
Luckily, our customer was semi-operational via backup laptops within the first hour. However, overall it took 1 full day to complete the scan and data restoration process. Including the cost of only being semi-functional for 24 hours, the customer also incurred the cost of our onsite and remote professional services to restore their data and stop the attack.
What did D2NA do to fix the issue? How did D2NA ensure data was recovered?
At D2NA we keep daily backups of our customer data in two formats:
- Onsite: This backup type is a daily copy of the data which is stored locally
- Offsite: Offsite backups are stored in the Cloud and are also done daily. We use these should any onsite backups be infected by Ransomware. In this case, the onsite data was intact. As the customer’s backups are done on a daily basis, our customer didn’t lose any data and we were able to recover all of it.
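Deciding that “the onsite data was intact” before restoring from it is a check worth automating. The script below is an added example written for this case study, not D2NA’s own tooling: it walks a backup snapshot and counts three indicators of Locky-family activity (files renamed with the “.locky” suffix the page describes, a ransom-note file name, and text files whose content is near-random, which suggests they were encrypted in place without being renamed), then picks the onsite copy if it is clean and falls back to the offsite copy otherwise. The ransom-note name and the sample files it creates in a temporary directory are constructed placeholders.

```python
"""Sanity-check a backup snapshot before restoring from it.

Added example (not D2NA's tooling): decides whether an onsite snapshot looks
untouched by ransomware or whether the offsite copy should be used instead.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Suffix the case study names for the Locky family; extend for other families.
ENCRYPTED_SUFFIXES = {".locky"}
# Placeholder ransom-note file name (constructed for this example); use the
# note names documented for the family you are actually dealing with.
RANSOM_NOTE_NAMES = {"HOW_TO_DECRYPT.txt"}
# File types that should be low-entropy text; a near-random one of these
# suggests it was encrypted in place without being renamed.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".html", ".xml"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; random/encrypted data sits near 8.0
SAMPLE_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given sample."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_snapshot(root) -> dict:
    """Walk a snapshot and count ransomware indicators.

    Returns the counts plus a 'safe' verdict that is True only when no
    indicator fired anywhere in the snapshot.
    """
    root = Path(root)
    report = {"total_files": 0, "encrypted_names": 0,
              "ransom_notes": 0, "high_entropy_text": 0}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        report["total_files"] += 1
        if path.suffix.lower() in ENCRYPTED_SUFFIXES:
            report["encrypted_names"] += 1
        elif path.name in RANSOM_NOTE_NAMES:
            report["ransom_notes"] += 1
        elif path.suffix.lower() in TEXT_SUFFIXES:
            with path.open("rb") as fh:
                sample = fh.read(SAMPLE_BYTES)
            if shannon_entropy(sample) > ENTROPY_THRESHOLD:
                report["high_entropy_text"] += 1
    report["safe"] = (report["encrypted_names"] == 0
                      and report["ransom_notes"] == 0
                      and report["high_entropy_text"] == 0)
    return report


def choose_restore_source(onsite: dict, offsite: dict):
    """Prefer the local copy; fall back to the cloud copy; refuse if both look hit."""
    if onsite["safe"]:
        return "onsite"
    if offsite["safe"]:
        return "offsite"
    return None


def build_sample_snapshot(infected: bool) -> Path:
    """Create a constructed snapshot in a temp dir so the example runs offline."""
    root = Path(tempfile.mkdtemp(prefix="snapshot-"))
    (root / "finance").mkdir()
    plain = {
        "finance/accounts.csv": b"date,amount\n2016-07-01,120.00\n" * 40,
        "memo.txt": b"Quarterly memo: review backup rotation.\n" * 40,
        "policy.html": b"<html><body>Acceptable use policy</body></html>\n" * 20,
        "notes.txt": b"Site visit notes, nothing unusual.\n" * 40,
    }
    for name, body in plain.items():
        (root / name).write_bytes(body)
    if infected:
        # Two files renamed with the family's suffix and filled with random bytes.
        for name in ("finance/accounts.csv", "memo.txt"):
            (root / name).unlink()
            (root / (name + ".locky")).write_bytes(os.urandom(SAMPLE_BYTES))
        # One file encrypted in place, keeping its name (caught by the entropy check).
        (root / "notes.txt").write_bytes(os.urandom(SAMPLE_BYTES))
        (root / "HOW_TO_DECRYPT.txt").write_bytes(b"pay to recover your files\n")
    return root


if __name__ == "__main__":
    onsite = scan_snapshot(build_sample_snapshot(infected=True))
    offsite = scan_snapshot(build_sample_snapshot(infected=False))
    print("onsite:", onsite)
    print("offsite:", offsite)
    print("restore from:", choose_restore_source(onsite, offsite))
```

The entropy check is deliberately limited to file types that should be plain text: compressed or media files (zip, jpg, docx) are legitimately high-entropy and would otherwise produce false alarms. A real run would point `scan_snapshot` at the mounted snapshot rather than the constructed one, and any non-zero count is a reason to restore from the offsite copy and investigate how the backup was reached.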
Did D2NA provide any recommendations to prevent this happening again?
This attack was the result of a staff member unknowingly infecting the whole business network by navigating to malicious websites. This could have been prevented had the customer had a robust Web Filtering product such as Webroot installed on all end user devices.
Nowadays it’s absolutely critical not only to implement some form of protection but also to have a Security Disaster Recovery plan in place. At D2NA, we provide both Web and Email filtering and Ransomware Incident Management as part of our Security Essentials monthly support package. We also offer a comprehensive Disaster Recovery service, which this customer luckily had in place, meaning we were able to successfully prevent any data loss. However, had they also had our Security Essentials support package, it is highly likely the web filtering would have totally prevented the Ransomware and the resulting disruption. Had the virus still managed to infiltrate their systems, our time to assist would have been covered as part of their Security contract, meaning no unexpected bills.
If you would like to know more about our Security Services or Ransomware in general, please do not hesitate to contact us.