PROACTIVE PLANNING TO ENSURE BUSINESS CONTINUITY
For the past two years, Roca Inc. has been working with Tech Networks to review and consistently improve Roca’s security as part of an overall infrastructure upgrade. These preventative efforts ended up paying dividends when Roca was hit with a ransomware attack on Easter Sunday 2017. This attack made company files inaccessible, leaving most of their employees unable to work for several hours.
HOW THE ATTACK HAPPENED
The ransomware appears to have been introduced onto Roca’s network by a hacker using a password generator to infiltrate a staff account. One of Roca’s employees then noticed the files on their network drive looked different and could not be opened. Upon further investigation, our engineer confirmed that the files were encrypted and ransom notes had been posted in all file folders. The Business Continuity Plan developed jointly by Roca and Eric Harris, Tech Networks’ IT Director assigned to Roca, had anticipated the risk of such an event, and established a recovery procedure for Roca’s data in the event that the worst should happen.
The recovery procedure incorporated the following preventative measures:
- The file server had been configured to retain previous versions (shadow copies) of files with as much historical retention as possible.
- Local backups were maintained.
- The Endpoint Security solution was kept up to date on client workstations and the File Server.
- A robust password policy was implemented via group policy on the Domain.
- File access Auditing was enabled on the File Server.
Even with these measures in place, the ransomware was sophisticated enough to infect the server.
“As you know, the ransoms that are being demanded in these situations can be large and often need to be paid. Fortunately, Roca was prepared for this because of the work that Eric has been doing with us over the past two years.”
– Scott Blackman, CFO, Roca Inc.
THE REMEDIATION PROCESS
Once the attack was recognized, Tech Networks staff immediately started working to isolate the affected machines to prevent further spread, and recover the infected files in order to get Roca back up and running. The first step was to find the user account that had been used to encrypt the files. Tech Networks then had all employees at Roca shutdown and unplug their workstations to remove them from the network. The most recent backup files were then restored, and checks made to ensure that there were no further signs of encrypted files or ransom notes. The user who had their account compromised had their computer wiped and then restored. With proper backups in place, the recovery process took only a few hours and the organization was back up and running, with no payment to the cybercriminals!
TAKEAWAYS
No organization likes to be the target for cybercriminals, or subjected to ransomware attacks. However, with detailed assessment of the risks, and the creation of preventative measures as part of disaster planning process, organizations can have the confidence that disruption and downtime will be kept to a minimum in the unfortunate event that malicious software is inadvertently introduced into their environment.
Cybercrimes are unavoidable these days, as hackers spend countless hours trying to bypass the latest firewalls, antivirus, and security products. The best defense is to train your users and enable strict password policies. When sending passwords over email, always make sure to use encrypted messages, and change passwords every three months. Ensure operating systems are kept up to date by implementing a structured patching policy for security updates.
The ultimate key to beating ransomware is to prevent, not react.
“Once the issue was identified, there was no panic and we moved forward to resolve the issue as previously planned and communicated to the Roca employees. The system was fully restored within a few hours with little operational disruption. ”