Ransomware incident response: How three companies handled attacks
While the threat of ransomware attacks on enterprises is growing in both scale and sophistication, many less cyber-mature organisations aren’t aware when breaches occur on their networks – and they certainly aren’t always open about them when they happen.
Yet over the next couple of years, the threat from malware attacks is set to grow further, according to security executives polled by ThoughtLab, who predict a rise in attacks from social engineering and ransomware as nation-states and cybercriminals grow more sophisticated.
These attacks will infiltrate networks via misconfigurations in software, human error, poor maintenance and unknown assets.
As we reveal in TechInformed’s deep-dive report into ransomware (published daily this week), the idea of criminals breaching a system and then holding its valuable data sets hostage remains a top concern for executives, who then face a tough decision on whether or not to pay the ransom.
Cybersecurity firm Kaspersky found that 56% of businesses had a policy not to pay ransoms in 2021. This is supported by the FBI, which has repeatedly warned that paying hackers only emboldens them. Yet even if businesses do pay out, they face potential legal and regulatory issues, plus there is no guarantee that the ransomer will return access or data.
According to Veeam’s Ransomware trends report 2022, one in four (24%) organisations were unable to recover the data even after paying the ransom. Notably, one in five (19%) businesses that didn’t pay the ransom were in fact still able to recover it, and in a few cases (5%), no ransom was requested, illustrating the inconsistencies of ransomware attacks.
Whether or not a business decides to pay a ransom depends on its ability to restore its data from backups. Cyber attackers are essentially “selling the ability to retrieve data” – if a business fails to restore the data, paying a ransom is the most likely option.
TechInformed looks at three businesses that experienced ransomware attacks and the methods they used to resolve them.
Oceanscan: ransomware recovery
Oceanscan is an international equipment company based in Aberdeen, Scotland, that provides advanced technology to the oil and gas, petrochemical, defence, and nuclear industries. With over 1,000 global customers, the company’s services range from the rental of testing, calibration and survey equipment to providing personnel to the offshore oil and gas markets.
In late September 2021, Sukumar Panchanathan, group IT manager at Oceanscan, received news that a sophisticated strain of ransomware had infected Oceanscan’s entire network, encrypting multiple file layers and putting the company at risk of potential downtime and lost revenue.
“Everyone’s initial thought is, ‘We are doomed.’ If attackers can infect organisations like the Pentagon and the CIA, then what is Oceanscan? Nothing,” Panchanathan said. “When disasters like this happen, it’s the responsibility of the head of IT — my responsibility — to steer us out of it.”
Panchanathan had prepared for a ransomware attack a decade in advance by partnering with a disaster recovery provider, iland. By planning, implementing, and testing an in-depth security strategy that is multi-layered, integrated, and ready, the organisation was able to limit the damage inflicted by the attack.
Using US-based iland’s disaster recovery as a service (DRaaS) and cloud backup system, Oceanscan had the security, replication and failover capabilities it needed to ensure the company’s data stayed online and available.
With the company’s on-premise environment compromised, but its workloads already successfully replicated to the cloud following the attack, Oceanscan decided to move away from its on-premise production environment entirely and leverage iland’s cloud-based infrastructure.
The disaster had, in effect, transformed the company’s infrastructure and business model for the better, according to Oceanscan, giving Panchanathan the tools he needed to move away from on-prem altogether and adopt an entirely cloud-based infrastructure.
In the following weeks, Oceanscan transitioned from iland DRaaS to iland IaaS and it has been running “effectively” ever since.
“We don’t have anything on-premises anymore, which means no more capital expenditures in the future,” Panchanathan concluded.
Greystone: recovering lost data
A customer of IT service firm Greystone suffered an email-based ransomware attack. Emails containing malware were received and opened by a member of staff, and the user’s computer was subsequently infected.
This resulted in the ransomware encrypting a large number of company files across the network, including files essential to the running of an accounting application. Essentially, the attack left the customer with an infected computer, several critical file shares which became inaccessible, and its accounting system left completely out of action.
Shortly after the users reported issues, the customer contacted Greystone. The firm’s support team tracked and isolated the user that had encrypted the files in question (i.e. the point of entry), and the PC was isolated from the network and its account disabled. The customer file structure was then scanned to pinpoint exactly which files had been encrypted.
Using a recovery process, the compromised files were restored – including the accounting system files. And to mitigate the possibility of future attacks, additional technologies were implemented, such as Software Restriction Policies (SRP) – which stop unauthorised programs from executing on any computer in the network – and File Server Resource Manager (FSRM) filters that detect if files are being encrypted by ransomware, block its access and send IT staff an alert message.
Even though the customer was subject to a “significant” attack, according to Greystone, the damage was reduced through the file permissions in place. All the lost data was recovered and the customer now has additional layers of security in place to prevent the threat of future attacks.
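The scan Greystone describes, pinpointing which files on a share had been encrypted, can be approximated by checking file headers against their extensions and measuring entropy where no header is expected. This is an added example, not Greystone’s tooling; the function names, the 7.5 bits-per-byte threshold and the sample files are constructed assumptions.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Well-known leading bytes for a few formats; extend for the file types in use.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".zip": b"PK\x03\x04",
         ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune per environment

def shannon_entropy(data):
    """Shannon entropy in bits per byte (0 for empty input, at most 8)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_file(path, sample_size=65536):
    """Return why a file looks encrypted, or None if it looks intact."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    if expected is not None:
        # Compressed formats are high-entropy by design, so check the header.
        return None if head.startswith(expected) else "header mismatch"
    # No known header: fall back to entropy (very small files score low).
    return "high entropy" if shannon_entropy(head) >= ENTROPY_THRESHOLD else None

def scan_tree(root):
    """Walk root and map each suspicious relative path to its reason."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            reason = triage_file(full)
            if reason:
                hits[os.path.relpath(full, root)] = reason
    return hits

def build_demo_tree():
    """Constructed sample share: three intact files, two 'encrypted' ones."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    samples = {"ledger.csv": b"date,amount\n2021-09-30,100.00\n" * 50,
               "report.pdf": b"%PDF-1.7\n" + b"plain body text " * 100,
               "archive.zip": b"PK\x03\x04" + noise,
               "invoice.pdf": noise, "notes.txt": noise}
    root = tempfile.mkdtemp(prefix="triage_demo_")
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root
```

Calling `scan_tree(build_demo_tree())` flags only `invoice.pdf` and `notes.txt`; a header check alone will miss files whose first bytes were left intact.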
Construction firm compromised
According to technology solutions provider Network Coverage, a construction management company suffered a ransomware attack infecting its backups and internal workstations. The company’s ability to function at capacity was compromised, leaving 30 employees unable to work for 10 days while its data was held to ransom. Network Coverage declined to name the client.
The company’s disaster recovery provider was unable to prevent the attack. The firm also had no backup of its data even though it was falsely under the impression that it had.
The attack led to over $100,000 lost in productivity and business, alongside a $60,000 ransom request in bitcoin to restore its data.
Since all on-site backups had been compromised and no off-site backups were in place, the company was forced to pay the ransom. The business then contacted Network Coverage to facilitate the recovery of the business, and after 24 hours, it was up and running at capacity.
Following the recovery, Network Coverage put security measures in place to bolster its client’s business. It also implemented a secure, automated, reliable backup system to prevent data loss and protect against the impact of future threats.