by Thomas Kinsinger
Director of Technology, E-N Computers
20+ years experience in enterprise IT and managed services.
Imagine having all 150 of your desktop computers shut down across seven locations, your four servers and VPN compromised, your backup disk failing, losing the last 30 days of emails, having your website taken down, and receiving a hacker demand for $500,000 or your employees’ salaries will be posted online.
That’s the panicked call we received from a local farm supplies retailer. This attack could have spelled the end of their business. Instead, this Augusta-area retailer called us at 4 p.m., and we worked all night to get very basic services going at their headquarters before the next morning. We had them up and (mostly) running within a week.
What happened after that phone call can help you avoid the same pain and let you know what we—and you—can do if you’re ever the victim of a cyberattack.
If you’re a Virginia or Washington, D.C.-area business who’s just received the shocking news that you’re the victim of a ransomware attack, we may be able to help.
We hope, though, that you are here because you want to avoid an attack in the first place. In that case, this case study can help you see how an incident response might unfold. We also provide free resources for developing your own incident response plan and a complimentary assessment to uncover your current vulnerabilities.
E-N Computers is a top 5 regional managed IT services provider with nearly 30 years of experience specializing in non-profits, healthcare, manufacturing, design and other highly regulated industries.
QUICK ANSWER:
How can I recover from a ransomware attack?
Develop an incident response plan (IRP) now that identifies your response team members, their roles, and the process you will follow. If you don’t have one, a qualified IT managed services provider can help you limit the damage, investigate your vulnerabilities, restore your data and systems, and improve your security after the fact.
How the hackers got in
The retailer’s remote access ran through a VPN on their firewall. That firewall was out of date and had known, unpatched vulnerabilities. The attackers got in through the VPN and stole the IT manager’s credentials. Because those were domain admin credentials, nothing stood between the attackers and every machine: they used them to push a ransomware package to all seven of the retailer’s locations at once.
The ransomware copied files—particularly financial data—and then encrypted all the computers. The hackers emailed the data to the retailer, demanding $500,000 to prevent the release of salary information.
While the company and the FBI negotiated with the hackers, we worked on getting the retailer back up and running.
How we helped a crippled business recover
After the phone call, we provided a team of five technicians and engineers with boots on the ground within two hours. We worked through the night. With me acting as a virtual chief security officer, we spent the first few hours reviewing what happened and creating a roadmap for our next steps.
It was pretty impressive, actually. We worked all night. Our team members stepped up and were willing to work the overtime. They did a really good job.
By the next morning the organization wasn’t fully operational, but they could at least do some basic operations as a retailer. While we got the business up and running in about a week, it took three months for them to become fully functional again.
We had to factory reset all computers. This was during COVID-19, making it difficult to purchase new equipment. We had to rebuild what they had with limited resources, even scrounging up used firewalls since new ones weren’t available.
Before the attack, the company backed up their files to removable disk drives, swapping disks on a rotation throughout the week. The attackers timed their strike for just before a scheduled backup, so the most recent work had never been written to disk. Worse, the most recent disk in the rotation had been malfunctioning for months, and nobody had noticed because nobody had ever tried restoring from it. Under their rotation the recovery point should have been at most five days old; the newest usable backup was 30 days old. We were at least able to restore that data.
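Both failures in that backup scheme, a disk that silently stopped taking backups and a recovery point far older than the rotation was supposed to allow, are caught by a routine restore test that checks file hashes and the age of the newest good set. The following Python is an added example, not E-N Computers’ tooling or anything from the retailer’s environment; the backup sets, file contents, dates and the five-day limit are constructed to mirror the scenario above.

```python
"""
Backup restore test: verify each backup set by hash and report the age of the
newest set that restores cleanly. Illustrative example only; all backup sets
and file contents below are constructed, not real data.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class BackupSet:
    label: str
    completed: Optional[datetime]   # None: the job never finished (media failure)
    manifest: Dict[str, str]        # path -> sha256 recorded when the backup ran
    restored: Dict[str, bytes]      # path -> bytes actually read back in a test restore


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_restore(b: BackupSet) -> List[str]:
    """Return integrity problems for one backup set (empty list means it is good)."""
    if b.completed is None:
        return [f"{b.label}: no completed backup on this media"]
    problems = []
    for path, expected in b.manifest.items():
        data = b.restored.get(path)
        if data is None:
            problems.append(f"{b.label}: {path} missing from restore")
        elif sha256(data) != expected:
            problems.append(f"{b.label}: {path} hash mismatch after restore")
    return problems


def recovery_point_age(sets: List[BackupSet], now: datetime) -> Optional[int]:
    """Age in days of the newest set that restores cleanly, or None if none does."""
    good = [b for b in sets if not verify_restore(b)]
    if not good:
        return None
    newest = max(good, key=lambda b: b.completed)
    return (now - newest.completed).days


def check_backups(sets: List[BackupSet], now: datetime,
                  max_rpo_days: int = 5) -> Tuple[bool, List[str]]:
    """Overall verdict. The five-day default matches the rotation in the article."""
    findings: List[str] = []
    for b in sets:
        findings.extend(verify_restore(b))
    age = recovery_point_age(sets, now)
    if age is None:
        findings.append("no backup set restores cleanly")
    elif age > max_rpo_days:
        findings.append(f"newest good backup is {age} days old (limit {max_rpo_days})")
    return (not findings, findings)


# Constructed sample data modelled on the rotation described in the article.
NOW = datetime(2021, 3, 15)
LEDGER = b"date,account,amount\n2021-02-10,sales,1200.00\n"
STOCK = b"sku,qty\nFEED-50LB,240\nFENCE-T-POST,310\n"


def sample_sets() -> List[BackupSet]:
    good = {"finance/ledger.csv": LEDGER, "inventory/stock.csv": STOCK}
    manifest = {p: sha256(d) for p, d in good.items()}
    return [
        # Oldest disk: complete and intact.
        BackupSet("disk-1 (oldest)", NOW - timedelta(days=30), manifest, dict(good)),
        # Middle disk: one file came back as zeros (partial write / media error).
        BackupSet("disk-2", NOW - timedelta(days=9), manifest,
                  {**good, "inventory/stock.csv": b"\x00" * 16}),
        # Most recent disk: had silently stopped working months ago.
        BackupSet("disk-3 (most recent)", None, manifest, {}),
    ]


if __name__ == "__main__":
    ok, findings = check_backups(sample_sets(), NOW)
    print("OK" if ok else "FAIL")
    for f in findings:
        print(" -", f)
```

Run on the constructed sets, the check fails with three findings: a hash mismatch on disk-2, no completed backup on disk-3, and a newest good backup 30 days old against a five-day limit. The point is that the verdict comes from an actual restore and hash comparison, not from the backup job’s own “success” status, which is exactly what a silently failing disk would have reported for months.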
The business had an outdated Exchange server, which we promptly migrated to Microsoft 365. Unfortunately, we couldn’t access local PST files on the encrypted computers, resulting in the loss of 30 days’ worth of email and five days of accounting software entries.
The business never paid the ransom. However, about a year and a half later, the salary information did appear online.
What went wrong to allow a ransomware attack
We had been trying to bring this business on as a managed services client for years (they were previously only a phone and internet client), but the retailer’s upper management didn’t see the value in preventative IT maintenance and monitoring. The assistant general manager mentioned in an interview in an agricultural magazine that it’s normal for less than 1% of gross revenue to be budgeted for technology in the agriculture industry. A survey by Deloitte found the average across all industries to be 3.28 percent, while other studies find 8% to be more realistic.
Not wanting to invest in managed services was a big issue. Because of that, very basic cybersecurity measures were ignored:
- The retailer had no password policy. Users kept the same passwords for years. (It was ugly.)
- The business did not use multi-factor authentication.
- They had no consistent antivirus software; different computers ran different products, and none of it was centrally managed.
- Their IT manager was overwhelmed, wearing many other hats. Nobody was really monitoring their systems.
- They didn’t test their backups.
- They didn’t patch or update important equipment like their firewall.
Two things to remember about cyber insurance
Here are two tips about cyber insurance that we learned through this experience. One is that you can let your insurance company know in advance who you would like to work with in the event of a cybersecurity incident. Otherwise, you might be stuck with the tools and providers they offer. The providers might not be able to give you local hands-on assistance or have the previous familiarity with your business that we have.
So if you’re working on your incident response plan, think about who you want to have helping you in the unfortunate event of a security incident.
The second is not to expect cyber insurance to make all of your problems go away. Yes, insurance will help you with a lot of the costs of a cyber attack. But most aren’t going to cover the total cost of your downtime (like paying employees who can’t work because systems are down) nor can they repair your reputation. Don’t get cheap or casual about your cybersecurity just because you have insurance.
In this case, employees of this company had their social security numbers posted online. How do you recover the trust of your employees when you took their privacy lightly? How do you recover the trust of customers when you aren’t protecting their information?
How to avoid a ransomware attack
Our managed services clients follow industry best practices for backup and recovery, network monitoring, access control, and multi-factor authentication. We also help our clients create a recovery plan in advance of a disaster like the one experienced by this retailer.
If you’ve already been the victim of a cyberattack, we can help you recover with our standalone cybersecurity projects. As you’ve seen, we have a tight-knit team that will muster up quickly and work all night if needed to get you going again.
But we’d much rather help you avoid an attack in the first place. Review our cybersecurity incident response guide and our backup and disaster recovery guide to see how ready you are.
Better yet, reserve a complimentary vulnerability assessment with one of our veteran engineers to help you identify and remove vulnerabilities before someone else finds them for you.
How secure are your systems?
Schedule a cybersecurity assessment
In a few hours, get actionable insights on your IT security.
Waynesboro, VA
Corporate HQ
215 Fifth St.
Waynesboro, VA 22980
Sales: 540-217-6261
Service: 540-885-3129
Accounting: 540-217-6260
Fax: 703-935-2665
Washington D.C.
1126 11th ST. NW
Suite 603
Washington, DC 20001-4366
Sales: 202-888-2770
Service: 866-692-9082
VA DCJS # 11-6604
Harrisonburg, VA
45 Newman Ave.
Harrisonburg, VA 22801
Sales: 540-569-3465
Service: 866-692-9082
Richmond, VA
3026A W. Cary St.
Richmond, VA 23221
Sales: 804-729-8835
Service: 866-692-9082