How to Survive a Ransomware Attack


Any ransomware attack is an unfortunate and undesirable event. While many organizations experience more dire and painful data recoveries than this local business, valuable lessons can be learned from their ransomware success story.

To survive a ransomware attack, you need more than data backup. You need to invest in planning, defense and insurance as you would any other business resource. You need to be able to recover that data.
 
Any and every organization – no matter what size – is a potential ransomware victim. The recently attacked business, Arctic Air, has only 11 full-time employees.
 

Lessons from a Local Ransomware Victim

The attack at Arctic Air most likely occurred when a mobile user was phished while working on the server. This doesn’t make them a bad person or employee; it’s a common pitfall of the way the world works today. Cybercrime and phishing are realities we cannot ignore.
 
The user likely clicked on a link or downloaded an email attachment while on an unsecured connection. This could have been while using public WiFi at a hotel or a coffee shop.
 
 
 

Ransomware locked access to all files on Arctic Air's server and restricted access to the internet and email. Once the issues were detected, Arctic Air called Loffler to help recover their data from backup. We had them back to work the following day.

The attack wasn't a particularly mature or refined piece of dark code. It appears to have come from a rogue conspirator who created/manipulated it. Luckily, it doesn’t appear to have caused a data breach, only a systems lockup (more on this later).
 
Arctic Air implemented their incident response plan upon detection. This provided a quick emergency response, and a ransom was never communicated or needed to be addressed.
 

Regardless, costs were still associated with the attack:

Lost Labor: Minimal 

Employees were able to work despite their locked files. Once they regained internet access, they used a cloud-based accounting application and email. Productivity slowed, but was not completely interrupted. 

Lost Revenue: None

Arctic Air experienced no lost orders or invoices, despite the ransomware.

Rework: Minimal

They lost a critical warehouse spreadsheet they needed to recreate. To avoid this, the user should have saved the document on the backed-up server, instead of on their desktop.

Recovery Costs: $4,500

Loffler reacted immediately to Arctic Air's situation by implementing their incident response plan and assembling a team of engineers to recover their data. This is a significant cost to a small business, but costs could have been double or triple. Minimized costs were due to:

  • Loffler’s existing knowledge and experience with the company's systems
  • The waiver of emergency support fees due to the above
  • Designation of Loffler as a member of the client’s emergency response team

Company Reputation: Minimal to None

Arctic Air was attacked, but not breached, based upon initial cyber-forensic evidence. A data breach requires formal reporting to government agencies like the FBI. It would also likely land you in Sunday’s business section.

Due to the above, Arctic Air is an example of an upper-tier ransomware survival story. They experienced a recoverable event with minimized pain. The story could have been even better. It also could have been much worse. Loffler has also assisted with many of the latter.

What steps should a business take if they are hit with ransomware?

How do you reduce damage and fight to protect your systems? 

Follow Your Incident Response Plan

This assumes you have an incident response plan. If not, create one. 

Upon initial breach awareness:

  1. Contact your IT security response team (form this if you don’t already have one).
  2. Engage your internal IT team and/or your technology solution partner team to address.
  3. Contact legal representation. Have them contact insurance representation about liability and potential compensation. Ransomware fees may be reimbursable, depending upon your organization's cybersecurity insurance plans.
  4. Debrief executive management/ownership on initial findings.

Develop a Recovery Plan

Once you've contacted the people who need to know about the attack, you need to fight it.
  1. Assess the ransom price demanded versus potential recovery charges. Refer to the Arctic Air case study to see how this worked in real life.
  2. Avoid ransomware payment until it's your only option. 
  3. Implement recovery efforts. This is assuming you are prepared with backup and recovery.
  4. If you are not prepared for a ransomware attack, continue reading:

Recommendations to Protect Yourself from a Ransomware Attack:

Have a current and verified backup process. This includes testing your backup on a regular schedule. Tapes, thumb drives, external drives, etc. do not qualify. They contain data but do not allow you to recover. 

Most importantly:

Ensure you can recover your backup. Ransomware survival hinges on recovery. Recovery depends on virtualization and your system's backup and recovery solutions.

  • Assess which technologies are most relevant for recovering company data. Options include on-premise, cloud or hyperconverged.
  • Assess which technologies are most relevant for recovering user data. This may mean forced backup to server, Dropbox or OneDrive, for example.

Contact Loffler for more detailed explanations, suggestions and recommendations.


Keith Carlson

Keith has more than 30 years of experience in IT infrastructure consulting. He started his career about the same time the PC was invented and has worked with clients of all sizes -- from three-employee offices to Fortune 500. Keith is an avid fan of baseball and golf, and he is a passionate outdoorsman.
