How Ransomware Works
Ransomware commonly originates when someone clicks to download an infected email attachment or link from an unknown source. This malware encrypts files and makes them unusable throughout the network. To recover the files, a sum of money is typically demanded by the hacker. An attack like the one at Arctic Air would likely be ransomed for $20,000 to $30,000, payable in bitcoins. Arctic Air, however, did not need to pay the ransom because they were prepared with restorable file backups.
Although the decision of whether or not to pay the ransom is a business decision ultimately left up to the affected business, Loffler follows the instructions of police agencies like the FBI, which recommend organizations never pay the ransom.
“Sometimes they pay and never get files back,” Stone said, “or the hacker can come back and ask for more.”
With ransomware comes a risk of data breach, but not always. Generally, ransomware encrypts data, demands money to have that data unlocked and a data breach is not an issue. In the case of Arctic Air, data was encrypted locally on their server, and no evidence of a data breach was discovered.
Lessons Learned
In the end, the damage done to Arctic Air that day was minimal. They had much to celebrate, as they were well-prepared with data backups. The event resulted in some valuable lessons all businesses can benefit from when it comes to ransomware:
Back Up Data and Make Sure You Can Restore It
“Our general advice for any ransomware attack is to be prepared with good backups,” Stone said. Because Arctic Air was prepared, they were able to unlock their files without engaging the hacker or paying the ransom. Many other organizations are not so prepared.
End-User Education
Because ransomware is most likely to result from an end user clicking a link or downloading an email they should not, it is best to be proactive about educating all employees on best practices and how to avoid phishing scams.
Know Who to Call
Companies without a trusted IT partnership may handle ransomware attacks blindly. They don’t know what to do, who to call or how to mitigate risks. Because Arctic Air is a valued Loffler client, Loffler IT engineers knew their system well and could help them immediately.
Do Not Save Files to the Desktop
While Loffler engineers were able to restore some desktop files, others, like a shipping schedule for the warehouse, needed to be rebuilt. A policy to always save files on a server, where they are backed up, is highly recommended.
Looking to the Future
Arctic Air will use this ransomware attack to further their data backup abilities. Their new solution will mean faster file restoration and backup of desktop files. If they are hit with ransomware again, their downtime and restoration costs will be cut in half. The average time to restore each workstation was two hours. With the new solution, that time will be reduced to 15-20 minutes per work station, or 1/6 the time. When paying per hour, that results in a significant decrease in cost to recover from ransomware.
“This event reinforced our need to do what we should have done six months ago,” Leukuma said.
Ransomware can happen anywhere and have far worse consequences than what Arctic Air saw. Their data was backed up and able to be recovered, with no evidence of data having actually been stolen or otherwise compromised. At the end of the day, they lost some data that had been saved to employees’ desktops and not backed up, but everything that was stored on the server was able to be restored.
“It was painful for the day, but nothing that would put us out of business,” Leukuma said.
See More Case Studies in our Learning Center
