One of our clients discloses all about the cyber-attack his company suffered.
Wishing to remain anonymous to preserve his company's image with his own customers, he tells us his true story, the impact the ransomware had on his business, his mistakes, and how he tried to recover.
A poignant testimony, but also an increasingly common reality for many SMBs, while cyber-criminals are constantly improving their attacks.
How my company data was encrypted by ransomware
As an entrepreneur, I am well aware that my business is nothing without its data. My data is important to me and that's why all our servers are our own servers, rented and set up in a datacentre near our office, and not in the public cloud. In addition to standard datacentre security, we use an anti-virus, a firewall, and a backup solution.
Everything had been working perfectly and without any real problem for years... Until the day when a ransomware encrypted the majority of our data, and we (I) were asked for 50,000 euros for a decryption key!!! Worse, the backup files were also affected!!!
I am stunned: how is this possible?
The first cyber attack
It is true that 6 months before, we had a first attack. However, it was quickly picked up by our IT reseller.
What happened? One of our 25 employees clicked by mistake on a phishing email attachment! Fortunately, this person had a limited-access role on the network and "only" the data on his computer was encrypted. Our external IT consultant managed to prevent the ransomware from spreading to the rest of the network!
Immediately after this fright, our reseller made a proposal to implement a 3-2-1 backup strategy by automatically storing a copy of our backups in another cloud, in case cybercriminals attacked us again. Certainly the 3-2-1 strategy seemed adequate, but I didn't have the budget for it at the time, and frankly, what was the probability of being attacked twice?
The 2nd cyber attack: the fatal blow
I was dismayed: we saw, before our own eyes, all the files and programs becoming inaccessible throughout the morning… It had surely started little by little in the night, and by turning on / using the machines, everything went downhill and accelerated… I still tremble with disbelief!
One of the technicians of our system integrator was trying to help us remotely, another was stuck in traffic on his way to our servers in the datacentre, until he finally arrived and took the only decision that could be taken: unplug all the machines, by pulling all the cables off, both in our offices, and in the datacentre.
Silence reigned a few minutes (or was it a few seconds, I cannot tell). No one dared to breathe anymore, not even me!
Then I came back to my senses:
- Me: Let's restore the last backup!
- Technician: It is encrypted...
- Me: How is that?
- Technician: Yes, all backup files are encrypted and unusable...
- Me: Let's take those from the other Cloud then!
- Technician: But you don't have any backups in the Cloud sir!
- Me: Sorry? That 3-2-1 strategy you told me about 6 months ago?
- Technician: You didn't have the budget to pay for offsite storage!
- Me: …
I still have trouble swallowing my saliva thinking about it, and even if I testify before you without giving my name, it is the first time I publicly admit it: if I had really wanted to, I could have allocated some budget to storage space in the Cloud for the 3-2-1 strategy recommended by our reseller.
Certainly, this strategy would not have stopped the attack, but it would have allowed us to recover our data from the day before the attack!
Today I regret having dismissed this cost, which I considered too high. This cost seems tiny compared to the 50,000 euros requested by the cybercriminals!
Today I regret not having wanted to understand that this expense was essential: our consultant needed it to store our backups outside our network, and he was not going to cover the costs himself, which makes sense as he has his own business to run too!
Yes, I am angry, I am angry at myself, because it took me years to build and grow my business, and it only took a few minutes for some hackers to kidnap my data!
Damages caused by the ransomware attack in my company
Beyond the encrypted files, data and servers, beyond the new investment I would have to make in IT security, the real damage cannot be quantified: it is stress, rage, despair and all the wasted time!
What was spared by the intrusion?
- Luckily our reseller had taken a copy of the Actiphy full backup after the first cyber-attack, intended for the Cloud copy in his 3-2-1 strategy proposal.
- Cloud-based programs and applications we are using:
  - Web server
  - Invoicing system with history of all invoices, bought products, open quotes
  - Marketing subscription lists (to communicate with existing and potential clients via our newsletters)
- 50% of our marketing and sales communications and brochures - employees had a local copy on their Macs.
What the hackers encrypted
- Our Microsoft Exchange Server including the loss of ALL email history and all emails received and sent during the attack.
- All data from our virtual servers, including:
  - CRM server with telephone numbers and conversation history with our customers and suppliers.
  - Files and folders stored since the beginning of the company.
  - All backups that were stored on a NAS on that network.
What actions were taken during the ransomware attack?
Because I was not sure the hackers wouldn’t encrypt our data a 3rd time, nor did we know whether they had left any dormant ransomware on the network, and even less whether the decryption key would work, I decided not to pay the demanded ransom.
I understood the scale of the disaster, and the impossibility of recovering all the damaged data, but I am a man of principle and I refuse to bow to web terrorists. I don't want them to get rich with my money!
Despite sleepless nights and weighing the pros and cons, I preferred to invest in rebuilding my company's IT security, this time listening carefully to all the information and advice from my IT system integrator, taking the time to understand what exactly each solution was, each investment requested. (I would like to thank our IT partner for their patience and hard work.)
- The only solution to stop the attack was to unplug everything!
- 24 hours: our reseller configured a new mail server, online this time, with Microsoft Exchange Online, and Office 365 for each of our employees. We could at least receive and respond to emails from our existing and potential customers, even if we had no history.
- 36 hours: modifications of logins and passwords of all PCs and solutions / tools.
- 48 hours: the VoIP telephone system is reconfigured.
- Restore of the Actiphy full backup our reseller had taken with him after the first cyberattack.
- Merge of this restored backup with the information saved in the different cloud platforms we had. Granted, this only allowed us to update a small part of the database, but it was better than nothing.
- Unsuccessful attempts for months to restore a newer backup file: the encryption was impossible to break, even using external tools and companies.
What actions were taken after the ransomware attack: we are always smarter afterwards!
Even today, a year later, some important data is still missing, including the history of emails and telephone conversations. We can work without them, but it would be much better to have them.
I understand hackers are always one step ahead, so we have focused on:
- Externalising all our IT infrastructure to the Cloud.
- 3-2-1 backup strategy with automated monitoring managed by our Partner.
- Cloud email archiving, to be able to access emails at any time, any circumstances.
- Cloud email security solution to stop ransomware before it even enters my network. It is such a relief not to receive spam anymore!
I am currently confident these changes are for the best and have prepared us not to be attacked a 3rd time, and / or to be ready to recover fast should a 3rd cyberattack happen.
System Integrator's point of view on his client's ransomware attack
Unfortunately, we often hear “it's too expensive”, and get asked to implement free solutions here and cheap solutions there.
Cybercriminals know SMBs have a limited budget for IT security, and they take advantage of it by encrypting their data and asking for a ransom. Once data is encrypted, we cannot work miracles. It is often when clients realise we cannot work these miracles that they truly measure the value of their data.
How can Resellers / MSPs prepare clients against ransomware attacks?
We believe it is very important for IT Consultancies and end users to work on 3 aspects of IT Security:
1. Stop ransomware before it even enters the network
The client’s ransomware entered the network through the Exchange Server.
That’s why we have:
- Rebuilt the system in the Cloud with Office 365 (now Microsoft 365) and Exchange Online.
We recommend Cloud solutions: they are easier to manage, they are cheaper, and customers can deduct them for tax purposes.
- Added an email protection service, to eliminate all malicious emails in the cloud before they reach our Microsoft mail servers, filtering emails, attachments and URLs several times.
It is very cost-effective, it works with all Cloud and on-premises email servers, it is easy to set up, and its price is ridiculously low compared to the ransoms demanded by hackers.
- Changed all passwords using the free personalised password cards. We have added our own logo and distribute them for free to all clients, for all software, applications, onsite and remote workers.
2. Be ready in case an attack manages to go through
We all know cybercriminals are one step ahead of everybody; their attacks are always smarter, and millions of companies keep being hacked. So, let’s be ready for such an eventuality with:
- A complete Backup Strategy / Concept with:
  - 3-2-1 backup strategy: automated backups sent regularly offsite, outside the network. Actiphy includes free unlimited replications, including to the Cloud.
  - Monitoring: install and forget is not a good idea in terms of backup and IT security. We strongly recommend monthly or weekly monitoring services, which are made easier since Actiphy has APS, their Web Monitoring Console.
  - Backup testing: automated backup tests and manual tests of the last onsite and offsite incrementals each month (offered as a Service).
- Email archiving: Yes, it is a GDPR legal requirement, but we prefer its real benefit: a very powerful search tool, and it DOES limit the damage caused to email servers by ransomware attacks.
Had our client had Cloud email archiving, we could have restored all emails even with encrypted backup files. He could have been productive again a few days after the cyberattack instead of weeks!
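As an added example (not from the original post and not Actiphy's own tooling), here is a small Python check that a monitoring job could run over a backup inventory to verify the 3-2-1 rule, replica integrity and freshness. The inventory format, field names and timestamps are assumptions; the two constructed inventories mirror the client's setup before and after the reseller's 3-2-1 proposal.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class BackupCopy:
    """One copy of the same full backup set (assumed inventory format)."""
    name: str
    medium: str        # storage type, e.g. "nas", "tape", "object-storage"
    location: str      # "onsite" (same LAN) or "offsite" (outside the network)
    taken_at: datetime
    sha256: str        # checksum recorded when the copy was written

def check_321(copies, max_age_hours=24, now=None):
    """Return a list of findings; an empty list means the set passes."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    if len({c.medium for c in copies}) < 2:
        findings.append("all copies on one medium type")
    if not any(c.location == "offsite" for c in copies):
        findings.append("no offsite copy: ransomware on the LAN reaches every copy")
    if len({c.sha256 for c in copies}) > 1:
        findings.append("checksums differ between copies: a replica is corrupt")
    newest = max(c.taken_at for c in copies)
    if now - newest > timedelta(hours=max_age_hours):
        findings.append(f"newest copy is {(now - newest).days} days old")
    return findings

# Constructed inventories: T0 is the time the nightly full backup finished.
T0 = datetime(2021, 3, 1, 2, 0, tzinfo=timezone.utc)
# Before the second attack: every copy sat on the NAS on the same network.
BEFORE = [
    BackupCopy("full", "nas", "onsite", T0, "aa11"),
    BackupCopy("replica", "nas", "onsite", T0, "aa11"),
]
# After the reseller's 3-2-1 setup: one replica goes to cloud object storage.
AFTER = BEFORE + [BackupCopy("cloud", "object-storage", "offsite", T0, "aa11")]

def demo(inventory, hours_after=6):
    """Evaluate an inventory as the monitor would see it hours_after T0."""
    return check_321(inventory, now=T0 + timedelta(hours=hours_after))

if __name__ == "__main__":
    for label, inv in (("before", BEFORE), ("after", AFTER)):
        print(label, demo(inv) or ["OK"])
    print("stale", demo(AFTER, hours_after=72))
```

The "before" inventory fails on count, medium and offsite, which is exactly why the encrypted NAS took every backup with it; the "after" set passes until it goes stale.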
3. Be transparent
Be frank with your clients regarding the status of their IT security. Don’t be scared to offend certain egos, data is more important!
Also be patient enough to explain and explain again, and share the experiences of other SMBs such as the story of our client: “It doesn’t always happen to others; it can happen to you!”