A Ransomware Savings Account – Pay in Advance!
Diet and exercise versus a pill. An ounce of prevention versus a pound of cure. Saving for expenses versus using credit cards.
We all understand that good habits and planning are valuable to achieve our goals. We apply the same principles to Cyber Security…
This is a cautionary tale. We all learn from experience, and when fortunate, we can learn from the experience of others. This story teaches a valuable lesson based on real-world experience, and it will help you avoid a terrible situation.
A medium-sized firm, unfortunately, became the victim of a ransomware attack. An IT employee came into the office early in the morning to discover their ERP server had a white on red full-screen text message (complete with skull and bones ASCII art) stating the contents of the hard drive were encrypted. To recover the contents, they were to transfer one bitcoin to the wallet address on the screen, and to email a Hotmail address notifying them the ransom had been paid in order to retrieve the decryption key.
SecurIT360 Standard Operating Procedures (SOPs) do not recommend paying the ransom under any circumstances. We’ve found that once a company pays the ransom, they are “tagged” for further exploits because the company has been known to pay out. It is safer and better to simply restore from the last known good backup and redo the 12-24 hours of work lost.
Unless the last known good backup is over eight months old.
As a cost-saving measure, this business only purchased a single license for Veritas Backup Exec Server. For the other servers, they used a combination of tarballing, Secure Copy (SCP)/File Transfer Protocol (FTP) or xcopy, and 7zip to archive and transfer critical network files, Microsoft SQL database data, transaction, and log files, and customer detail records to the one server with a backup license.
Business continuity was literally running on a shoestring budget with a fragile, multiple-step process that required each step to complete before the next step would begin. This giant Rube Goldberg machine had a high failure rate. In this case, the Microsoft SQL data and log files hadn’t been transferred from the ERP server to the backup server in eight months. Imagine losing eight months of orders, inventory, fulfillment, and financial reporting. Did we mention that this is a real-world case study?
We discovered that Hotmail address that the hackers provided for payment confirmation had been terminated, and the value of a Bitcoin at that time was nearly $14,000 US. The business owners insisted on paying the ransom even though the likelihood of receiving an encryption key was remote. The felt that they had to try because of the magnitude of the data loss.
Unfortunately, they never received a decryption key.
The company ultimately had to pause operations for two weeks to recreate as much information as possible from employee emails and printed reports. Then, they had to conduct a physical inventory to repopulate their ERP system.
This particular client sadly ended up paying their ransom three times: once in a bitcoin transfer that received no response, once in lost revenue while they recreated their ERP data so they could begin conducting business again, and then once again in new backup server licensing for all of their servers post incident.
How could this have been prevented?
A much less expensive “ransom” could have been paid ahead of time by purchasing five more Veritas Backup Exec Server licenses for $5,000 to cover their remaining servers, properly ensuring business continuity. This would have saved them thousands compared to the cost of the “ransom” paid and the additional 2 weeks of lost productivity while recovering data.
What can you do to not fall into the same trap as this business?
SecurIT360 works with our clients every day to ensure business continuity. Based on our experience, we would like to share 3 critical processes that your business must have in place to avoid this kind of disaster.
- Invest in a backup process for all of your servers and business-critical data.
- Regularly test your backups to make sure that all processes are running properly.
- And while backups are one of the most important things that you can do to protect your business, they shouldn’t be your first line of defense. Schedule regular “black hat” penetration tests to ensure that your network is protected from this kind of event.
Would you like a free assessment of your disaster preparedness and business continuity procedures? Call us today to make sure that the disaster experience you learn from isn’t your own.
SecurIT360 is an independent, vendor-agnostic Cyber Security consulting firm. We can work with you to stop cyber attacks in real time. Book a meeting with us today for a complimentary budgeting and strategy session by following this link Appointments.