On Friday 21st November at 6:15am, On IT received a call from one of their largest clients explaining that they had been the victim of a cyber attack. The company, which operates across 3 sites, had been hit with a ransomware attack demanding $270,000 to retrieve their data, which was locked behind an encryption wall.
Ransomware attacks are a very common type of cyber attack and a growing threat to businesses. They involve a third party accessing a company’s system and locking all the data. The only way to then retrieve this data is to pay the ransom, which will give you a decryption key to re-access your data. On average, 75% of small and medium-sized businesses that suffer a ransomware attack do not financially recover.
On IT’s client was initially attacked at 1:30am on Friday 21st November. The team who got in that morning were the first to find out, around 6am, by which point the majority of the damage was done. On IT received a phone call from their client at 6:15am and had engineers on site within 3 hours. The first thing the engineers on site did was unplug everything. This is crucial during a ransomware attack, as these attacks are like spiders and can continue to spread. They did this to try to cut the attack off at the edges; however, as the attack had started at 1:30am, it was unfortunately too late.
On IT discovered that the backup solution had been affected by the encryption, so they couldn’t restore the data from it. Their on-site engineers began remediation and agreed a plan to get at least 1 computer per department online so that the company could continue to operate.
After fully assessing the situation, On IT came up with a solution for their client, which involved a full rebuild of their environment. The team worked to build and configure servers before driving to the different sites and installing them. On top of this, the team had to build a new server infrastructure, create new domains and implement new security policies.
On IT also reached out to third-party cyber security specialists, who were able to identify the root cause and entry point of the attack. By responding so quickly and getting 1 computer online per department, On IT ensured their client could still do a full day’s work, continue operating and not suffer a loss that day.
After 4 weeks of continuous work, the team at On IT are still working hard to rebuild the environment. On IT do regular backups themselves for clients, so their client was able to take some of this data back from them. Due to the client not having a backup solution in place, all data that was taken is now gone.
To prevent this from happening in the future, On IT are working to move more of the company’s data to the cloud. They have also implemented a suitable backup solution with an air gap: a gap between the environment and the backups, meaning that should one be affected, the other won’t be. On top of this, they have installed anti-ransomware software to add a further layer of protection.
Many SMEs believe that they won’t be targeted by a ransomware attack because they don’t consider themselves a big enough entity; however, this is not the case. Ransomware is becoming a much more common attack on medium-sized businesses, especially those that have increased their brand awareness or gained more publicity recently.
Another piece of advice for businesses is to have cyber protection insurance in place: had On IT’s client not had it, they would have been liable for £150,000 worth of remediation costs. It’s important to have this protection in place, as ransomware attacks can financially destroy many companies, and where the attack itself doesn’t, the costs to fix it could.
A hacker will get into your system should they really want to, so it’s important to have the processes in place to ensure you can recover from an attack. Ensure that you have an air gap between your environment and backups, do regular backups and invest in anti-ransomware software.