How a British SMB survived a nightmarish cryptolocker ransom attack

When a small business client of managed services provider Ignite had all its files hit by a massive cryptolocker infection, things could have gone a lot worse.

By Tamlin Magee May 22nd 2018

Thanks to Ignite’s expertise and its partnership with Quest, the SME was able to get back up and running within hours and with minimal user disruption.

Group operations director at Ignite, Andy Portlock, told Computerworld UK that the unnamed client had the latest firewall, email filtering, data recovery and business continuity solutions in place. But as with many infections the problem was user error.

One Friday evening an employee managed to download cryptolocker via an email attachment, and very quickly the entire network was infected, holding the firm's data for ransom. The firm is typically open seven days a week and only really shuts for Christmas and Boxing Day, so the financial and reputational damage could have been severe.

“The business impact for those guys is they’re probably taking 100 orders per day – it would have caused massive disruption for them as a business to not be online and not transact as a business,” says Portlock. “We put an on-premise server on site, and using [Quest] Rapid Recovery we backed up locally to that on-prem server. Nine out of 10 times that’s sufficient.

“But when we found that the network is infected, the network is down, we despatched an engineer to site, to rebuild, spin up the local repository and get the client back up and running for Saturday morning trading.”

But the cryptolocker infection had also managed to creep into the local repository. So the client’s live system was infected and so was its on-prem backup.

That means that if the only strategy was to back up on-prem, the client would have either lost all their data, or have had to start a lengthy and possibly unsuccessful recovery process. Or – pay the ransom.

“For us in that scenario, we replicate the data multiple times off site to our data centre, and to a Microsoft Azure data centre, so we were able to spin up virtual servers in our data centre that were not infected, that we had clean copies for,” Portlock says. “We were able to push back to a recovery point of an hour, so there was only an hour’s worth of lost business in transactional terms. That was three transactions that we could quickly trace.”

“We span up the servers virtually in the data centre and then were able to point a number of machines using VPNs back into that data centre – so the client was operational for the Saturday morning trade, which then allowed us leeway to deal with the on-prem and the cleanup, and all the other fallout from that crypto issue.”

So although disaster was only narrowly averted, the difference was barely palpable for the end users: the client was able to continue working just as it would have if it hadn’t been attacked in the first place.

For Portlock, the scenario underscores just how important it is to have a business continuity solution in place, along with a proper preparedness plan in case of attack.

“First and foremost you need to secure the network perimeter, you need to put the stops in place,” Portlock says. “It’s very real now for a client that there needs to be a solution, and for me it’s the recovery point and the recovery objective that is key to any business.

“They may have a tape backup drive – but the realisation is they’ve never tested it, it’s unencrypted, and it’s sat in a briefcase for days or weeks and they’ve got no idea of the integrity of that data, let alone when you start to say: what happens if you need to recover that data? How long does it take and how much have you lost?

“If you’re doing nightly backups you’re lucky if you lost a day’s work.”

Luckily for Ignite’s client, they only lost an hour.