Ransomware Experiences from the Ekco Team
Thoughts, experiences and advice on Ransomware from Ekco experts. Learn why it's so difficult to recover from an attack and why it pays to be prepared.
Ransomware is one of the biggest threats to businesses and public institutions today. Almost every week, there’s another high-profile attack in the press, with companies effectively grinding to a halt as a result.
There are plenty of hard-hitting articles and stats out there about the scale, prevalence and severity of attacks, but what does it mean to be hit by ransomware? What happens next, and how does your company recover?
To find out more, Ekco’s Content Marketing Manager, Jake Story, caught up with a few of our experts to hear their first-hand experiences.
How does ransomware work?
“It’s different in each incident,” Conor Scolard, Technical Director at Ekco Dublin, explains. “We hear names like the Conti ransomware that’s being used at the moment. At the start of the year, we had REvil, which was equally dangerous. Attackers use different approaches that have different results, but over 80% of ransomware attacks start with an end-user. Companies are being attacked from the end-user perspective. A person is clicking on a mail, which they think is from someone legitimate – from within the organisation, a trusted third party or a customer. From there, the user provides credentials to a page that looks real. The hackers are taking the user credentials and gaining access to corporate networks through legitimate means and effectively bypassing the security in place.”
The type of attack will dictate what happens next. Generally speaking, attackers will move laterally across the network, encrypting servers and data as they go. It can be several days before the company becomes aware that an attack has taken place. Backup data is a particular target because, if there is only one copy, encrypting it hampers recovery. Some attacks will actively exfiltrate company data, putting the organisation at risk of breaching compliance obligations such as GDPR and of having its data leaked, which leads to press coverage and reputational damage.
Why is it so difficult to recover from ransomware?
Eoin Harford, Systems Engineer at Ekco, also based in one of our Dublin offices, explains: “There was one particular case I was involved in earlier this year. Besides an important reporting system, which we did replication for, the customer didn’t have true protection across their estate. They were sort of protected here and there but not completely. It took them over a week to start getting back on their feet after the attack.”
“It took just a few simple steps to get the reporting system failed over onto their DR hardware. The problem was, there was no easy way of getting users to access the system. They had no way to check if their firewalls were good or if their networks were good. Yeah, all that stuff had to come afterwards. So, for a little while, it was a newly built laptop connected directly to a switch, connected to the hardware. One person could get in and do reports so the business could still function somewhat.”
“They couldn’t say ‘well, the networks are locked down so they are definitely secure – bring them back up again’. Nothing. The only thing they could do was take it from the top. ‘Let’s start adding firewall rules, let’s take away permissions. Let’s disable all old accounts. Let’s do all the stuff that we should have been doing the whole time.’”
“That’s, I suppose, what these incidents cause. There’s a huge amount of work afterwards to cover all the security aspects you should have been doing in the first place.”
As a service provider, what does the recovery process look like?
This will depend on the level of protection, prevention and planning a company has in place. Generally speaking, most companies aren’t fully prepared for a ransomware attack, slowing down the recovery as the IT team scrambles to get the right people involved and move forward.
“We’re currently helping a customer recover from a ransomware attack,” Dan Medhurst, Senior Support Engineer based out of Ekco’s London office, explains. “It’s been ongoing for months now. They were using us to take a once-a-night backup of all their systems, but this has highlighted how much easier it would have been for them to recover if they were using something like Zerto. By the time they had discovered an attack had taken place, it was too late, as the backup copies we had were infected.”
“In the past, we’ve identified strange goings-on for customers. If we suddenly see a spike in data transfer then we contact them and say ‘do you know what has caused this?’ because it could be a sign that there has been a ransomware attack, you know, if an entire file server starts to upload itself from scratch.”
“The particular customer I mentioned is up and running on our platform again and they are moving to a more unified approach. They will be able to get seven or 14 days of checkpoints. If they have a good internet line, they will have a checkpoint as often as every seven seconds. If it happened again, we could get them back up and running on our platform seven seconds before they were infected, so long as we can pinpoint when the attack happened.”
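The two ideas above, spotting a file server that suddenly starts uploading itself and then rolling back to the last checkpoint taken before the infection, as an added illustration that is not Ekco's or Zerto's code. The egress samples, the 7-second checkpoint series and the thresholds are all constructed for the example.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample: outbound bytes per 5-minute window for one file server.
# The first windows are steady nightly traffic; the last two show a sudden
# spike of the kind that suggests the server is being exfiltrated.
EGRESS_SAMPLES = [
    ("2021-09-14T01:00:00", 1_200_000_000),
    ("2021-09-14T01:05:00", 1_150_000_000),
    ("2021-09-14T01:10:00", 1_250_000_000),
    ("2021-09-14T01:15:00", 1_100_000_000),
    ("2021-09-14T01:20:00", 1_200_000_000),
    ("2021-09-14T01:25:00", 1_180_000_000),
    ("2021-09-14T01:30:00", 1_220_000_000),
    ("2021-09-14T01:35:00", 9_500_000_000),   # spike begins here
    ("2021-09-14T01:40:00", 11_000_000_000),
]

# Constructed replication checkpoints taken every 7 seconds (assumed cadence).
CHECKPOINT_START = datetime(2021, 9, 14, 1, 34, 30)
CHECKPOINTS = [CHECKPOINT_START + timedelta(seconds=7 * i) for i in range(10)]


def find_egress_spike(samples, window=6, factor=3.0):
    """Return the timestamp of the first window whose outbound volume is far
    above the trailing baseline (mean + factor*stdev of the previous `window`
    samples, and also more than factor times the mean so a flat baseline with
    zero stdev does not trigger on tiny changes). None if no spike is found."""
    for i in range(window, len(samples)):
        baseline = [b for _, b in samples[i - window:i]]
        mu, sigma = mean(baseline), pstdev(baseline)
        ts, bytes_out = samples[i]
        if bytes_out > mu + factor * sigma and bytes_out > factor * mu:
            return datetime.fromisoformat(ts)
    return None


def latest_clean_checkpoint(checkpoints, infected_at, margin=timedelta(seconds=7)):
    """Pick the most recent checkpoint taken at least `margin` before the
    estimated infection time; None if nothing that old is available."""
    cutoff = infected_at - margin
    candidates = [c for c in checkpoints if c <= cutoff]
    return max(candidates) if candidates else None


if __name__ == "__main__":
    spike = find_egress_spike(EGRESS_SAMPLES)
    print("egress spike detected at", spike)
    print("recover to checkpoint", latest_clean_checkpoint(CHECKPOINTS, spike))
```

The margin exists because the last checkpoint before the spike is only safe if the attack timing has been pinpointed accurately; widen it when the detection time is uncertain.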
How likely are you to get attacked?
Nigel van Houten, Head of NetOps who’s based in our Alkmaar office, told us “Many security experts will tell you that ransomware will happen one day.”
“One of the things that strikes me most is that companies who are hit by ransomware will spend a lot of money, firstly, on recovery. Then, after that, they spend to make sure it won’t happen again.”
“It’s much cheaper to spend budget on planning, detection and protection than to deal with the fallout of an attack. If you’re hit without a proper DR plan in place, and without a safe copy of your data, you’ll have to deal with an attack the hard way and spend much more in the long run. You’ll keep your business out of the news too. Save yourself a lot of hassle by making sure you’re ready and operating safely. Even better, let us help you be safe.”
Think of protecting against ransomware as being like taking steps to mitigate the risk of fire and theft at home. There’s nothing you can do to guarantee these incidents won’t happen. Instead, you fit an alarm and insure your property.
The best defence is to be prepared. Follow the 3-2-1 approach to backup, ensuring there is an offsite, immutable copy of your data. Have a DR strategy. Have a plan in place detailing the steps you will take in the event of an attack.
Rightly so, ransomware is a hot topic and a key area of concern for IT professionals. Over the coming weeks, we’ll have more on how to prevent and protect against it. If you have any queries or concerns in the meantime, get in touch with our team today.