This company has been hit by ransomware. See what they did next and why they didn’t pay

It started as a normal Thursday for Tony Mendoza, senior director of IT for Spectra Logic, a data storage company based in Boulder, Colorado. And then the ransomware attack started.

“We received some notifications of some system failures and it quickly turned into a series of unrelated system failures, which is really abnormal,” said Mendoza. He realized that the company was under attack – and that its files were being encrypted.

“When it happened, we rushed to our server room and data center and started to remove the plugs so that it couldn’t spread – which brought down our entire infrastructure,” he says.


In total, three quarters of the production environment had been compromised by the ransomware. The attackers left a ransom note demanding payment of $3.6 million in bitcoin in exchange for the decryption key.

“Finding out what it was was quite simple, because they say who they are and where to send the money to. It was NetWalker because it was written on the ransomware letter,” explains Mendoza.

Another problem: the attack happened in May 2020, when many employees had only just started working remotely because of the COVID-19 outbreak, so there was no easy way to communicate what was happening to people outside the building.

Despite this, the IT team had to assess the damage done and what the options were for getting the data back – if that was possible at all. There was some hope: the company had backups, which were separate from the rest of the network and had been protected from the incident.

“We are still under attack, we are still trying to stop the bleeding, we still don’t know the extent of the damage – but we knew we had data to work with,” says Mendoza.

Every organization that is the victim of a ransomware attack ultimately has to face a big question – do they give in to the ransom request to recover their data?

Cyber security companies and law enforcement agencies around the world argue against giving in to extortion in ransomware attacks, because paying not only delivers hundreds of thousands or even millions of dollars in bitcoin to criminals, but also proves that the attacks work, which encourages ransomware attackers to continue their campaigns.

However, some victims feel they have no choice and pay the ransom, reasoning that it is the quickest and easiest way to get their data back and the network up and running again – although that is not without problems. There are cases where the attackers took the money and disappeared, or took the ransom and simply returned with a second attack.

Spectra Logic had cyber insurance, which could potentially have covered the cost of paying the ransom. That might have been the simplest short-term route to restoring the network, but it was quickly decided that, with the backups still available, Spectra Logic would not give in to the ransom demand.

So, instead of communicating with cyber criminals, Mendoza contacted the FBI.

“I went from panic to being reassured by them that they had seen this before, we are not alone and they are going to put tools in place to start protecting us. That was the most important thing, getting protected,” he explained.

The FBI also assigned a specialized team to help Spectra Logic deal with the immediate consequences of the attack over the next few days.

Trying to restore the network turned out to be a 24/7 job for the small team over the next week. Most of that time, people slept in the office to have as much time as possible to focus on restoring the network.

“Since Thursday morning, we spent 24 hours every day for the next five days working on it – we slept in shifts. Three of us would work at night, while two people would sleep for a few hours,” said Mendoza.

“There was no way out and back, it was going to sleep on the couch, in case we needed you. It was five days holding hands on the deck.”

In addition, he needed to provide the board with updates on the current situation. They wanted answers about when the network would be restored and when business would return to normal.

“I’m dealing with leadership in the company and I don’t want to lie to them and say that I know when this is going to end – I had to tell them that I don’t know what’s going on or when the systems will be working,” he says.

It took days of uninterrupted work, but eventually the IT department, with the help of cybersecurity experts, managed to restore some network functionality a week after the ransomware attack, without paying the attackers.


“Our cybersecurity team has provided us with experience and tools, monitoring and registration to eliminate the threat from our system. On Monday morning, they gave us the green light; it’s done, they stopped and removed it,” remembers Mendoza.

“The FBI told us that we were going the hard way, but the right way – and it ended up being the easiest way when we came back and said we were back eight days later; it was shocking for them,” he added.

But that doesn’t mean everything went back to normal immediately – it took several more weeks to bring back systems that were not essential to the business, and throughout that time careful attention was needed to make sure the attackers had not found some way to spread the ransomware again, which meant constantly monitoring all activity on the network for another month.

Many ransomware attacks never become public knowledge, and examples of companies going into detail about what happened are still few.

But Mendoza says it is important to be transparent when dealing with a ransomware attack, because it is important to show that it is possible to recover from an attack without filling the pockets of cyber criminals.

“What we realized was that we were protecting our data and there is a way to prevent ransomware. We couldn’t find public information when we were looking for it, so we wanted to make it a common thing, that it’s okay to talk about being affected by ransomware,” he said.

So, what is the main lesson that Mendoza would say that other organizations need to draw from the experience of Spectra Logic? It’s backing up your systems – and doing it offline – so if the worst happens and the organization goes down, you’ll still have offline backups.

“You have to limit the blast radius of your attack. Back up your data to multiple locations in various media and the key is to place it in an air space. Whether it’s a physical or virtual space, you need to put a wall between an attack and its data,” he said.
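The backup lesson above is a principle rather than a procedure. One concrete way to act on it is to keep a hash manifest with the offline copy and run a restore drill against it, so you know the copy is intact before the day you need it. The Python below is an added example, not Spectra Logic’s tooling or anything from the article: the directory layout, file names, file contents and the simulated tampering are all constructed for the demonstration, and the manifest is held in memory here where in practice it would be stored with the air-gapped copy.

```python
"""Offline backup drill: build a SHA-256 manifest of a backup copy, then verify
the copy against it. Added example; every path and file below is constructed."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large backups are never loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def take_backup(source: Path, dest: Path) -> Dict[str, str]:
    """Copy the tree to the backup target and return the manifest of the copy.

    The manifest is what you keep off the production network (with the
    air-gapped copy, on write-once media, or printed): it is the reference
    you trust when the live systems cannot be trusted.
    """
    shutil.copytree(source, dest, dirs_exist_ok=True)
    return build_manifest(dest)


def verify_backup(backup_root: Path, manifest: Dict[str, str]) -> List[str]:
    """Compare a backup copy against its manifest and list every discrepancy.

    An empty list is what a restore drill should see. Files that have been
    encrypted in place show up as 'modified'; dropped notes or other
    additions show up as 'unexpected'; deleted files show up as 'missing'.
    """
    current = build_manifest(backup_root)
    problems = []
    for rel, expected in manifest.items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != expected:
            problems.append(f"modified: {rel}")
    for rel in current:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return sorted(problems)


def drill() -> Tuple[List[str], List[str]]:
    """Run the whole cycle on constructed sample data inside a temp directory.

    Returns (verification result of the fresh copy, result after simulated
    tampering) so the two outcomes can be compared side by side.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        prod = root / "production"  # constructed stand-in for the live tree
        (prod / "db").mkdir(parents=True)
        (prod / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'ok');\n")
        (prod / "config.yaml").write_bytes(b"retention_days: 30\n")

        offline = root / "offline_copy"  # constructed stand-in for the air-gapped target
        manifest = take_backup(prod, offline)
        before = verify_backup(offline, manifest)

        # Simulate a copy that was NOT air-gapped: one file overwritten with
        # random bytes (as an encrypted file would be) and a constructed note
        # dropped beside it. The manifest makes both changes visible.
        (offline / "db" / "orders.sql").write_bytes(os.urandom(48))
        (offline / "db" / "README_RESTORE.txt").write_bytes(b"constructed sample note\n")
        after = verify_backup(offline, manifest)
        return before, after


if __name__ == "__main__":
    clean, tampered = drill()
    print("fresh copy:", clean or "OK, copy matches manifest")
    print("after tampering:", tampered)
```

The point of the drill is the first result, not the second: run `verify_backup` against the offline copy on a schedule, and treat anything other than an empty list as a broken backup to be fixed before an incident, not during one.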

And how did the company end up being the victim of a ransomware attack in the first place? Analysis of the incident revealed that a phishing email sent to an employee working from home was how the attackers gained their initial access to the network.

After the ransomware attack, Spectra Logic worked to improve its cybersecurity culture, both on-site and for remote employees, in an effort to learn from the incident. The company is now actively looking for potential cybersecurity threats that might previously have gone unnoticed.

“Initially after the attack, when the wounds were fresh, we talked about security. Six months later, we are still concerned about security and are more aware of phishing attacks. We were kind of compliant before,” he says: now staff will flag a phishing email that the malware filtering has not caught. “There is more awareness now.”
