- Apr 26, 2017
- 89
“Our network is secure. We don’t need to worry about ransomware attack remediation.”
“We’re too small.”
“We don’t have the budget for that level of security.”
For many companies, the objections to anti-ransomware software are real — and understandable. But they don’t hold true for a lot of organizations. In fact, one health care company with providers located across the U.S. recently turned to MicroAge when they discovered they weren’t too small or insignificant to be a target.
MicroAge solutions expert Rick Walsh had counseled his long-time client on the need for security precautions, but for various reasons, security remained on the back burner. On a Thursday, the IT manager of the two-person IT department called Rick with a huge problem.
“He said all of his servers and 100 computers were locked,” Rick recalls. “A message on the screen was asking the company to pay 17 bitcoins to the hacker’s account. That’s about $32,000.”
The client needed help immediately, but Rick wasn’t sure if this could be remediated. He called MicroAge Security Practice Manager Jason Lassourreille.
“Ransomware attack remediation requires special expertise and often can’t be fixed,” Jason told him. “This is a case where the best offense is a good defense to prevent attacks.”
When hackers infiltrate companies demanding a ransom in exchange for the encryption key, the ransoms are actually often affordable. (The average ransom demanded is around $700.) And while there is no guarantee you’ll actually get the key, for many companies, it’s the only option.
Ransomware Attack Remediation
Before considering paying the ransom, Rick brought in a MicroAge services provider to help. Starting at 5 p.m. local time, the consultant sought to determine if he could repair the damage of the CryptoLocker attack.
“I found that everything on the network had been encrypted … all of their backups, all of their servers. There was hardly anything left untouched,” he says. “All of their backups were gone. The virus had encrypted everything.”
Ultimately, a serendipitous stroke of luck saved the client. The consultant, a NetApp storage architecture pro, discovered there was only a two-minute gap between the last clean NetApp snapshot and the time the encryption started. Had this snapshot been corrupted, the client’s only alternative would’ve been to “pay and pray.”
It took a few days to get everything back online, but with MicroAge’s help, the company was back up by Monday.
The damage of a ransomware attack is clear, but these attacks do more than lead to dollars out the door due to downtime. There are also regulatory implications, Jason says.
“If your organization is in a regulated industry beholden to compliancy standards such as HIPAA or PCI you must maintain control of your data at all times,” he adds. “For example, if you were hacked, data encrypted, data deleted, or data lost this is considered a breach. You have to report that breach and could be subject to fines or consequences.”
Preventing Future Ransomware Attacks
Next came the work of preventing this type of attack in the future. On Rick’s recommendation, the client deployed Sophos Intercept X, a product designed to stop the malicious encryption process that is indicative of a ransomware attack. Once the attack is stopped, Intercept X Cryptoguard reverts files back to safe versions and alerts IT that a ransomware attack was thwarted to allow IT insight into their vulnerabilities.
The client also brought MicroAge on board to provide security as a service, which includes ongoing intrusion detection, vulnerability scanning and analysis, file integrity monitoring and more.
Related: Read Jason Lassourreille’s blog: 7 Best Practices to Protect Against Ransomware.
Addressing East-West Traffic
When addressing security, Rick recommends that clients also look at VMware NSX to address east-west traffic — an issue that’s receiving more and more attention.
“NSX provides micro-segmentation,” MicroAge Director of Practice Management Perry Peterson explains. “Typical security is enforced at the perimeter. It’s great for north-south traffic, but with the emergence of virtualization east-west traffic (VM to VM communication) makes up more than half of an organization’s network traffic. If hackers get through the initial firewall, they have free reign to jump from application to application. Micro-segmentation makes it feasible to place a logical firewall between every virtual machine, allowing you to enforce security rules at the VM level.”
Putting up this east-west barrier has negligible performance impact, he notes. “And when a breach does occur,” Perry adds, “you have the ability to isolate and quarantine the virtual machine until you can identify and remediate the issue, whether you do that through automation or manual intervention.”
Fortunately for companies that want to keep their data safe and avoid being faced with ransomware attack remediation, there are a number of tools and services to help. The key is knowing where to start.