2017 will undoubtedly go down as the year of the ransomware virus. Chief amongst these was the virus known as Cryptolocker, which appeared in several different forms and iterations. Some of Intellect IT’s clients found themselves on the wrong end of its ransom notes.
If you’re unaware of the Cryptolocker virus and its capabilities, here is a brief summation. This virus is often delivered in the form of an email attachment that users are coerced to click on. Once the virus gains access to your system, it begins trawling through your shared network files and folders, encrypting everything it finds. There is no way to reverse this encryption unless you pay a ransom to the virus creators.
And if you do pay, you have little more than hope that you will be provided with an unlock key to get your files back. The internet is filled with stories of these crooks squeezing ransom payers for more before handing over decryption keys.
Most of Intellect IT’s clients dodged these viruses altogether. A few limped away with scrapes and bruises. And some learned what it was like to have their business taken out completely. The only way back to normal business operation is through restoring your data from backups.
Here are three case studies we’ve collated to highlight how important it is not only to have a backup solution, but to have one that’s current, working, and capable of saving your business should disaster strike.
Client 1 is a small business with both online e-tailing and offline retailing ability. It consists of approximately 10 staff and three virtualised servers, hosted on a single server using VMware ESXi. Attached to that host was a SAN, being used as both data storage and physical host of the VMware files.
Their backup solution consisted of “shadow copies” within the server operating systems, and a nightly tape backup of all production servers. All equipment at this client was aged, much of it close to its “use by” date. That included the tape backup software, the tapes, and the tape drive.
The potential for risk here is high, not only because of aged equipment, but also because shadow copies cannot truly be considered a backup “solution” in and of themselves. At best they’re a stop-gap, and not a manageable one.
Then the business was hit by Cryptolocker. The damage to shared files and folders was extensive. Initial investigations discovered the virus had rendered useless all available shadow copies. The only way to recover this environment would be a bare metal full restore from the previous night’s tape backup.
The tapes themselves, the state of the data on them, and the use of very old server operating systems (such as Microsoft Small Business Server) added several layers of complexity to the restore. It was not immediately successful, and it took many attempts to bring the environment back.
Eventually the business was returned to normal, well over a week later. The cost in IT labour efforts, and the business operating losses during the outage can be measured in the tens of thousands of dollars.
Client 2 is another small business, in professional medical management and certification. The business employs approximately 20 staff, with five virtualised servers, hosted on dual VMware ESXi hosts set up for failover, and using their own built-in storage. Attached to the hosts is a NAS being used for both archived company data and local backup data storage.
Their backup solution consisted of “shadow copies” within the server operating systems, a nightly backup to tape of all production servers, and Veeam backup software that captured server states at various times of the day during business hours. All equipment at this client was relatively young, within warranty, fully managed and monitored, with all backup related hardware in good order.
At approximately 10:30am one day, the business was hit by a Cryptolocker attack. Once again, the damage to company data was extensive. Yes, the virus rendered useless all available shadow copies. And this entire environment would also require a full bare metal restoration from previous backups.
But because the attack occurred during business hours, and Veeam had run a full backup at 9am, there was no need to recover from the previous night’s tape backup. Also, given the more current and up-to-date equipment and operating systems used by this business, levels of risk and complexity were low when compared to client 1.
Restoration began at approximately 11am. Around 1pm, users could log back in to their environment and work with shared files and folders again. Around 2pm the entire environment was back to running ‘business as usual’. Initial outage time: 2hrs. Total interrupted time: around 5hrs. The combined labour costs of IT restore efforts, and business operating losses during the outage, came to less than $5K.
Client 3 is a small consultancy business, specialising in legal compliance and data sensitivity. It has approximately six staff and two virtualised servers hosted in the Azure cloud, using cloud-based file and folder storage.
Their backup solution consisted of “shadow copies” within the server operating systems, a nightly backup of their production servers using Azure snapshot technology, and business hourly “Shadow Protect” image level backups of their shared data folders and files as hosted on their cloud-based servers. Those images are stored on a NAS located at the client’s home-office.
Because this client operates almost exclusively in the cloud, all equipment was current and up to date, within warranty, fully managed and monitored, and all backup related hardware in good order. As was the case for client 2, the levels of risk and complexity for this client were also low.
The business was hit overnight by a Cryptolocker variant. But the damage to files and folders was not as extensive as had been experienced by others. Again, the initial investigations showed that shadow copies had been rendered useless, but the attack was limited to files and folders contained only on one hard-drive. It would not be necessary to recover this environment totally. But it would require the complete restore of one of their main shared-data drives.
Using Shadow Protect, in a few clicks the drive was restored from a previous image backup taken at 6pm the night before. The entire downtime for the business was around 3hrs, with total costs/losses estimated at around $2K.
The Lessons Learned
Whilst it’s true that client 1 had allowed their IT equipment to age, they would not be alone in such thinking. Many small businesses find the initial upfront costs of upgrading their IT well beyond their financial budgets. But when disaster strikes, that thinking is often shown to be flawed.
All three clients had different environments, with different backup/recovery options available to them. It doesn’t take too many lost business hours to learn that even a $5K investment in improving your IT infrastructure’s ability to stand up to risk and exposure has the potential to save you much more.
Avoid having all your eggs in one basket and relying on one form of backup software. A good backup solution gives you options. And when it comes to disasters, our case studies clearly show that the more options you have, and the better their quality, the more quickly and painlessly your business will recover from cyber-attacks.
There can be similarities between businesses and their backup needs, but often each solution requires a little tweaking. When it matters, you need to know it’ll work as intended. If you don’t know with 100% certainty that your business can recover in under a day, from something as simple as an email attachment virus, then you need to talk to us now.