Real Life Ransomware Protection with Global Data Vault


This recent case of ransomware protection and recovery is a good example of the effectiveness of Global Data Vault’s services, which are usually a powerful but mostly invisible security blanket, working quietly in the background to safeguard company data. It is only when things take an unexpected turn for the worse that the true benefit of professional data protection and DRaaS becomes obvious.

Recently, a Global Data Vault customer (whose name will remain withheld, but we’ll call them ACME) suffered a serious ransomware attack. ACME is a large manufacturing company with over 1,000 employees – and is 100% dependent on its IT systems for production. They called support with five words nobody wants to hear:

“Something weird is going on.”

ACME’s senior IT team called Global Data Vault support, and we quickly realized this might be a ransomware attack. We immediately shut down the Cloud Connect tenant connection to the customer’s site. Even though our response was quick, by that time the malware, which turned out to be a self-compiling PowerShell script, had already attacked the cloud backup repository via the on-premises Veeam Console and was also chewing through local file systems and data stores. ACME relied on GDV to recover their business, which we completed in under 2 hours, much less time than the customer ever expected.

As part of Global Data Vault’s service, we provide an enterprise-class Security Operations Center-as-a-Service in partnership with BitLyft. Knowing the risks posed by a self-compiling PowerShell script, and working with our SOC team, we immediately enabled a whitelist-only feature for EVERY tenant in the cloud repository, meaning any script had to be specifically enabled before it was allowed to run. This protected all of ACME’s data in our repository that had not yet been attacked. This level of protection is only available from GDV.

GDV uses its own scripts to automate network builds and to perform restores, so we had to whitelist those for them to keep working. By this point, we knew that the malware had affected two backup jobs’ worth of the customer’s data. On the customer’s side, the attack had caused some local storage systems to show up as raw disks, meaning it had destroyed the file system and file tables, so the data there was completely lost.
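The two paragraphs above describe a default-deny script policy: nothing runs unless it has been specifically approved, and the operator’s own automation had to be added to the allowlist. The following is an added illustration of that idea in Python, not Global Data Vault’s or Veeam’s code, and it does not reflect how the repository feature is actually implemented. It assumes a hash-based allowlist (script name plus SHA-256 of the reviewed contents), and the script names and bodies are constructed placeholders. The point it shows is why such a gate also stops a script that rewrites itself: a self-modified copy no longer matches its approved hash.

```python
"""Default-deny script allowlist gate (added example, hash-based; constructed data)."""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample: the operator's own reviewed automation scripts.
# Names and bodies are placeholders, not any vendor's real scripts.
APPROVED_SCRIPTS: Dict[str, bytes] = {
    "build-network.ps1": b'Write-Output "building network"\r\n',
    "run-restore.ps1": b'Write-Output "starting restore"\r\n',
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the exact bytes; any edit to the script changes this value."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(approved: Dict[str, bytes]) -> Dict[str, str]:
    """Map script name -> hash of its reviewed contents (the 'specifically enabled' set)."""
    return {name: sha256_hex(body) for name, body in approved.items()}


def check_script(allowlist: Dict[str, str], name: str, contents: bytes) -> Tuple[bool, str]:
    """Decide whether a submitted script may run.

    Default deny: unknown names are refused, and a listed name is accepted
    only if the submitted bytes hash to the approved value.
    """
    expected = allowlist.get(name)
    if expected is None:
        return False, "not on allowlist"
    actual = sha256_hex(contents)
    # Constant-time comparison of the hex digests.
    if not hmac.compare_digest(actual, expected):
        return False, "contents differ from approved version"
    return True, "approved"


def evaluate_submissions(
    allowlist: Dict[str, str], submissions: List[Tuple[str, bytes]]
) -> List[Tuple[str, bool, str]]:
    """Run the gate over a batch and return (name, allowed, reason) in order."""
    return [(name, *check_script(allowlist, name, body)) for name, body in submissions]


# Constructed submissions: the approved restore script unchanged, the same
# script with an appended line (as a self-modifying script would produce),
# and a script that was never reviewed.
SUBMISSIONS: List[Tuple[str, bytes]] = [
    ("run-restore.ps1", APPROVED_SCRIPTS["run-restore.ps1"]),
    ("run-restore.ps1", APPROVED_SCRIPTS["run-restore.ps1"] + b'Write-Output "extra step"\r\n'),
    ("cleanup.ps1", b'Write-Output "cleanup"\r\n'),
]

if __name__ == "__main__":
    allowlist = build_allowlist(APPROVED_SCRIPTS)
    for name, allowed, reason in evaluate_submissions(allowlist, SUBMISSIONS):
        print(f"{'ALLOW' if allowed else 'DENY':5} {name}: {reason}")
```

Only the first submission is allowed; the tampered copy and the unlisted script are both refused, which is the behaviour the text describes when it says every script, including the operator’s own, had to be explicitly enabled. Re-approving a legitimately updated script means recording its new hash, which is the maintenance cost of a policy this strict.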

Using our proprietary Enhanced Data Protection, we recovered non-compromised data from the most recent backup, moved it to their repository, and began the Instant VM Recovery process on 110 servers, booting each server in the proper order for their environment. At the same time, we created secure VPN connections for over 100 users and used a separate secure communication channel to deliver the usernames and passwords.

Once the necessary systems were up and running, we moved them to a production hosting environment in our infrastructure. We then prepared a new physical backup appliance and shipped it to their site to seed their on-premises backup and replace the lost local data. This eliminated the need to run full backups to bring their local protection back to its normal status and saved significant time and effort.

Our team worked into the early hours of the morning to complete the recovery and assist as ACME’s IT staff connected all the appropriate local systems to our cloud infrastructure. As a result, operations resumed as normal and the customer is now fully recovered. They have tightened local systems security to prevent another such attack, and our protection is still in place should anything further happen.

The Global Data Vault support team worked hard and, at the end, was tired but proud of the results they achieved. 


1 Comment

  1. Steven

    Thank you for sharing this client story. We at CIEN Consulting also stress the importance of backups to our clients and have mentioned horror stories like this. However, being well prepared and aware of these potential ransomware attacks is almost essential in today’s world.

    Keep up the great work!
