This recent case of ransomware protection and recovery is a great example of the effectiveness of Global Data Vault’s services which are usually a powerful but mostly invisible security blanket, working quietly in the background to safeguard company data. It’s only when things take an unexpected turn for the bad, that the true benefit of professional data protection and DRaaS becomes obvious.
Recently, a Global Data Vault customer (whose name will remain withheld, but we’ll call them ACME) suffered a serious ransomware attack. ACME is a large manufacturing company with over 1,000 employees – and is 100% dependent on its IT systems for production. They called support with five words nobody wants to hear:
“Something weird is going on.”
ACME’s senior IT team called Global Data Vault support, and we quickly realized this might be a ransomware attack. We immediately shut down the Cloud Connect tenant connection to the customer’s site. Even though our response was quick, by that time the malware, which ended up being a self-compiling PowerShell script, had already attacked the cloud backup repository via the on-premises Veeam Console and was also chewing through local file systems and data stores. ACME relied upon GDV to recover their business, which we completed in under 2 hours – much less time than the customer ever expected.
As part of Global Data Vault’s service, we provide an enterprise-class Security Ops Center-as-a-Service in partnership with BitLyft. Knowing the risks posed by a self-compiling PowerShell script, and working with our SOC team, we immediately enabled a whitelist-only feature for EVERY tenant in the cloud repository, meaning any script had to be specifically enabled to be allowed to run. This protected all the data that had not yet been attacked in our repository for ACME. This level of protection is only available from GDV.
GDV uses our own scripts to automate builds of networks and to perform restores, so we had to whitelist those to allow them to work. By this point, we knew that the malware affected two backup jobs’ worth of data from our customer, and on the customer’s side the attack had caused some local storage systems to show up as raw disks, meaning it had destroyed the file system and file tables, so the data there was completely lost.
Using our proprietary Enhanced Data Protection, we recovered non-compromised data from the most recent backup and moved it to their repository and began the Instant VM Recovery process on 110 servers. We booted each server in the proper order for their environment. At the same time, we created secure VPN connections for over 100 user connections and used an external secure communication system to transmit the usernames and passwords.
Once the necessary systems were up and running, we moved them to a production hosting environment in our infrastructure. We then prepared a new physical backup appliance and shipped it to their site to provide data for their on-premises backup – and replacing the lost local data. This eliminated the need to run full backups in order to bring their local protection back to its normal status and saved significant time and effort.
Our team worked into the early hours of the morning to complete the recovery and assist as ACME’s IT staff connected all the appropriate local systems to our cloud infrastructure. As a result, operations resumed as normal and the customer is now fully recovered. They have tightened local systems security to prevent another such attack, and our protection is still in place should anything further happen.
The Global Data Vault support team worked hard and, at the end, was tired but proud of the results they achieved.
More Ransomware and Cybersecurity Articles
While phishing, spearphishing, and malicious web links are probably among the most common attacks used by hackers to infiltrate an organization, some old-school techniques still exist—and are just as effective as hacking techniques due to the focus on more modern...
Businesses face all types of pressure in today’s marketplace. One of the most devastating is a data loss event that can destroy a company within seconds. Malware threats are increasing at a dizzying pace, and all types of insider threats are taking the stage as the...
As if getting hit with ransomware wasn't costly enough, a statement from The United States Department of the Treasury's Office of Foreign Assets Control (OFAC) titled: Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments indicates potential fines...
How many types of insider threats are there? One? Three? Six? All of the above is likely correct, although most people would indicate one commonality in their answers: humans. Most would also separate this human threat into three categories: compromised, negligent,...