Real Life Ransomware Protection with Global Data Vault

For most clients, Global Data Vault’s services are a powerful but mostly invisible security blanket, working quietly in the background to safeguard company data. It’s only when things take an unexpected turn for the bad, that the true benefit of professional data protection and DRaaS becomes obvious. This recent case of ransomware protection and recovery is a great example.

Recently, a Global Data Vault customer (whose name will remain withheld, but we’ll call them ACME) suffered a serious ransomware attack. ACME is a large manufacturing company with over 1,000 employees – and is 100% dependent on its IT systems for production. They called support with five words nobody wants to hear:

“Something weird is going on.”

ACME’s senior IT team called Global Data Vault support, and we quickly realized this might be a ransomware attack. We immediately shut down the Cloud Connect tenant connection to the customer’s site. Even though our response was quick, by that time the malware, which ended up being a self-compiling PowerShell script, had already attacked the cloud backup repository via the on-premises Veeam Console and was also chewing through local file systems and data stores. ACME relied upon GDV to recover their business, which we completed in under 2 hours – much less time than the customer ever expected.

As part of Global Data Vault’s service, we provide an enterprise-class Security Ops Center-as-a-Service in partnership with BitLyft. Knowing the risks posed by a self-compiling PowerShell script, and working with our SOC team, we immediately enabled a whitelist-only feature for EVERY tenant in the cloud repository, meaning any script had to be specifically enabled to be allowed to run. This protected all the data that had not yet been attacked in our repository for ACME. This level of protection is only available from GDV. 

GDV uses our own scripts to automate builds of networks and to perform restores, so we had to whitelist those to allow them to work. By this point, we knew that the malware affected two backup jobs’ worth of data from our customer, and on the customer’s side the attack had caused some local storage systems to show up as raw disks, meaning it had destroyed the file system and file tables, so the data there was completely lost.

Using our proprietary Enhanced Data Protection, we recovered non-compromised data from the most recent backup and moved it to their repository and began the Instant VM Recovery process on 110 servers. We booted each server in the proper order for their environment. At the same time, we created secure VPN connections for over 100 user connections and used an external secure communication system to transmit the usernames and passwords.

Once the necessary systems were up and running, we moved them to a production hosting environment in our infrastructure. We then prepared a new physical backup appliance and shipped it to their site to provide data for their on-premises backup – and replacing the lost local data. This eliminated the need to run full backups in order to bring their local protection back to its normal status and saved significant time and effort.

Our team worked into the early hours of the morning to complete the recovery and assist as ACME’s IT staff connected all the appropriate local systems to our cloud infrastructure. As a result, operations resumed as normal and the customer is now fully recovered. They have tightened local systems security to prevent another such attack, and our protection is still in place should anything further happen.

The Global Data Vault support team worked hard and, at the end, was tired but proud of the results they achieved.