This recent case of ransomware protection and recovery is a great example of the effectiveness of Global Data Vault’s services which are usually a powerful but mostly invisible security blanket, working quietly in the background to safeguard company data. It’s only when things take an unexpected turn for the bad, that the true benefit of professional data protection and DRaaS becomes obvious.
Recently, a Global Data Vault customer (whose name will remain withheld, but we’ll call them ACME) suffered a serious ransomware attack. ACME is a large manufacturing company with over 1,000 employees – and is 100% dependent on its IT systems for production. They called support with five words nobody wants to hear:
“Something weird is going on.”
ACME’s senior IT team called Global Data Vault support, and we quickly realized this might be a ransomware attack. We immediately shut down the Cloud Connect tenant connection to the customer’s site. Even though our response was quick, by that time the malware, which ended up being a self-compiling PowerShell script, had already attacked the cloud backup repository via the on-premises Veeam Console and was also chewing through local file systems and data stores. ACME relied upon GDV to recover their business, which we completed in under 2 hours – much less time than the customer ever expected.
As part of Global Data Vault’s service, we provide an enterprise-class Security Ops Center-as-a-Service in partnership with BitLyft. Knowing the risks posed by a self-compiling PowerShell script, and working with our SOC team, we immediately enabled a whitelist-only feature for EVERY tenant in the cloud repository, meaning any script had to be specifically enabled to be allowed to run. This protected all the data that had not yet been attacked in our repository for ACME. This level of protection is only available from GDV.
GDV uses our own scripts to automate builds of networks and to perform restores, so we had to whitelist those to allow them to work. By this point, we knew that the malware affected two backup jobs’ worth of data from our customer, and on the customer’s side the attack had caused some local storage systems to show up as raw disks, meaning it had destroyed the file system and file tables, so the data there was completely lost.
Using our proprietary Enhanced Data Protection, we recovered non-compromised data from the most recent backup and moved it to their repository and began the Instant VM Recovery process on 110 servers. We booted each server in the proper order for their environment. At the same time, we created secure VPN connections for over 100 user connections and used an external secure communication system to transmit the usernames and passwords.
Once the necessary systems were up and running, we moved them to a production hosting environment in our infrastructure. We then prepared a new physical backup appliance and shipped it to their site to provide data for their on-premises backup – and replacing the lost local data. This eliminated the need to run full backups in order to bring their local protection back to its normal status and saved significant time and effort.
Our team worked into the early hours of the morning to complete the recovery and assist as ACME’s IT staff connected all the appropriate local systems to our cloud infrastructure. As a result, operations resumed as normal and the customer is now fully recovered. They have tightened local systems security to prevent another such attack, and our protection is still in place should anything further happen.
The Global Data Vault support team worked hard and, at the end, was tired but proud of the results they achieved.
More Ransomware and Cybersecurity Articles
How to Plan and Execute a Data Protection Audit
Embrace the Audit The word “audit” strikes fear in the hearts of most business owners, but a pre-emptive data protection audit should actually be embraced. Taking stock of your data and the many scenarios which could impact its continuity is vital to the livelihood of...
Loss of power during Hurricane Isaac
As Hurricane Isaac continues its slow march inland, the city of New Orleans is largely without power this afternoon. This image shows the widespread power outages in the city. It’s seems eerie that today is the seventh anniversary, if you should call it that, of...
The Difference Between Public Cloud and Private Cloud Services
There’s a lot of discussion about the “cloud” and what that means in regards to your data storage. We’ve even overheard conversations among business professionals stating that data storage in the “cloud” is not safe, but other solutions where the data is still being...
Hacking Threat and Data Protection
If you’re thinking, “No one would want my company information, we’re never going to be a target of a hacker,” you’ll need to get your head examined and prepare for the worst. Hackers are attacking everyone from the little mommy bloggers to the US Government’s top...
Thank you for sharing this client story. We at CIEN Consulting also stress the importance of backups to our clients and have mentioned horror stories like this. However, being well prepared and aware of these potential ransomware attacks is almost essential in today’s world.
Keep up the great work!