
This recent case of ransomware protection and recovery is a great example of the effectiveness of Global Data Vault’s services which are usually a powerful but mostly invisible security blanket, working quietly in the background to safeguard company data. It’s only when things take an unexpected turn for the bad, that the true benefit of professional data protection and DRaaS becomes obvious.
Recently, a Global Data Vault customer (whose name will remain withheld, but we’ll call them ACME) suffered a serious ransomware attack. ACME is a large manufacturing company with over 1,000 employees – and is 100% dependent on its IT systems for production. They called support with five words nobody wants to hear:
“Something weird is going on.”
ACME’s senior IT team called Global Data Vault support, and we quickly realized this might be a ransomware attack. We immediately shut down the Cloud Connect tenant connection to the customer’s site. Even though our response was quick, by that time the malware, which ended up being a self-compiling PowerShell script, had already attacked the cloud backup repository via the on-premises Veeam Console and was also chewing through local file systems and data stores. ACME relied upon GDV to recover their business, which we completed in under 2 hours – much less time than the customer ever expected.
As part of Global Data Vault’s service, we provide an enterprise-class Security Ops Center-as-a-Service in partnership with BitLyft. Knowing the risks posed by a self-compiling PowerShell script, and working with our SOC team, we immediately enabled a whitelist-only feature for EVERY tenant in the cloud repository, meaning any script had to be specifically enabled to be allowed to run. This protected all the data that had not yet been attacked in our repository for ACME. This level of protection is only available from GDV.
GDV uses our own scripts to automate builds of networks and to perform restores, so we had to whitelist those to allow them to work. By this point, we knew that the malware affected two backup jobs’ worth of data from our customer, and on the customer’s side the attack had caused some local storage systems to show up as raw disks, meaning it had destroyed the file system and file tables, so the data there was completely lost.
Using our proprietary Enhanced Data Protection, we recovered non-compromised data from the most recent backup and moved it to their repository and began the Instant VM Recovery process on 110 servers. We booted each server in the proper order for their environment. At the same time, we created secure VPN connections for over 100 user connections and used an external secure communication system to transmit the usernames and passwords.
Once the necessary systems were up and running, we moved them to a production hosting environment in our infrastructure. We then prepared a new physical backup appliance and shipped it to their site to provide data for their on-premises backup – and replacing the lost local data. This eliminated the need to run full backups in order to bring their local protection back to its normal status and saved significant time and effort.
Our team worked into the early hours of the morning to complete the recovery and assist as ACME’s IT staff connected all the appropriate local systems to our cloud infrastructure. As a result, operations resumed as normal and the customer is now fully recovered. They have tightened local systems security to prevent another such attack, and our protection is still in place should anything further happen.
The Global Data Vault support team worked hard and, at the end, was tired but proud of the results they achieved.
More Ransomware and Cybersecurity Articles
The truth about Office 365 backup
Microsoft is not responsible to back up Office 365 For years, Microsoft customers have been able to take advantage of cloud-based offerings for all or parts of the Microsoft Office Suite, Microsoft Exchange, Microsoft SharePoint, and OneDrive. This “Office...
How to Protect Against Ransomware Attacks
It's more important than ever to protect against ransomware. Cybercriminals are having a field day targeting business and government IT infrastructures. You can no longer assume that these criminals only go after weak or poorly secured targets because that is simply...
Hackers Attacking International Suppliers
Cybercrime exploiting vulnerabilities in international supplier's networks There’s a saying, “Make sure everybody in your boat is rowing and not drilling holes when you’re not looking.” It’s a great analogy for some of the more recent high-profile incidents of...
Ransomware: What You Need to Know Now
Get Beyond Malware Attacks The internet is an amazing, useful and often wonderful thing. It’s also a giant mess. For every resource it gives your business that helps you succeed, it also offers a threat. Not-safe-for-work embarrassments aside, there are some...
Thank you for sharing this client story. We at CIEN Consulting also stress the importance of backups to our clients and have mentioned horror stories like this. However, being well prepared and aware of these potential ransomware attacks is almost essential in today’s world.
Keep up the great work!