The True Cost of Ransomware Attacks on your Business
R & G Group of Consultants (Pty) Ltd
What would you do if your business was held hostage by malicious ransomware blocking access to your company’s entire computer system, effectively bringing your company to a standstill and cutting you off from your customers?
A Moment of Crisis
In April 2017, this was the scenario faced by R & G Group of Consultants (Pty) Ltd, a large Quantity Surveying and Project Management firm with branches in Johannesburg, East London, Umtata, Durban, Pietermaritzburg, and Richards Bay.
However, this was not an isolated event targeting R&G Consultants. Ransomware attacks globally doubled in 2016 and, more recently, South Africa has had the spotlight turned on it, with an increasing number of companies becoming targets of ransomware attacks.
As its name suggests, ransomware attacks demand that large payments be made in order for victims to regain access to their data and continue operating their systems. Payment is usually demanded in bitcoin so it can’t be traced, and companies that do show an intention to pay the ransom sometimes find that the ransom amount is subsequently increased.
…the Petya authors offer the private encryption key used in the attack in exchange for 100 bitcoin, the equivalent of over $250,000 at current rates…
According to Cisco Talos, a Ukrainian company sent out a compromised update to its tax software that contained malware. After that, major companies around the world had to shut down their computer systems.
Geek Patrol has been R&G Consultants’ technical support services company for over 9 years, and we regularly attend to their specific tech/infrastructure issues. Prior to this attack, the company benefitted from an on-premises Microsoft Exchange server which housed all their email and project-related data.
As consulting professionals, R&G team members often work remotely moving between construction sites and the office, and therefore require easy online access to design data – all of which were also saved on their local server.
Unaware of impending catastrophe, some of the R&G team noticed unusual files appearing on the server but thought it to be a mere technical glitch.
About a day later, staff started experiencing data access problems between certain computers and devices. Recognising some of these signs, Kemlyn Pillay of our Geek Patrol team immediately investigated.
These unusual files were found to be ransomware, which quickly infected files on the company’s server. The affected server not only contained all their clients’ design and development project information, it also housed the company’s Exchange mail server.
“Once infected, you’re up against the programme’s ability to spread as fast as it can” – Kemlyn
“You have to get everyone off the network and start finding and minimizing damage as quickly as possible,” explains Kemlyn. “In worst case scenarios, companies have had to wipe clean their servers and computers and reinstall all their software from scratch; it has the potential to shut a business down.”
A few days later, due to the extensive corruption and damage of data, the server at R&G Consultants crashed. The entire company system supporting 45 users nationwide came to a standstill on 13 April 2017, the start of South Africa’s Easter long weekend – a blessing in disguise.
An inclusive solution
R&G Consultants’ Group Executive Director and CEO’s Office Manager Prenola Thevan, who is tasked with IT management across all their national offices says, “Every day lost made a financial impact on the company. We didn’t know what was happening and we didn’t know how to fix it.”
Understanding the severity of the situation and using the national holiday to their advantage, Geek Patrol worked night and day to restore the crashed server and its corrupted boot sequences, which had created a snowball effect on the data, as well as setting about repairing damaged hardware.
Kemlyn explains, “Under extreme circumstances we managed to re-engineer R&G Consultants’ network architecture in a matter of just four days. This crisis served to reveal just how vulnerable their computer systems were and how easily they could have lost all project collateral and client data. The ransomware even corrupted their backup information – it was severe and enormously damaging and we were extremely fortunate we were able to restore the backup.”
“To get the server up and running, our plan was to rebuild the server, collect and recover the data, and restructure the redundant array of independent disks (RAID) for data storage,” says Kemlyn. “But our job with R&G wasn’t over until we devised and implemented a solution to ensure future performance and security improvements.”
Future-proofing a business
A combination of R&G Consultants’ infrastructure requirements and the crippling effect of this crash opened the firm’s eyes to the benefits of cloud computing and infrastructure. The stability, availability and cost effectiveness of the cloud were key factors in their decision to implement an immediate cloud migration.
The on-prem mail system was migrated to Exchange Online, which entailed remotely accessing all users’ machines, backing up emails, then setting up the new email accounts and migrating the email back in.
Not only did the Office 365 Business Premium package address all the critical requirements for R&G, it also allowed room for future growth and scale.
In terms of repair and prevention, R&G Consultants had now covered every point of possible future attack and systems failure. Mail was hosted and supported on Office 365, each user utilised OneDrive as a repository for their data, and each national office was set up on a more advanced collaborative system, with all data migrated to the cloud and all user machines connected and updatable from any device via Microsoft SharePoint. Now, by simply signing in with their online user name, each individual user has access to the data they are authorised to see in the cloud, giving them complete IT accessibility, mobility, organisation, collaboration, permissions and storage under strict security protocols.
Key innovations and lessons learnt
Prenola shares, “From a company perspective, we were fortunate that this happened just before the Easter break so we had time to resolve the issue before the start of business the following Tuesday. Geek Patrol went above and beyond the call of duty to empower us. For their team to sacrifice their holiday plans, in our opinion, displayed their dedication and commitment to resolving our issue. It was an extremely stressful situation that required a lot of co-ordination and patience across our national footprint and the Geek Patrol team handled that effortlessly.
“What’s wonderful about having Geek Patrol as our IT team is that they are so attentive and so patient with us as their client. They are constantly communicating with us so we know, at all times, what is happening on the ground. I also like the fact that they take time to further educate you so you know what to expect should you be faced with a similar problem in the future.
“We are extremely grateful that Geek Patrol reduced our downtime from possibly a couple of weeks to just two days. As a company, R&G Consultants consider ourselves fortunate to have Geek Patrol as part of our team.” – Prenola
“In the end, the crisis was resolved in record time and an effective recovery plan was put in place. We are extremely grateful that Geek Patrol reduced our downtime from possibly a couple of weeks to just two days. As a company, R&G Consultants consider ourselves fortunate to have Geek Patrol as part of our team.
“For other companies who have inadequate or no protection against this kind of malware attack because of the perceived costs attached they might want to consider the cost of potentially losing both data and weeks of operational downtime,” advises Prenola.
Geek Patrol confirms that there is a shift towards more companies hosting data in the cloud because of the increasing threat of sophisticated attacks. In the cloud, data protection is managed by a team of specialists who ensure that servers have the latest updates, are backed up off-site, can fail over between multiple servers and sites, sit behind sophisticated firewalls to prevent security breaches and are constantly monitored for any unusual activity.
Kemlyn says, “South African companies can prepare themselves for dealing with the rising dangers of malware and should at least educate themselves about the consequences if they don’t. We advise all businesses to keep their computers current with the latest patches and software updates, and to ensure there is an effective data backup system as well as a recovery plan in place. It is a specialised skill set and we are here to help them put their best foot forward.”
What can you do to prevent ransomware?
Unfortunately, nothing. Whether your work environment is hosted in the cloud or on-prem, as long as your team is connected to the internet, you are vulnerable to some degree.
But now that you know what and how it can happen, there’s no need for you to be caught short!
Here are some tips that can help you prepare and minimise the damage:
Host your data in the cloud
Whilst it may sound counter-intuitive to push all your company’s precious information into what seems like a public realm, hosting your data in a privately controlled space that is accessible anywhere, anytime AND has the benefit of world-class security (such as Microsoft’s Azure cloud platform) is the best way to make sure you can recover with minimal damage.
Backup, backup, backup
We all know how useful backing up our information is, but so many of us are “too busy” to frequently save a duplicate copy of our work somewhere else. There are numerous backup solutions available (free or paid for!) and, if you can’t make time to back up every day, simply choose one that does it for you automatically.
Scrutinise your inbox
In this case, curiosity can kill the (lol)cat. Spam emails are getting cleverer every day. If you receive an unexpected email from your bank, post office, or other “official”-looking entity, double-check the mail headers, look closely at the From email address, or simply forward it to that entity to verify. Don’t download the attachments or click on the links within!
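The header checks described above can be done by eye in any mail client, but they are easy to automate. The following is an added example (not code from Geek Patrol or from the original article) that uses only Python’s standard `email` library: it parses a message, compares the domain shown in the From header with the Return-Path (bounce address) and Reply-To domains, and flags a Reply-To domain that differs from the From domain only by digit-for-letter swaps. The two sample messages, their addresses and domains are all constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed sample: the display name and From address claim to be a bank,
# but replies and bounces would go to unrelated domains.
SUSPICIOUS_MESSAGE = """\
Return-Path: <bounce@mail-delivery.example.net>
From: "Example Bank Security" <alerts@example-bank.com>
Reply-To: <support@examp1e-bank.co>
To: <finance@rg-consultants.example>
Subject: Urgent: verify your account
Content-Type: text/plain; charset="utf-8"

Please open the attached statement and confirm your details.
"""

# Constructed sample of an ordinary message where every domain agrees.
ORDINARY_MESSAGE = """\
Return-Path: <bounce@example-bank.com>
From: "Example Bank" <statements@example-bank.com>
To: <finance@rg-consultants.example>
Subject: Your monthly statement is ready
Content-Type: text/plain; charset="utf-8"

Log in to your account to view this month's statement.
"""

# Digits commonly used to imitate letters in look-alike domain names.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address such as '"Name" <user@host>', or '' if none."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def second_level_label(domain: str) -> str:
    """Label before the top-level domain, e.g. 'example-bank' for 'example-bank.com'."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def looks_like(candidate: str, trusted: str) -> bool:
    """True when the two labels differ only by digit-for-letter substitutions."""
    c, t = second_level_label(candidate), second_level_label(trusted)
    return c != t and c.translate(HOMOGLYPHS) == t.translate(HOMOGLYPHS)


def header_checks(raw_message: str) -> dict:
    """Run the sanity checks a careful reader would do by eye.

    Returns a mapping of finding name -> bool (True means 'looks suspicious').
    """
    msg = email.message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    return_domain = domain_of(msg.get("Return-Path", ""))
    return {
        # Replies would be sent to a different domain than the one shown in From.
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        # The bounce (envelope) address is not in the From domain, which often
        # means the From header was written by someone other than the domain owner.
        "return_path_mismatch": bool(return_domain) and return_domain != from_domain,
        # Reply-To domain is a look-alike of the From domain (e.g. '1' for 'l').
        "lookalike_reply_domain": bool(reply_domain) and looks_like(reply_domain, from_domain),
    }


def is_suspicious(raw_message: str) -> bool:
    """True if any of the header checks fired."""
    return any(header_checks(raw_message).values())


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("ordinary", ORDINARY_MESSAGE)):
        print(label, header_checks(raw), "-> suspicious" if is_suspicious(raw) else "-> ok")
```

A hit from any of these checks is a reason to verify with the sender through a channel you already trust before opening anything; a clean result is not proof that a message is safe, since a sender can control all three headers, which is why the article’s advice not to open unexpected attachments or links still stands.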