In May 2020 Spectra Logic, a Boulder, Colorado based data storage and data management solutions company, experienced a ransomware attack while in the process of moving to remote work. The attack used one of the more active ransomware families and encrypted a significant amount of the company’s data. Ransomware is a type of malware, often spread through phishing emails (as was the case for Spectra Logic), that once opened encrypts an organization’s data, making it inaccessible until the company pays a ransom to have the data decrypted. Note that the attackers sometimes take the money but never decrypt the data, so paying may not get your data back.
Spectra Logic did not pay the roughly $3M ransom requested to recover their data. The company had a policy that made disaster recovery, including an air-gapped copy of its data, a high priority. Spectra Logic also brought in experts to help make sure that recovered data was not infected. Because of its disaster recovery policies, the company had several recovery paths, including off-site tapes at Iron Mountain. These off-site backup tapes provided a true air gap with non-infected data; in addition, the ransomware was not able to propagate through the tape library, which provided an additional data air gap.
It took Spectra Logic 3 to 4 days to check and clear the ransomware infections. No customer data was lost, and no data actually left the company as a result of the attack. The company had cyber-insurance that helped defray some of the costs of data recovery, but there were still significant business costs from the incident, although not as much as there would have been if the company had paid the ransom.
What to do?
Remote workers expose organizations to greater risk of ransomware and other malware attacks. It is not a question of ‘if’ but rather ‘when’ an organization will experience an attack.
Develop a strategy for dealing with such attacks, with good disaster recovery plans in place that include multiple copies of data on multiple media in multiple locations, as well as air-gapped copies that are disconnected from the network so that ransomware cannot reach backup data.
What can you do when this happens to you?
If your network is infected with ransomware, immediately shut down and identify the malware causing the issue.
Identify the source of the infection and immediately change all passwords.
Check to see if decryption software for the specific “bad actor” malware is available. If so, mitigate the malware.
If you are unable to decrypt the data, reinstate the network from a known “clean” backup.
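The backup strategy above (multiple copies, multiple media, multiple locations, at least one air-gapped copy) and the final response step (reinstate from a known clean backup) can both be expressed as checks over a backup inventory. The following is an added example, not Spectra Logic's tooling or anything from the original article; the inventory, dates, labels, and the policy thresholds (3 copies, 2 media, 2 locations, test restores no older than 30 days) are constructed assumptions. It rates an inventory against the policy and picks the newest air-gapped copy that predates the earliest sign of infection and has a successful test restore on record.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class BackupCopy:
    label: str
    medium: str                   # "disk", "tape", "cloud-object", ...
    location: str                 # site where the copy physically lives
    network_reachable: bool       # True if a host on the production network can write to it
    taken_at: datetime            # when this copy's data was captured
    last_verified_restore: Optional[datetime]  # last successful test restore, None if never tested


def is_air_gapped(copy: BackupCopy) -> bool:
    """A copy counts as air-gapped only if nothing on the production network can write to it."""
    return not copy.network_reachable


def evaluate_policy(copies: List[BackupCopy], now: datetime, min_copies: int = 3,
                    min_media: int = 2, min_locations: int = 2,
                    max_verify_age: timedelta = timedelta(days=30)) -> List[str]:
    """Return a list of policy findings; an empty list means the inventory meets the policy."""
    findings = []
    if len(copies) < min_copies:
        findings.append(f"only {len(copies)} copies, policy requires {min_copies}")
    media = {c.medium for c in copies}
    if len(media) < min_media:
        findings.append(f"only {len(media)} media type(s) ({', '.join(sorted(media))}), "
                        f"policy requires {min_media}")
    locations = {c.location for c in copies}
    if len(locations) < min_locations:
        findings.append(f"only {len(locations)} location(s) ({', '.join(sorted(locations))}), "
                        f"policy requires {min_locations}")
    gapped = [c for c in copies if is_air_gapped(c)]
    if not gapped:
        findings.append("no air-gapped copy: ransomware on the network could reach every backup")
    # An air-gapped copy that has never been test-restored is not a *known* clean copy.
    for c in gapped:
        if c.last_verified_restore is None:
            findings.append(f"{c.label}: air-gapped but never test-restored")
        elif now - c.last_verified_restore > max_verify_age:
            findings.append(f"{c.label}: last test restore is older than {max_verify_age.days} days")
    return findings


def select_clean_restore_point(copies: List[BackupCopy],
                               first_infection_seen: datetime) -> Optional[BackupCopy]:
    """Newest copy that is air-gapped, was taken before the earliest known sign of
    infection, and has a successful test restore on record. None if no such copy exists."""
    candidates = [c for c in copies
                  if is_air_gapped(c)
                  and c.taken_at < first_infection_seen
                  and c.last_verified_restore is not None]
    return max(candidates, key=lambda c: c.taken_at, default=None)


# Constructed sample inventory: labels and dates are illustrative, not Spectra Logic's.
INVENTORY = [
    BackupCopy("nas-snapshots", "disk", "hq-datacenter", True,
               datetime(2020, 5, 11), datetime(2020, 5, 1)),
    BackupCopy("tape-library-local", "tape", "hq-datacenter", False,
               datetime(2020, 5, 9), datetime(2020, 4, 20)),
    BackupCopy("offsite-tapes", "tape", "offsite-vault", False,
               datetime(2020, 5, 6), datetime(2020, 4, 28)),
]

if __name__ == "__main__":
    now = datetime(2020, 5, 12)
    for finding in evaluate_policy(INVENTORY, now) or ["policy met"]:
        print(finding)
    chosen = select_clean_restore_point(INVENTORY, first_infection_seen=datetime(2020, 5, 10))
    print("restore from:", chosen.label if chosen else "no clean copy available")
```

The NAS snapshot is the newest copy but is writable from the production network, so it is neither counted as air-gapped nor offered as a restore point; the on-site tape library, taken the day before the assumed first infection, is chosen over the older off-site tapes. Dropping the off-site set from the inventory produces findings for both copy count and location count, which is the kind of gap the policy above is meant to catch before an incident rather than during one.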