What Should You Do When Your Data Is Held for Ransom?

You come into work on a typical Monday morning… and find something devastating. One of your machines was infected with the Crypto virus, which then spread to your main servers.

All of your files are locked.

But it gets worse.

The virus owner is demanding you pay a ransom – or lose your files forever.

Does that sound like the plot of a modern action movie? Well, sadly, it’s not. It happens to businesses every day. In fact, it happened to some of our IT support clients.

Lessons From a Near Death Experience

“It was a near death experience for us. One more day being down and we would literally have been out of business.”

This statement may seem dramatic, but it is actually a quote from one of our long-time IT support clients. And it was all too true. Due to several missteps by their cloud provider, the Crypto virus caused 7 days of downtime.

This was no mom-and-pop shop, either. This was a 50+ employee company with multiple locations brought to a standstill due to this horrible virus.

No business wants to be in this situation. Most businesses couldn’t survive a full week of being completely down. So you might be asking: what can I do to avoid getting a virus?

First, let’s set the record straight. It is a myth that you can secure your business so tightly that you never get a computer virus. Even with the best firewalls, anti-virus software, intrusion protection, Internet filtering and policies in place, your system may still get infected at some point. Why? Because…

  1. Virus protection is a cat-and-mouse game. New viruses are created and released every minute, and antivirus software must be updated to contend with each one.
  2. People are only human. Human error is the number one reason companies get infected. Well-meaning employees click on the wrong thing while surfing the web or reading emails, or they open infected attachments.
  3. Many hackers are diabolically smart. Many viruses are cleverly disguised to look safe and legitimate. That infected email might have a very real-looking logo from a major company. That attachment might look like a resume PDF – one you’ve actually been expecting – only to reveal itself as a virus once you open it.

So what’s a business to do? Beyond the IT team doing all they can to protect the business against viruses, the most important deterrent is user education.

Do all of your users really know what not to click on and what not to open? Do they know what telltale virus clues to look for? Hackers are getting more clever and sophisticated, so this education has to become even more of a priority today. Many users are so busy, they quickly open and click just to move on with their day. But taking that extra few seconds to assess before they click might mean the difference between life and death for your business.

Your Business EMTs: The Response Team

Once a virus is found, the company must move quickly into an organized response process. This should include a designated and well-trained response team that can jump right into action. Whether that team is made up of internal IT people or a third-party IT support vendor, identifying this team before a virus hits is critical.

In the past week alone, we have seen 5 clients’ systems become infected with dangerous viruses. Most of them were infected with some form of Crypto virus, which locks you out of your files (encrypts them) and tells you to pay a ransom to regain access. If you don’t pay the ransom within the “kidnapper’s” timeframe, your files will remain locked forever.

So if you are hit with a Crypto virus, what steps should you take?

  1. Inform your IT staff so they can begin the response process and investigate the severity of the infection.
  2. Every virus comes with a “payload.” This is what really does the damage to your systems. If the payload has not been activated, your IT team may be able to remove the virus without any damage.
  3. If the payload has been activated with a Crypto virus, this means you will be unable to access your files – and you must choose one of these two options:
    a. Determine when the payload was activated and restore clean files from a backup prior to that date and time.
    b. Pay the ransom and hope the hacker will unlock your files.

Choosing 3a or 3b is a business decision – not a technical one. Because of the financial implication (in money and downtime) in paying a ransom for data, only the business leadership can make this call. To make that call wisely, though, they need the best information their IT team can provide.

To Pay or Not to Pay

Just this week alone we have seen both cases: paying ransom and restoring from a backup. In all cases the clients were able to get their data back and get back to business, but only after several days of costly downtime.

But let me be very clear: paying the ransom is no guarantee. In that case, you are trusting the hacker (the person who infected your system in the first place!) to keep up their end of the bargain.

Because no one can guarantee paying the ransom will work – or work long-term — many companies choose to restore their data from backups. This can be a relatively easy endeavor, or one that is very painful. Success depends on knowing these key pieces of information before restoring from a backup:

  1. Do you know the last date/time your data was clean, and do you have backups from that date and prior?
  2. Is the good data backup prior to the virus still viable? For example, if the last known good backup was 30 days ago, that data may be so old that restoring it would be useless.
  3. Are the backups complete server container backups or only file backups? This is VERY important. Server container backups may be restored with the underlying server software, applications and data all at one time, which only takes hours. File-level backups require manually rebuilding the servers, configuring them, loading the software, configuring it and finally loading the files — which can take days.
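The two judgement calls described above, working out when the payload fired (step 3a of the response steps) and checking whether the clean backups before that point are recent enough and of the right type, can be scripted against a file inventory and a backup catalogue so leadership sees data loss and restore effort side by side. This is an added example, not code from this post or from Fluid IT Services. The file records, backup timestamps and the one-hour safety margin are constructed for illustration, and the restore-effort figures (about a day for a container restore, about two days for a file-level restore) are planning assumptions taken from the post's own numbers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Planning assumptions drawn from the post: a server container (whole-image)
# restore takes hours, a file-level restore takes about two days when nothing
# goes wrong. Adjust these for your own environment.
RESTORE_DAYS = {"container": 1, "file": 2}


@dataclass
class FileRecord:
    path: str
    modified: datetime
    encrypted: bool  # set during triage (file will not open, ransom extension, ...)


@dataclass
class Backup:
    taken: datetime
    kind: str  # "container" (whole-server image) or "file" (file-level only)


@dataclass
class Candidate:
    backup: Backup
    data_loss: timedelta  # work done after this backup that the restore will not bring back
    restore_days: int     # rough downtime for this backup type
    stale: bool           # older than the business is willing to roll back to


def estimate_payload_activation(files: List[FileRecord]) -> datetime:
    """Approximate when encryption started: the earliest modification time
    among files known to be encrypted. Anything changed after this is suspect."""
    stamps = [f.modified for f in files if f.encrypted]
    if not stamps:
        raise ValueError("no encrypted files in the inventory; the payload may not have fired")
    return min(stamps)


def restore_candidates(files: List[FileRecord], backups: List[Backup],
                       max_age_days: int = 7,
                       safety_margin: timedelta = timedelta(hours=1)) -> List[Candidate]:
    """Return the clean backups newest first, each with its data-loss window and
    restore effort, so the 'which backup' call can be made as a business decision."""
    activated = estimate_payload_activation(files)
    # The infection predates the first encrypted file, so a backup taken just
    # before the payload fired may already contain the dropper: keep a margin.
    cutoff = activated - safety_margin
    clean = sorted((b for b in backups if b.taken < cutoff),
                   key=lambda b: b.taken, reverse=True)
    candidates = []
    for b in clean:
        loss = activated - b.taken
        candidates.append(Candidate(
            backup=b,
            data_loss=loss,
            restore_days=RESTORE_DAYS[b.kind],
            stale=loss > timedelta(days=max_age_days),
        ))
    return candidates


# Constructed sample data (not from the post): a small share inventory and
# three backups, one of which was taken after encryption began.
SAMPLE_FILES = [
    FileRecord(r"\\srv01\share\finance\q1.xlsx", datetime(2016, 3, 12, 23, 41), True),
    FileRecord(r"\\srv01\share\hr\handbook.docx", datetime(2016, 3, 12, 23, 55), True),
    FileRecord(r"\\srv01\share\hr\resume.pdf", datetime(2016, 3, 10, 15, 2), False),
]
SAMPLE_BACKUPS = [
    Backup(datetime(2016, 3, 13, 2, 0), "container"),  # taken after the payload fired: unusable
    Backup(datetime(2016, 3, 12, 2, 0), "file"),       # newest clean copy, but file-level only
    Backup(datetime(2016, 3, 3, 2, 0), "container"),   # fast to restore, but nine days old
]


if __name__ == "__main__":
    fired = estimate_payload_activation(SAMPLE_FILES)
    print(f"payload activation estimated at {fired:%Y-%m-%d %H:%M}")
    for c in restore_candidates(SAMPLE_FILES, SAMPLE_BACKUPS):
        flag = " (STALE)" if c.stale else ""
        print(f"{c.backup.taken:%Y-%m-%d %H:%M} {c.backup.kind:9s} "
              f"loses {c.data_loss} of work, ~{c.restore_days} day(s) to restore{flag}")
```

Run as-is, the script reports the file-level backup from the night before as the newest clean copy (about a day of lost work, roughly two days to rebuild) and the nine-day-old container backup as a faster but stale alternative, while the backup taken after the payload fired is excluded outright. Which of the two to use is the business decision the post describes; the script only puts the numbers on the table.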

In the nightmare case of the business that was down for over seven days, critical events happened that worsened the situation. First, the Crypto virus response timeframe had lapsed, so paying the ransom was no longer an option. But second — and worst of all — the backups the cloud provider had were not server container backups (which the vendor had promised they would be), but file-level backups only.

This last problem forced us to work with the cloud provider to restore the file backups. To do this, we had to figure out the last day the data was clean. Only then could we figure out where to start. However, before actually restoring the files, we also had to do the following.

  • Rebuild the virtual servers
  • Load and configure Windows Server
  • Load and configure the software applications (e.g. QuickBooks)
  • Restore files to each server
  • Reset the printer settings, file sharing settings, and user settings

If the cloud provider had done their part right, this would have taken 2 days. But unfortunately they made mistakes at almost every step, creating a lot of rework for everyone. The end result was that it took over 7 full days and over 130 hours from our team to help them get it right.

Do the math. That’s 7 days x 24 hours — 168 hours of downtime. That shows you just how intense (and expensive) getting a virus can be.

What You Should Do Right Now to Protect Your Business

In the Fluid cloud, our proprietary cloud solution, our backups have multiple layers and always include server container backups. In this same situation we would have had them back online in less than 24 hours.

No one wants a computer virus, and certainly no business wants to be down a day — much less a week. Here are some steps you can take with your business to be more proactive, so you can better avoid viruses and be more prepared to respond if you do get hit:

  1. Educate your management and users on the importance of information security. Provide them with simple tip-sheets of dos and don’ts, and follow them up with face-to-face training.
  2. Ensure your IT department or provider has the right type of data backups — and that those backups are current.
  3. Define and confirm who is on your response team and what their process is. This way they are ready to respond in a calm and methodical fashion if and when a virus infects your systems.
  4. Most importantly, be prepared. Regardless of all the precautions and preparations, you still may get infected at some point.

If you have not done ALL of the above, you are at serious risk of getting a computer virus, and of business downtime. Contact us at Fluid IT Services and we will be glad to help fill the gaps!