Skip to main content

The Effects Of Ransomware On West Michigan Businesses

Discover how ransomware works in this real-world client case study and explore Envizion IT’s post-infection recovery best practices.

A few days go by without another ransomware story in the news.

What used to be just one threat in the cybercrime landscape has now become the clearest and present danger to modern businesses.

Don’t assume we’re exaggerating this for effect—experts estimate that a ransomware attack will occur every 11 seconds in 2021. It’s almost certain that you will be attacked with ransomware at some point and possibly even infected. That’s why you need to take action, defend yourself, and have a recovery plan.

To better understand how ransomware affects its target, consider this real-world case study concerning one of our clients.

Ransomware West Michigan

The Attack

The infection began when a user’s laptop was compromised by a phishing email, giving the Threat Actor (TA) full access to the PC.

The TA first accessed an administrator account by sniffing traffic across the internal network. Using administrator credentials, the TA began accessing the client’s servers and exploiting and downloading data.

It wasn’t until the third day that the TA began encrypting the target’s data. Once the process was complete, they left a ransom note in every encrypted directory.

Our Initial Response

It was at this point that the Envizion IT team received the first reports of encrypted data; all of the client’s servers were encrypted to some extent:

  • The Microsoft Data Protection Management program had been encrypted
  • Roughly 7% of file server data was encrypted
  • 48/51 machine Windows-based PLCs were encrypted
  • 23 of 400 devices were encrypted (all those onsite and powered on)

We began communicating with the TA via a dark web browser message channel. The TA gave our client three days to pay a $1.5M ransomware ($1.65M after the Bitcoin exchange). When our client and we did not immediately submit to the demand, the ransom was raised to $3M three days later.

What Data Had Been Exploited?

To increase the pressure to pay the ransom, the TA provided our client with a list of files they had obtained(10,000+), some of which dated back to 2007. Our client carefully reviewed the list to identify breached Personally identifiable information (PII).

Potentially affected individuals were notified out of an abundance of caution, given that it was never confirmed if the TA had these files or not. When the ransom was not paid, the TA provided more examples of files they had obtained, including supplier contact lists and supplier invoices.

After two weeks without ransom, the TA regained access to the client’s network through a backdoor they had set up in their first attack. The TA attempted to install malicious software, but it was flagged and prevented by our EDR solution. As a last resort, the TA launched ongoing phishing attacks to regain access to the network but was unsuccessful.

4 Weeks After The Attack

When it became clear to the TA that our client would not pay the ransom, they sold the account to a larger ransomware group known as Conti. This new group uploaded proof of the exploited data to the Dark Web for the client to confirm—however, no files were located, as it was only a replica of the folder structure.

Subsequently, DDoS attacks were launched on the client’s marketing website and external ERP. Our team summarily neutralized these, limiting the effects on our client.

Furthermore, a client profile was put on the Dark Web for sale, claiming to have access to their network and files. This profile and the message channel have since been taken down.

The Effects Of This Ransomware Attack

Thanks to our quick action and careful management, the attack caused limited disruption to our client:

  • Production was down for ~48 hours.
  • ERP was operational by the third day.
  • All 51 machines were operational by the end of the week.
  • Fileserver, licensing servers, print servers, and other functions were restored within three weeks

Furthermore, we took advantage of this opportunity to upgrade legacy software. We built our Operational Technology (OT) network for manufacturing devices, isolating these devices from the Internet and client networks.

What Will Happen If You Get Infected

As we did with this client, we follow a standardized and proven process for dealing with ransomware infections:

Step One: Quarantine/Isolation

  1. Shut everything down
  2. Contact insurance company (whether you have cyber insurance or not)
  3. Notify your legal counsel
  4. Engage Security Forensics team via your insurance company or Envizion IT
  5. Security forensics role includes:
    1. Threat Actor communication
    2. Identification of entry point
    3. Identification of malware
    4. Confirmation that EDR can address malware.
    5. Reset all user credentials/password

Step Two: Assess The Situation

  1. Security forensics identifies entry points and protects them from subsequent attacks.
  2. Perform damage assessment:
    1. What has been encrypted?
    2. What is the state of your backups?

Step Three:  Remediation

  1. Set roles:
    1. Envizion IT Lead
      1. Help to set the priority of the recovery process
      2. Coordinate Envizion resources
      3. Identify key milestones
    2. Client Lead
      1. Help set the priority of the recovery process
      2. Coordinate client resources
      3. Facilitate communication with the client leadership team
    3. Communication Manager
      1. Manages communication between IR team and client organization
      2. Oversees minimum daily updates
      3. Communicates recovery timelines and upcoming threats
  2. Create clean infrastructure:
    1. either physically removing devices or building a new virtual network
    2. This will depend on the number of devices, and the current setup of operational tools
  3. Clean devices and integrate into the clean network:
    1. Reimage Device (PC, server, or other)
    2. Restore from before attack and apply EDR
    3. If a device was not infected or encrypted, then apply EDR

This Is Why Envizion IT Focuses On Recovery

All of this goes to show why our strategy focuses more on recovery than prevention. As important as it is to defend your systems, you can’t make the mistake of assuming you’re 100% safe.

The fact is that you can spend a lot of money on cybersecurity and still get infected. How you respond will determine the damage’s extent, the disruption to your business, and in the long run, how much it’ll cost you.

The Threat Of Ransomware Is Evolving

A few years ago, ransomware wasn’t a big concern.

While high-profile incidents like the WannaCry attack on the NHS were concerning, they were far and few between. If you had a recent backup of your data, you could rely on that to replace your data if it was encrypted by ransomware.

Since then, however, the way cybercriminals use ransomware has evolved. They have improved their tactics and capabilities, allowing them to do much more damage, and demand much more money. Characteristics of modern ransomware attacks include:

Expanded Timelines

Sophisticated attackers sneak ransomware into a breached network and then lay dormant for weeks or months, ensuring their entry method isn’t discovered immediately. This gives them time to embed themselves, steal data, and more, all before they activate the ransomware and infect the systems.

Without undertaking extensive forensic processes, an infected business won’t know how far back they need to go to back up their systems. Or, even worse, it will be so far back that they’ve already expunged those backups to make room for more recent versions.

Improved Capabilities

Modern forms of ransomware can even target and infect backup hard drives and cloud-based data if the connections are left unsecured. That’s why cybersecurity professionals are now recommending digitally-air-gapped backups as well.

Given the effectiveness of modern ransomware attacks, defensive methods and best practices from just a few years ago are already losing feasibility. All of this is to say that you can’t assume you won’t be infected at some point.

No matter how strong your defensive capabilities are, ransomware may still get through.  It only takes one entry-level employee clicking on an email link to let the TA into your system.  That’s why you must plan how to respond to an attack.

What Would Happen If You Were Infected With Ransomware Right Now?

Do you have a plan? Are your system endpoints protected? Are your backups recent, tested, and viable?

It’s a mistake to assume that you won’t be anytime soon just because you haven’t been hit by ransomware yet. You may think you can put off investing in effective cybersecurity support, but you may get hit without warning.

Will Cyber Insurance Protect You From Ransomware?

Cyber insurance is a relatively new type of protection designed to help cover the potentially massive expenses associated with an unavoidable data breach. It can be a worthwhile investment, so long as you know how it works.

You may be able to invest in cyber extortion coverage, which addresses ransomware attacks in which a cybercriminal keeps encrypted data inaccessible (or, alternatively, threatens to expose sensitive data) unless a ransom is paid.

Coverage of this type addresses the costs of consultants and ransoms, including cryptocurrencies, for threats related to interrupting systems and releasing private information.

The somewhat inevitable nature of modern cybercrime has led businesses to consider cyber insurance as a final layer of reassuring protection. It’s becoming increasingly necessary, as many insurance providers have begun drawing a clear line between normally covered losses and those incurred by cybercrime-related events.

That means that if your cybersecurity doesn’t meet the standards of your insurance provider, you may not be as well covered as you think.

The Problem With Cyber Insurance

The core issue is that as cybercrime becomes more common and damaging, insurers will become more aggressive in finding ways to deny coverage. Furthermore, in the case of ransomware, they may not even be allowed to cover the ransom. In some instances, paying the ransom may be illegal, as it may fund a known party deemed dangerous by the US government.

For many reasons, it’s in the insurer’s interest that their business pays out as little as rarely as possible, which means the policies will tend to rely on a series of complicated clauses and requirements that covered parties must comply with.

Another example is that Mondelez International was denied coverage for the $100 million damage they incurred from the NotPetya attack. Their insurer, Zurich Insurance, cited the obscure “war exclusion” clause, claiming that Mondelez was a victim of a cyberwar.

This is not an isolated incident. As discovered by Mactavish, the cyber insurance market is plagued with issues concerning actual coverage for cybercrime events:

  • Coverage is limited to attacks and fails to address human error
  • Claims are limited to losses that result directly from network interruption and not the entire period of business disruption
  • Claims related to third-party contractors and outsourced service providers are almost always denied

All in all, these factors have made the industry extremely profitable for insurers and extremely unreliable for businesses. Mactavish found that for every $1 million paid in premiums, insurance companies only pay out $320,000 in claims.

31 Questions Your Cyber Insurance Carrier Is Going To Ask…

  1. Does your business have an email threat protection solution in place?
  2. Does your business use an Endpoint Detection & Response (EDR) solution?
  3. Does your business use multi-factor authentication (MFA) or Two-Factor Authentication (2FA) on all user accounts
  4. Does your business test cybersecurity standards with regular vulnerability scans
  5. Does your business prohibit incoming connections using hardware and software firewalls?
  6. How many users have local administrator rights enabled?
  7. Do you have a content filtering solution?
  8. Does your business monitor traffic into and out of the network
  9. Do your staff members have access to a password manager?
  10. Are admin accounts tracked and monitored to limit and log access?
  11. Have you recently tested backups of all mission-critical data, applications, and configurations?
  12. Do you have encryption for backups (both at rest and in transit)?
  13. Do you store backups on and offsite?
  14. Do an air-gap, and separate authentication mechanisms protect your offsite backups?
  15. Does your business use a cloud syncing service? (e.g. OneDrive, DropBox, SharePoint, Google Drive)
  16. Is your cloud data backed up?
  17. Can staff members access business email on their personal devices?
  18. Can staff members send or receive PII, ePHI, or PCI data through business email?
  19. Do you have an email encryption solution in place?
  20. Is your staff regularly tested and trained on phishing and other social engineering attack vectors?
  21. Do you have a log aggregation solution in place?
  22. Do you have a Security Incident and Event Management (SIEM) system?
  23. Do you have an update and patch management system in place?
  24. Does your business monitor its network 24/7?
  25. Do you work with a third-party IT company?
  26. Do you rely on a third-party Security Operations Center (SOC)?
  27. Is all data encrypted (at rest and in transit)?
  28. Does your business have a documented policy for addressing unsafe conduct by employees?
  29. Is your business compliant with applicable regulations and standard systems?
  30. Do you have a policy limiting employees’ access to business data to resigning or terminated employees?
  31. Do you have a Mobile Device Management policy to limit risks posed to business data by your employees’ personal devices?

As you can see, there’s a lot involved in qualifying for cyber insurance. Without a comprehensive cybersecurity strategy and the proper team engagement, you may not qualify.

What You Need To Qualify For Cyber Insurance

  • Multi-Factor Authentication
  • Patching & Firmware Updates
  • Offline backups
  • Use only supported software
  • Implement policies for executing payroll, ACH, wire transfers, etc.
  • Email phishing and malware protection
  • Centralized PC Authentication
  • Remote Desktop Protection
  • Encrypted Drives
  • Admin Permission Management

Ransomware Defense Is About More Than Prevention

In the end, you can’t make any assumptions about your cybersecurity. No matter how well-defended you are, you won’t be able to guarantee that you won’t get infected by ransomware.

The right range of robust recovery capabilities will minimize downtime and costs. Our goal for our clients is that you will never pay a ransom to recover lost data.

Book a meeting with our team today for more information about our ransomware response capabilities.