C1 Blog

Lessons From a Survivor of Ransomware

Written by Stephan George, Solutions Architect | Jun 3, 2021 2:00:00 PM

My first response was, “Not possible!” Turns out, it was very possible and very much a reality. To be fully transparent, I thought my life and professional career were over in that moment; 25 years down the drain just like that! I took the cyberattack very personally.

As an Executive Director at one of the largest school districts in my state, I had officially become the next victim of ransomware.

“Cyberattack” and “ransomware” are not synonymous terms. A cyberattack is the event, while ransomware (a form of malware) is the engine that carries the cyberattack out. A cyberattack can use one or more of the following techniques: brute force, credential stuffing, malware, and phishing. Ransomware is commonly distributed through a phishing email. Phishing emails typically carry a hyperlink to a file that executes automatically once downloaded. From there, the malware can give the cybercriminals access to your network, while the ransomware itself primarily encrypts the Mac or Windows machine it landed on. For the record, ransomware can spread to the rest of the network. Cybersecurity awareness training has been shown to reduce successful phishing, but the rate never reaches zero.

Ultimately, I gathered my bearings and then met with my team so that we could do what we do best. We became survivors of ransomware versus simply becoming victims: we were able to restore services without paying a ransom, all within a short period of time and with no data exfiltration.

I also learned an important lesson: it wasn’t personal, it was just business.

A magazine article from 2019 reported that personal information is significantly more valuable on the black market than stolen data and financial information. This means that cyberattacks and data breaches against education and municipalities will continue to set new records and expose public-sector entities. For my school district, this could have meant costly fines, downtime, compromised data, revenue loss, and reputational damage.

The most unfortunate and unbalanced equation regarding ransomware is that cybercriminals have a nearly endless number of tries to launch a successful cyberattack. They only need it to work once, while companies and organizations must be at their best 100% of the time to keep that single instance from taking root. It’s impossible math for any organization to solve, especially a school district. There is never enough time, resources, or user training, and there is no perfect defense. In the real world, being at your 100% best does not mean you are exempt: it means you have a Plan B to recover, and that you’ve applied due diligence to ensure critical business functions will continue to operate despite serious incidents.

Due diligence (aka Data Protection and Cyber Recovery) can be assessed using a Good, Better, Best methodology.

Figure 1. Good, Better, Best Due Diligence. Adapted from “Dell Cyber Recovery Data Sheet” by Dell Technologies. Retrieved April 2021.

Good: 3-2-1 Backup; Retention lock and immutable copy; Elevated security credentials.

Better: all “Good” items, plus Insider protection and Multi-backup software vendor support.

Best: all “Better” items, plus Operational air gap with data isolation and immutability; Full context indexing with machine learning analytics; Robust recovery tools; Sheltered Harbor Program.

Most ransomware infections occur outside working hours, which matters for education and other verticals because most IT shops run 9-to-5. The situation becomes more dire once you factor in dwell time. Loosely translated, dwell time is the undetected period between the initial compromise and the actual cyberattack. Tragically, dwell times range from a few days to several months.
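As an added illustration of the Good, Better, Best tiers in Figure 1 (this is example code, not part of the original post or any ConvergeOne or Dell tooling), the script below grades a backup inventory against the nested tiers and reports which check blocks the next one. The field names, the reading of “elevated security credentials” as separate MFA-protected backup admin accounts, and the reduction of “Best” to its air-gap criterion are simplifying assumptions; the sample inventory is constructed.

```python
from dataclasses import dataclass

@dataclass
class BackupCopy:
    name: str
    media: str        # "disk", "tape", "object", ...
    offsite: bool
    immutable: bool   # retention-locked copy nobody can delete before expiry
    air_gapped: bool  # operationally isolated from the production network
    vendor: str       # backup software that produced the copy

def meets_3_2_1(copies):
    """3 copies, on at least 2 media types, with at least 1 copy off-site."""
    return (len(copies) >= 3
            and len({c.media for c in copies}) >= 2
            and any(c.offsite for c in copies))

def assess(copies, insider_protection, elevated_credentials):
    """Return (tier, gaps): the highest Figure 1 tier fully satisfied and the
    failed checks blocking the next one. Tiers nest (Better requires Good);
    "Best" is approximated here by its air-gap criterion only (assumption)."""
    tiers = [
        ("Good", {
            "3-2-1 backup": meets_3_2_1(copies),
            "retention lock / immutable copy": any(c.immutable for c in copies),
            "elevated security credentials": elevated_credentials,
        }),
        ("Better", {
            "insider protection": insider_protection,
            "multi-vendor backup software": len({c.vendor for c in copies}) >= 2,
        }),
        ("Best", {
            "operational air gap with immutability":
                any(c.air_gapped and c.immutable for c in copies),
        }),
    ]
    reached = "None"
    for name, checks in tiers:
        gaps = [check for check, ok in checks.items() if not ok]
        if gaps:
            return reached, gaps
        reached = name
    return reached, []
# Constructed sample (not real data): 3 copies, 2 media, 1 off-site, none immutable.
SAMPLE_COPIES = [
    BackupCopy("nightly-disk", "disk", False, False, False, "VendorA"),
    BackupCopy("weekly-tape", "tape", False, False, False, "VendorA"),
    BackupCopy("cloud-replica", "object", True, False, False, "VendorB"),
]
```

Calling `assess(SAMPLE_COPIES, insider_protection=False, elevated_credentials=True)` shows that the sample satisfies 3-2-1 yet still fails “Good” on the missing immutable copy.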

The methodologies in Figure 1 can be implemented without the assistance of a solutions provider, but do you really have time to channel decades of industry experience into becoming a cybersecurity expert before the inevitable? More to the point, would you rather be proactive, or find yourself cornered, begging leadership to pay a ransom in the hope of returning to business as usual?

ConvergeOne knows and understands that building a cybersecurity posture is a continuous journey, not a destination. We have developed a nationally recognized architecture and approach to ransomware readiness that no single manufacturer’s solution can provide. It lets you restore uncompromised data you can trust, verified through validation, and get back online in a separate environment even while the FBI has frozen your production environment for forensics. In many cases, you can even leverage your existing data center investments at whatever Recovery Maturity index you are currently operating at. We’ve helped numerous entities across the country give their boards, councils, and leadership an answer not only for how to weather ransomware, but also for how prepared they truly are for an attack at this very moment.

Allow us to be the partner who understands the transformative impact that Data Protection and Cyber Recovery have on your business and fully appreciates time to value.