3 ransomware detection techniques to catch an attack How to prevent ransomware: 6 key steps to safeguard assets

Ransomware attack case study: Recovery can be painful

Even with full backups and no permanent data loss, recovering from ransomware can be expensive and painful, as evidenced in this ransomware attack case study.

Several years ago, seasoned IT consultant David Macias visited a new client's website and watched in horror as it started automatically downloading ransomware before his eyes. He quickly unplugged his computer from the rest of the network, but not before the malware had encrypted 3 TB of data in a matter of seconds.

"I just couldn't believe it," said Macias, president and owner of ITRMS, a managed service provider in Riverside, Calif. "I'm an IT person, and I am [incredibly careful] about my security. I thought, 'How can this be happening to me?' I wasn't online gambling or shopping or going to any of the places you typically find this kind of stuff. I was just going to a website to help out a client, and bingo -- I got hit."

Macias received a message from the hackers demanding $800 in exchange for his data. "I told them they could go fly a kite," he said. He wiped his hard drive, performed a clean install and restored everything from backup. "I didn't lose anything other than about five days of work."

Ransomware case study: Attack #2

A few years later, in 2017, another of Macias' clients -- the owner of a direct-mail printing service -- called to report he couldn't access his server. Macias logged into the network through a remote desktop and saw someone had broken through the firewall. "I told the client, 'Run as fast as you can and unplug all the computers in the network,'" he said. This short-circuited the attack, but the hacker still managed to encrypt the server, five out of 15 workstations and the local backup.

"What made this ransomware attack so bad was that it attacked the private partition that lets you restore the operating system," Macias added. Although the ransom demanded was again only $800, he advised against paying, since attackers often leave backdoors in a network and can return to steal data or demand more money.

Fortunately, Macias had a full image-based backup of the client's network saved to a cloud service. Even so, recovery was expensive, tedious and time-consuming. He had to reformat the hard drive manually, rebuild the server from scratch and reinstall every single network device. The process took about a week and a half and cost $15,000. "The client was just incredibly grateful that all their data was intact," Macias said.

Although pleased the client's data loss was negligible, Macias wanted to find a more efficient, less painful disaster recovery strategy. Shortly after the second ransomware incident, he learned about a company called NeuShield, which promised one-click backup restoration. He bought the technology for his own network and also sold it to the client that had been attacked. According to NeuShield, its Data Sentinel technology works by showing an attacker a mirror image of a computer's data, thus protecting the original files and maintaining access to them even if encryption takes place.

Ransomware case study: Attack #3

In 2019, two years after the printing service's first ransomware incident, the company owner was working from home and using a remote desktop without a VPN. A hacker gained entry through TCP port 3389 and deployed ransomware, encrypting critical data. But Macias said NeuShield enabled him to restore the system with a click and reboot. "When they got hit the first time, it took forever to restore. The second time, they were back up and running in a manner of minutes," he said.

I thought, 'How can this be happening to me?'
David MaciasPresident, ITRMS

But while he sings NeuShield's praises, Macias noted the technology doesn't negate the need for antivirus protection to guard against common malware threats, or cloud backup in case of fires, earthquakes or other disasters. "Unfortunately, there's no one-stop solution," he said. "I wish there was one product that included everything, but there isn't."

Macias said he knows from personal experience, however, that investing upfront can prevent massive losses down the road. "I've had clients tell me, 'I'll worry about it when it happens.' But that's like driving without insurance. Once you get into an accident, it's too late."

Next Steps

How to create a ransomware incident response plan

Best practices for reporting ransomware attack

How to remove ransomware, step by step

17 ransomware removal tools to protect enterprise networks

How to find ransomware cyber insurance coverage in 2022

This was last published in March 2021

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing