Using an exploit in an older version of Microsoft SQL Server, cyber attackers successfully deployed ransomware in Dennis Group's network. The building engineering firm used Nasuni's built-in data protection to undo all the unauthorized encryption and restore everything back to an earlier, uninfected state.
The attack occurred on a Friday night in summer 2020 and wasn't discovered until the next morning, when a staff member happened to log on to a work laptop and couldn't access certain files. The intrusion occurred on an old SQL server running legacy SharePoint, and the attackers created admin-level credentials, which they used to compromise and spread across Dennis Group's network.
The attack had the marks of professional cybercriminals, said Calen Burr, IT administrator at Dennis Group. They had "done their homework" by researching what versions of software Dennis Group was using, figured out how to exploit them and struck when no one was around to stop them.
"The bad guys certainly knew what they were doing," Burr said.
Dennis Group uses Nasuni, a software-defined cloud file storage platform that provides a global file system front end but stores its data in cloud object storage. Its primary function is to serve as a cloud-based NAS file system for sharing and collaboration across Dennis Group's eight offices, but it also has several built-in features, such as instant recovery, data protection and ransomware mitigation.
Burr used logs and auditing from security software Dennis Group had at the time to determine when exactly the intrusion occurred, then had Nasuni roll back to before that point. The rollback process took only 15 minutes, after which he had a functioning file system with no trace of ransomware. Additionally, because no one was working during the weekend, Dennis Group lost no important data to the restoration process.
Dennis Group is an engineering firm that designs and builds food processing facilities. It has built food and beverage manufacturing plants for brands such as Dole, Pepperidge Farm, Baskin-Robbins, Heinz and Kellogg's, along with some breweries and distilleries. Headquartered in Springfield, Mass., Dennis Group has four other offices spread across the U.S. and three international offices in Brazil, Portugal and Canada.
Preparing for the next ransomware attack
The actual business impact of the ransomware attack was minimal, but it kicked off a wave of IT security initiatives at Dennis Group, Burr said. Roughly 80% of Dennis Group's 550 employees work from home with company-issued laptops, and the company enabled multifactor authentication for remote desktop access while revoking local admin privileges. Additionally, IT staff cleaned out old accounts with administrative credentials, and the company bought Datto as an additional layer of backup for its servers.
Dennis Group purchased SentinelOne security software, then hired a third party to monitor it, and Burr most recently finished switching Dennis Group from Cisco Meraki firewalls to Fortinet FortiGate. He is currently working on segmenting Dennis Group's network to limit the blast radius of future attacks. Even with all this effort, Burr is fully aware that no defense is bulletproof, and it's just a matter of piling layers upon layers of security to discourage future attacks.
"We're just preparing for the next time this happens. I honestly don't believe anything you can do can fully stop this from happening in the future," Burr said.
Most of the recoveries Dennis Group performs using Nasuni aren't from cyber attacks but from accidental deletions and overwrites, Burr said. He added that he's impressed by the product's ability to restore at both a granular level and at a grand scale -- especially because data protection was not the primary reason he purchased Nasuni.
Dennis Group initially intended Nasuni to be a tape replacement, Burr said. About seven years ago, the company wanted a system to store, share and archive the massive drawing and blueprint files with which it worked. Tape served that role at the time, but it did so in a slow, cumbersome way. Burr investigated cloud-based methods for letting geographically dispersed workers work on the same files, and Nasuni's cloud file system proved the best fit.
Burr recalled that one of his very first projects when he started working at Dennis Group was to try to restore data from tapes. The process was lengthy and painful, and ultimately salvaged about 10% of the data.
"I'd be fine if I never have to touch tape again," Burr said.