What happens when your Security gets Compromised?

We recently had a Sage 300 (formerly known as Accpac) client who experienced a ransomware attack, learning the hard way that there were gaps in their IT security that could have left them with nothing. As the role that technology plays in business grows, so does the need for more robust security measures; however, it often takes a run-in like this before a business realizes how important those measures are.

To give some context, malware, short for ‘malicious software’, refers to hostile or intrusive software such as computer viruses, Trojan horses, ransomware or spyware (to name a few), and it can arrive from almost anywhere: an email attachment, a download, a compromised website or an infected USB drive. Malware is often disguised as normal files or interactions, meaning there are endless routes it can use to sneak into your system.

In recent years, a particularly concerning type of malware has picked up traction: ransomware. Ransomware is malware that encrypts a victim’s files (meaning they can no longer be opened or used) and demands a ransom for the key needed to decrypt them. Given the opportunity for financial gain, ransomware has become one of the most common and damaging types of malware.

For our client the attack was a huge wake-up call, since only after the fact did they learn the simple measures that could have strengthened their IT security and prevented the attack, or at least limited its impact.

Case Study: Manufacturing Company
Discovering the Issue

While going about their daily tasks, one of our Sage 300 clients noticed that something strange was going on with the files in the shared folder on the company network. Some files would not open, and on top of that Sage 300 wasn’t working properly either. In this situation the first step is normally to call your Managed Services Provider (MSP), but since they didn’t have one they contacted us, their Sage 300 partner, in the hope that we could help them figure out what was going wrong.

Since we weren’t their MSP, we didn’t have the remote access needed to assess their servers and the situation, so we rushed down to visit them on site. When we arrived we discovered that Sage 300 wasn’t working because the files it needed were encrypted. Their back-up server had been infected by ransomware that had gone completely undetected for an entire month. The ransomware was only noticed when it started to spread to the files that employees used for their regular tasks, which meant it had had time to gain a foothold and work its way through the company’s back-ups.

Stopping the Ransomware & Restoring Files

It’s important to note that in the majority of ransomware cases recovering the encrypted files without the attacker’s key is difficult or even impossible, so you are faced with two options: paying the ransom or cleaning your system and restoring the files from a back-up. Paying the ransom is extremely ill-advised: there is no guarantee that your files will be released, paying does nothing to remove the malware or close the gap it came in through, and even if you do get your files back you will likely be targeted again because the attack was successful and lucrative for the attackers.

The first step is always to stop it from spreading, to minimize the damage. They had two servers, the main server and their back-up server, so we disconnected both from the network to ensure the malware couldn’t reach other systems and people’s workstations. Luckily in this situation the ransomware was easy to contain because it hadn’t reached the workstations yet, but the client still faced one of the worst situations possible: the ransomware had infected both their main server and their back-ups, so there was an extremely high chance they would lose all of their data.

In an ideal situation, a business should keep its data backed up in three copies, on at least two different kinds of media, with one copy off site (the so-called 3-2-1 rule), and at least one of those copies should be offline or otherwise unreachable from the production network, so that ransomware on a server cannot encrypt the back-ups along with the data. This ensures that there will always be a working back-up that can be restored immediately following a disaster, without issue. This is common for businesses that have a Managed Services Provider; however, in many cases businesses only have one back-up, which leaves them exposed to far more severe repercussions following a malware attack.

Thankfully the damage to one of the back-up tapes was significantly less than to the rest, so our team was able to salvage almost all of the manufacturer’s data. The back-up server had to be rebuilt from scratch, and systems were down for 3 days while our team wiped the ransomware from the system, recovered most of the data (one day of file changes was unrecoverable) and restored everything back to normal. This, however, is not the norm; this client was extremely lucky. In the majority of cases similar to this one, where the main server and the back-ups are both affected, everything is lost.

How did it happen?

It’s difficult to pinpoint the exact origin of the attack, but it’s clear that it started on the back-up server and spread from there. They were running regular back-ups and their controller was checking that the back-up jobs completed, but they made one major (and common) error: they never checked that the back-ups could actually be restored. A back-up job can report success while writing files that are already encrypted, corrupt or unreadable. As discussed in our previous blog about data back-ups and disaster recovery, many back-ups go untested and over 50% of tape back-ups fail, which means many businesses only discover a faulty back-up when it’s too late. There were a number of factors that played into how this company got ransomware, but we can say with certainty that had the back-ups been tested with a real restore, the ransomware would have been discovered sooner and its impact could have been minimized.

Enhancing IT Security

On paper it seemed like they were doing everything right: they were running regular back-ups, and they had a firewall and anti-virus. But this client is the perfect example of how a few small cracks in security can quickly turn into a massive breach. Their setup was flawed because they had only one form of back-up, their back-ups were never tested (ideally a restore should be tested weekly), their firewall hadn’t been updated in 6 years, and their anti-virus wasn’t sufficient.
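Testing a back-up, in the sense the two sections above use the term, means actually restoring it and checking what comes out, not just checking that the job reported success. The following Python script is an added example written for this article; it is not tooling from the page or from The Answer Company. It restores a tar archive into a scratch directory, compares every file with a SHA-256 manifest recorded when the back-up was taken, and flags files that look encrypted (near-random content, or a ransom-style extension) as well as files the manifest never listed. The archive format, the manifest, the entropy cut-off and the suffix list are assumptions for illustration; the sample data and the toy “ransomware” that scrambles it are constructed for the demo.

```python
# Added illustration, not tooling from the page or from The Answer Company.
# Assumes tar back-ups and a SHA-256 manifest recorded at back-up time and kept
# where the back-up server cannot overwrite it (e.g. on the MSP's own host).
import hashlib
import io
import math
import os
import tarfile
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits/byte; assumed cut-off (ciphertext scores near 8.0)
RANSOM_SUFFIXES = (".locked", ".encrypted", ".crypt")  # assumed, illustrative only


def entropy(data):
    """Shannon entropy in bits per byte: text is ~4-5, encrypted data is ~8."""
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def make_backup(files):
    """Write files into an in-memory tar; return (archive bytes, name -> sha256)."""
    buf, manifest = io.BytesIO(), {}
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = hashlib.sha256(data).hexdigest()
    return buf.getvalue(), manifest


def verify_backup(archive, manifest):
    """Restore into a scratch directory and compare every file with the manifest.
    Keys: ok, missing, changed, encrypted (changed and high-entropy, or ransom
    suffix), unexpected (restored but never in the manifest, e.g. a ransom note)."""
    report = {"ok": [], "missing": [], "changed": [], "encrypted": []}
    restored = {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
            try:  # a back-up pulled from a compromised server is untrusted input:
                tar.extractall(scratch, filter="data")  # refuses path traversal, links
            except TypeError:  # Python build without the filter argument
                tar.extractall(scratch)
        for root, _, names in os.walk(scratch):
            for fname in names:
                path = os.path.join(root, fname)
                with open(path, "rb") as fh:
                    restored[os.path.relpath(path, scratch).replace(os.sep, "/")] = fh.read()
    accounted = set()
    for name, expected in manifest.items():
        # The file may have been renamed with a ransom extension; look for that too.
        actual = name if name in restored else next(
            (r for r in restored if r.startswith(name + ".") and r.endswith(RANSOM_SUFFIXES)), None)
        if actual is None:
            report["missing"].append(name)
            continue
        accounted.add(actual)
        data = restored[actual]
        if actual == name and hashlib.sha256(data).hexdigest() == expected:
            report["ok"].append(name)
            continue
        report["changed"].append(actual)
        if actual != name or entropy(data) > ENTROPY_THRESHOLD:
            report["encrypted"].append(actual)
    report["unexpected"] = sorted(r for r in restored if r not in accounted)
    return report


def sample_files():
    """Constructed stand-in for an application data folder (not real Sage data)."""
    return {
        "SAMDAT/orders.csv": b"order_id,customer,amount\n1001,ACME,250.00\n1002,Globex,75.50\n" * 20,
        "SAMDAT/notes.txt": b"Month-end close completed. Reviewed by controller.\n" * 30,
    }


def simulate_ransomware(files, suffix, key=b"constructed-demo-key"):
    """Constructed stand-in for encrypting ransomware: XOR each file with a SHA-256
    keystream and append a suffix. A toy for the demo, not a real cipher."""
    out = {}
    for name, data in files.items():
        block, stream = hashlib.sha256(key + name.encode()).digest(), b""
        while len(stream) < len(data):
            block = hashlib.sha256(block).digest()
            stream += block
        out[name + suffix] = bytes(a ^ b for a, b in zip(data, stream))
    return out


def run_demo():
    """Verify a clean back-up, then one taken after the simulated ransomware ran."""
    files = sample_files()
    archive, manifest = make_backup(files)  # manifest kept from the known-good run
    clean = verify_backup(archive, manifest)
    hit = simulate_ransomware({"SAMDAT/orders.csv": files["SAMDAT/orders.csv"]}, "")
    hit.update(simulate_ransomware({"SAMDAT/notes.txt": files["SAMDAT/notes.txt"]}, ".locked"))
    hit["SAMDAT/HOW_TO_DECRYPT.txt"] = b"Your files are encrypted.\n"  # constructed ransom note
    infected = verify_backup(make_backup(hit)[0], manifest)
    return clean, infected


if __name__ == "__main__":
    for label, rep in zip(("clean back-up", "infected back-up"), run_demo()):
        print(label, rep)
```

Two design points matter in practice. The manifest has to live somewhere the back-up host cannot overwrite, otherwise an infected server simply records hashes of the already-encrypted files and the check passes. And the archive is treated as untrusted input (hence the `data` extraction filter), since a back-up pulled from a compromised server can carry crafted paths. Entropy is only a heuristic: compressed or legitimately encrypted files score high as well, so a hit should trigger a look by a person rather than an automatic verdict, but a restore that is mostly “changed and high-entropy” is exactly the signal this client’s monthly-old infection would have produced on the first weekly test.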

Following this experience, the Sage 300 client started working with us as their Managed Services Provider (MSP) as well, which has allowed them to substantially improve their IT security and shift to a more proactive stance. Part of what allowed us to address the attack so quickly and effectively, though, was our knowledge of their ERP and surrounding systems. Vince Andriani, IT Service Manager at The Answer Company, explains that “the primary goal of a Managed Service Provider is to be proactive as opposed to reactive. With active management and monitoring, situations like this can be mitigated and in most cases avoided”.

Having an MSP helps take the pressure off you to catch security breaches yourself. Depending on the level of managed services chosen, an MSP will run multiple back-ups in different locations and test them regularly, monitor your network for security threats, and flag and address any sign of a malware attack immediately.