This content is part of the Essential Guide: The modern disaster recovery market explained

Ransomware recovery cases show it's possible to come back from attack

Real estate, police and law organizations all had one thing in common: successful ransomware data recovery. These case studies detail how they were protected.

This is the second part of a two-part series exploring the rise of ransomware and how organizations can best be...

protected from it. In part one, statistics showed the prevalence of ransomware, and analysts weighed in on best practices and offered thoughts on what vendors can do for protection against it. Part two provides case studies of organizations that experienced a successful ransomware recovery.

Though the concept of ransomware dates back decades, the problem has hit an epidemic level in the last couple of years, with the FBI estimating it to be a billion-dollar "industry" in 2016.

This malware that encrypts the victim's data and demands payment for the decryption key often gets into a system through an infected email attachment or website. The case studies below detail how organizations were hit and their ransomware recovery strategy that followed, with the help of vendors Reduxio, Nasuni and Carbonite.

Other vendors that are out in front of the ransomware outbreak include Unitrends, Zerto, Commvault, Acronis, Barracuda, Infrascale, Asigra and Datto.

Barnstable Police vs. ransomware

In July 2016, the Barnstable Police Department on Cape Cod deployed Reduxio and its BackDating technology. The next month, the Massachusetts department was hit with a ransomware attack. Barnstable didn't pay the ransom, avoided major data loss and completed a full systems recovery within a half hour.

Without Reduxio, the ransomware recovery would have taken several days, said Craig Hurwitz, IT director at the police department, a 130-person team in a tourist town.

"Given that we are a 24/7/365 operation whose mission is to serve and protect our citizens, this delay would have been unacceptable," Hurwitz wrote in an email. "As a result, we would have had little choice but to pay the ransom.

"We previously had legacy backup and storage, which required frequent snapshotting. Everything was time-consuming to back up and recover, and therefore very slow."

Reduxio's HX550 became the primary storage system, with hundreds of virtual application servers and desktops migrated from the legacy system.

The ransomware hacker penetrated the systems, locking the department out of certain files, Hurwitz said. While the department was still working to figure out exactly how the attack got started, it was seeing new file extensions on its data, indicating that the data was being encrypted. The department could not open certain files and received a follow-up email asking for payment in order to regain access to the data.

Barnstable's IT team quickly made a call to the Reduxio support team after noticing the attack, said Mike Grandinetti, chief marketing and corporate strategy officer at Reduxio, based in San Francisco.

Hurwitz credited Reduxio's BackDating for allowing the department to recover from the attack in about 30 minutes with no significant data loss.

"Being able to recover from a ransomware attack or any outage has to do with the organization's data backup schedule," Hurwitz said.

BackDating acts as a time machine for data, cloning any volume to any point in time for data recovery or application testing purposes, according to the vendor.

Lewis Group vs. ransomware

The Lewis Group of Companies, a real estate developer based in Upland, Calif., was hit with the Cryptolocker strain of ransomware through an email-based phishing attack one night in June 2014 and didn't find out about it until the next morning. Thankfully, the computers there regularly shut down at 2 a.m., so the ransomware was not able to encrypt files after that time, said Michael Viselli, senior information services project manager.  

After an employee reported the incident, the IT team scanned the network to find out the extent of the damage. The attack penetrated an employee's machine, her directory and a shared volume. The ransomware recovery solution: Detach the volumes from the public file share and use cloud NAS vendor Nasuni's snapshots to restore the volumes back to the moment before the infection.

"Everyone came in, and it was like nothing ever happened," Viselli said.

Nasuni provides distributed organizations with cloud-based NAS. Backups are stored both locally and in the cloud.

The Lewis Group has about 500 employees and 35 offices across California and Nevada. But the attack only affected one office. The folder hit was backed up every 10 minutes, and the employee affected was working on email. The physical PC had to be wiped to ensure it was clean, but the company was able to restore all of the data. 

For protection against ransomware, Viselli urged organizations to make sure backups are in more than one place. In addition, he recommended backing up often and being careful about opening attachments in emails.

"It really paid for itself," Viselli said of the Nasuni system.

Carbonite's ransomware recovery

Kimmel & Silverman's ransomware recovery strategy involved restoring 287,000 files in less than 24 hours with Carbonite, the cloud backup provider the law firm has used since 2012.

The firm, which has offices in several states and about 50 employees, was hit in June 2016 with a variant of the Locky virus, said Jeff Ehrmann, the firm's IT director.

An employee at the firm's Pennsylvania headquarters couldn't open files. Ehrmann found the .locky extension on files on the employee's computer, cleared out the temporary folder where problems often occur and disconnected the computer from the network.

 Locky file extension
This set of samples shows encrypted documents with the .locky file extension, as well as the recovery instructions.

The ransomware was downloaded via a macro inside of a Word document, which was hidden in a zip file attached to an email. It was downloaded to and executed from the user's temporary folder, but the affected files were on two file servers and also that particular user's computer -- documents and the desktop.

The computer had been running for 12 hours, so the virus had time to affect hundreds of files, Ehrmann said. The firm lost an estimated 500 to 1,000 documents -- ones it had worked on that day -- but it was able to retrieve some of them through email. The firm never received a ransomware message.

Carbonite customer care immediately bumped the problem up to higher-tier support and found the firm's backup. The nearly 300,000 files restored were not all encrypted by the virus, but Carbonite wanted to make sure the firm had a solid backup, Ehrmann said.

To help with protection against ransomware, Ehrmann recommended users notify IT about suspicious emails, which could contain broken English and misspellings.

"Educating users is probably your best defense," Ehrmann said. And also: "Backup, backup, backup."

In a similar way, C & C Realty Management LLC of Augusta, Maine, was infected with Cerber ransomware after it received an email from someone posing as a candidate for a job or internship. The firm immediately contacted its IT contractor, and disconnected and shut down all servers and computers linked to servers. The attack affected areas of the firm's productivity for a couple of days.

We always have to just stay one step ahead of the bad guys. Cybercrime is a big, big business.
Norman Guadagnochief evangelist at Carbonite

The firm did not consider paying the ransom because it had backed up information and could restore, said CEO Cathie Whitney. It also anticipated the ransomware recovery taking longer and costing more than it did. 

"The data on the server backed up to Carbonite was recovered by them in full -- we did not lose any of that data," Whitney wrote in an email. "In fact, Carbonite stepped right up when we contacted them and offered to manage the restoration for us, which they did promptly, and a day later that server was back and available to us. Information on a separate shared drive with manual backups by staff was affected, and that backup did require some duplication of effort for a few days' loss of some documents."

Education goes a long way toward protection

Carbonite unveiled a website last year that serves as a one-stop educational resource about ransomware, including breaking news, technical analysis, actionable tips, research and security best practices.

Norman Guadagno, chief evangelist at Boston-based Carbonite, offered suggestions for protecting against ransomware attacks:

  • "When in doubt, don't click."
  • Learn to identify phishing -- for example, if a name doesn't match the email address.
  • In a shared environment, "if you see something, say something," don't just walk away; it's important to isolate the attack as soon as possible.
  • Have antivirus protection.
  • Change passwords frequently.
  • Have backups.

"We always have to just stay one step ahead of the bad guys," Guadagno said. "Cybercrime is a big, big business."

Next Steps

Proper backup strategy can aid the fight against ransomware

Ransomware attacks getting smarter and nastier

Secure your network, fend off ransomware infections

Dig Deeper on Disaster recovery planning - management