Ransomware Case Study
Organizations and businesses are cybercrime targets.
Whether or not you're prepared is up to you.
Defending Your Organization from Ransomware
Arctic Air has been producing quality, dependable and affordable commercial food storage refrigeration units since 1995. Their product line includes stainless steel refrigerators, freezers and food preparation tables. Arctic Air was attacked by ransomware in April of 2018. Their preparedness allowed them to minimize their costs, downtime and data loss.
The Day of the Attack
On an otherwise normal Monday morning in April 2018, eleven Arctic Air employees arrived at work to find they could not access files, send emails or use the internet. Chuck Leukuma, Controller at Arctic Air, soon emailed Scott Stone, IT Services Engineer V at Loffler, for assistance. Stone remotely accessed their system and within the hour confirmed Arctic Air had been hit with ransomware.
“Looking back, it was a small bump in the road,” Leukuma said, “but at the time, we didn’t know how much it would affect us.”
What would this cyberattack cost Arctic Air? Could the data be restored? In the generally quiet and reserved Arctic Air office that day, no one panicked, although it is fair to say there was frustration, Leukuma said. Loffler IT engineers were on-site at Arctic Air by 11:00 am and first focused on getting all desktops access to the internet, so employees could use their cloud-based accounting software. Employees had no access to files stored on the server, which made up much of their typical daily work.
“We wanted to get back up and running as soon as possible,” Leukuma said.
The majority of critical files were stored on their server, which was backed up and, more importantly, able to be restored. The Loffler IT engineers were on-site at Arctic Air until 9:00 pm that day, when they went home and allowed server fixes to run overnight. The next morning, desktops were working, and the Loffler team continued into the next few days restoring files from backups taken from the nights before the attack. The total labor cost to restore files from backup was $4,500.
How Ransomware Works
Ransomware commonly originates when someone downloads an infected email attachment or clicks a link from an unknown source. This malware encrypts files and makes them unusable throughout the network. To recover the files, the hacker typically demands a sum of money. An attack like the one at Arctic Air would likely be ransomed for $20,000 to $30,000, payable in bitcoin. Arctic Air, however, did not need to pay the ransom because they were prepared with restorable file backups.
Although whether or not to pay the ransom is ultimately a business decision left up to the affected business, Loffler follows the guidance of law enforcement agencies like the FBI, which recommend that organizations never pay the ransom.
“Sometimes they pay and never get files back,” Stone said, “or the hacker can come back and ask for more.”
With ransomware comes a risk of data breach, but not always. Generally, ransomware encrypts data and demands money to have that data unlocked, and a data breach is not an issue. In the case of Arctic Air, data was encrypted locally on their server, and no evidence of a data breach was discovered.
Lessons Learned
In the end, the damage done to Arctic Air that day was minimal. They had much to celebrate, as they were well-prepared with data backups. The event resulted in some valuable lessons all businesses can benefit from when it comes to ransomware:
Back Up Data and Make Sure You Can Restore It
“Our general advice for any ransomware attack is to be prepared with good backups,” Stone said. Because Arctic Air was prepared, they were able to recover their files without engaging the hacker or paying the ransom. Many other organizations are not so prepared.
End-User Education
Because ransomware is most likely to result from an end user clicking a link or downloading an email attachment they should not, it is best to be proactive about educating all employees on best practices and how to avoid phishing scams.
Know Who to Call
Companies without a trusted IT partnership may handle ransomware attacks blindly. They don’t know what to do, who to call or how to mitigate risks. Because Arctic Air is a valued Loffler client, Loffler IT engineers knew their system well and could help them immediately.
Do Not Save Files to the Desktop
While Loffler engineers were able to restore some desktop files, others, like a shipping schedule for the warehouse, needed to be rebuilt. A policy to always save files on a server, where they are backed up, is highly recommended.
Looking to the Future
Arctic Air will use this ransomware attack to further their data backup abilities. Their new solution will mean faster file restoration and backup of desktop files. If they are hit with ransomware again, their downtime and restoration costs will be cut in half. The average time to restore each workstation was two hours. With the new solution, that time will be reduced to 15-20 minutes per workstation, or 1/6 the time. When paying per hour, that results in a significant decrease in the cost to recover from ransomware.
“This event reinforced our need to do what we should have done six months ago,” Leukuma said.
Ransomware can happen anywhere and have far worse consequences than what Arctic Air saw. Their data was backed up and able to be recovered, with no evidence of data having actually been stolen or otherwise compromised. At the end of the day, they lost some data that had been saved to employees’ desktops and not backed up, but everything that was stored on the server was able to be restored.
“It was painful for the day, but nothing that would put us out of business,” Leukuma said.