Arvig: Responding to Ransomware
In late March 2016, at approximately 10:25 a.m., several Arvig employees received an email that appeared to come from another Arvig-owned company, with a fax attached. When employees opened the attachment, the LOCKY ransomware launched on their computers. It immediately began “locking down” files by encrypting the data on the local machine, then searched for shared file servers it could reach and infect.
Arvig’s systems engineers were alerted when employees could no longer open their files and began seeing .locky at the end of the file names. At approximately 1:30 p.m., the systems engineers disconnected the shared file servers so the ransomware could no longer spread. By this time the LOCKY virus had infected approximately 20 computers.
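The early warning in this incident was files on the shared servers being renamed with a .locky suffix. The following is an added example (not Arvig’s tooling) of detection logic that scans file-server rename audit lines for a burst of such renames from one host and user; the log format and all hosts, users and paths are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines in a hypothetical format:
#   <ISO timestamp> RENAME host=<host> user=<user> path=<new path>
SAMPLE_LOG = r"""
2016-03-29T10:31:02 RENAME host=WS-ACCT-07 user=jdoe path=\\FS01\shared\Q1_report.xlsx.locky
2016-03-29T10:31:03 RENAME host=WS-ACCT-07 user=jdoe path=\\FS01\shared\budget.docx.locky
2016-03-29T10:31:03 RENAME host=WS-ACCT-07 user=jdoe path=\\FS01\shared\invoices.pdf.locky
2016-03-29T10:31:04 RENAME host=WS-ACCT-07 user=jdoe path=\\FS01\shared\contacts.csv.locky
2016-03-29T10:31:05 RENAME host=WS-ACCT-07 user=jdoe path=\\FS01\shared\notes.txt.locky
2016-03-29T10:31:06 RENAME host=WS-ACCT-07 user=jdoe path=\\FS01\shared\plan.pptx.locky
2016-03-29T10:31:40 RENAME host=WS-ENG-02 user=asmith path=\\FS01\shared\design_v2.vsd
2016-03-29T10:32:10 RENAME host=WS-ENG-03 user=bjones path=\\FS01\shared\old.zip.locky
2016-03-29T10:32:11 LOGON host=WS-ENG-03 user=bjones
"""

LINE_RE = re.compile(r"^(\S+) RENAME host=(\S+) user=(\S+) path=(\S+)$")
RANSOM_EXT = ".locky"  # extension LOCKY appends to encrypted files


def parse_line(line):
    """Return (timestamp, host, user, path) for a RENAME line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def detect_mass_rename(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map (host, user) -> total .locky renames for sources that produced
    at least `threshold` such renames inside any `window`-long period."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[3].lower().endswith(RANSOM_EXT):
            ts, host, user, _ = parsed
            events[(host, user)].append(ts)
    alerts = {}
    for key, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = len(times)
                break
    return alerts


if __name__ == "__main__":
    print(detect_mass_rename(SAMPLE_LOG))  # {('WS-ACCT-07', 'jdoe'): 6}
```

The threshold keeps a single stray rename from alerting while a burst from one workstation identifies the machine to isolate, which is the decision the engineers above made for the shared servers.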
John Ketelhut, Manager of Technical Operations for Arvig said, “There is no 100-percent effective virus solution. These days it’s not IF you’re going to have a virus, like LOCKY, on your computer(s), it’s when. What you need to make sure of is that when it happens, you can recover quickly and effectively.”
What Arvig Did Right
- The company backs up its data daily, both on and off-site, and checks to make sure it’s there. Data backups are automatically checked every morning and if there is a problem it’s fixed immediately. A good data backup meant they didn’t have to pay a ransom to the cyber attackers in order to get their data back.
- Arvig was in the process of moving to a new managed services solution when it was hit by the ransomware. The computers that had already migrated to the new security software were not affected, because it warned the user that the file was suspicious and so stopped employees from clicking on the link that initiated the virus. The legacy security software could not detect the attack, so the virus spread to several file servers.
- Arvig made the decision to reformat the infected computers, and as a result, 100 percent of the data stored on the local drives of those computers was lost. Data that employees had saved to the server, however, was successfully retrieved.
- Due to the immediate response of the systems engineers, Arvig employees were only offline (without access to the file servers/data) for approximately 8 hours.
What Arvig Learned
- Educating employees about viruses is a business’s first line of defense. While the email looked like it came from a legitimate email address, closer inspection showed that it had been modified. With the right knowledge, employees could have noticed this and deleted the email immediately.
- Have a good multi-layer defense plan with:
  - good server backups, which Arvig already had in place, so the business can recover quickly;
  - a qualified support team that can quickly identify the issue and take action;
  - access to a secondary support team that specializes in understanding threats to computers and technology.
About LOCKY Ransomware
The LOCKY ransomware virus originated in Europe. It is sold to individuals via the dark web and used to extort money from businesses by encrypting their data. Once the data is encrypted, a .TXT file provides specific instructions for how to get the data back. The examples below show what that file looks like and how the cyber criminals request payment for the data.