June 29, 2021
How to Handle a Ransomware Attack in Progress
Mike Pfeiffer of American Solutions for Business shares details of how the Top 40 distributor thwarted a “zero-day attack” on its servers in this in-depth webinar.
Ransomware attacks are on the rise – and no industry is safe from the threat of cybercrime.
This spring, JBS – the world’s largest meat supplier – paid an $11 million ransom after cybercriminals temporarily knocked out plants, according to news reports. About a month earlier, Colonial Pipeline paid about $4.4 million to hackers who took its pipeline system offline, reports show. Last year, the FBI received almost 2,500 reports of ransomware attacks – up 66% from 2019 – and ransomware victims paid cyber crooks some $350 million in cryptocurrency ransom payments in 2020.
“Anybody can be a target,” says Mike Pfeiffer, vice president of technology for Top 40 distributor American Solutions for Business (ASB; asi/120075). “It’s probably a case of when you’re attacked, not if.”
ASB was the victim of a ransomware attack in 2019. Instead of paying a ransom – something Pfeiffer says was never an option for his company – the distributor was able to thwart the attack, thanks to having robust processes in place and a well-trained “go team” at the ready. In this webinar, Pfeiffer walks viewers through the event timeline, explains what protective measures were effective and shows how proper response strategies were deployed to enable recovery.
The attack on ASB came on a Friday evening, when many members of the tech team were eating out or at a company-sponsored movie night. It was a “zero-day attack,” Pfeiffer explains, referring to an exploit of a vulnerability that attackers find and use before the vendor has noticed and patched it. ASB monitors all its servers – both web-facing and internal – constantly to track when and if they go down. Within minutes of receiving the alert that one of the servers had gone down, the company’s “go team” – consisting of five senior members of the company’s technology staff – was at work addressing the problem. “Attacks can be a very dynamic situation,” Pfeiffer says. “Time can be of the essence.”
Pfeiffer recommends that the go team train and drill regularly under multiple circumstances to make sure they’re ready to address real attacks whenever they might happen. “Pick a weird time” to do a drill, Pfeiffer says, since real-world events often happen while the technical team is at home or out and about.
The team discovered encrypted files on its server and worked quickly to wall off and contain the issue before it could do any damage. “We knew we had something serious at that point,” Pfeiffer says.
ASB first took the time to back up the ransomware environment on its servers, in case it was needed at a later date for law enforcement purposes. Then the tech team started active restoration of its systems. Two important metrics to remember for this process, Pfeiffer says, are recovery time objective (RTO) and recovery point objective (RPO). RTO is the target for how long it should take to recover your company’s servers after a disaster is declared, and RPO is how much data loss, measured as a window of time, is acceptable for your business. Business leaders should check with their own tech teams and partners to make sure they know each of those metrics and have tested them in a live production environment, Pfeiffer says.
For ASB, the RTO is four hours and the RPO is 15 minutes’ worth of data. During the 2019 ransomware attack, Pfeiffer’s team was able to restore its servers in three hours, without losing any data.
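To make the RTO/RPO test concrete, here is an added example (not code from the webinar or from ASB) that checks an incident timeline against those two targets. The timeline, snapshot times and the moment encrypted files were first seen are constructed sample values; the 4-hour and 15-minute targets are the ones quoted above.

```python
from datetime import datetime, timedelta

# Targets quoted in the webinar summary: 4-hour RTO, 15-minute RPO.
RTO_TARGET = timedelta(hours=4)
RPO_TARGET = timedelta(minutes=15)

# Constructed sample timeline (hypothetical, not ASB's real data).
SNAPSHOTS = [datetime(2019, 6, 7, 17, m) for m in (0, 15, 30, 45)]
COMPROMISE = datetime(2019, 6, 7, 17, 50)  # encrypted files first observed
DECLARED = datetime(2019, 6, 7, 17, 52)    # disaster declared by go team
RESTORED = datetime(2019, 6, 7, 20, 52)    # servers back in service


def achieved_rto(declared, restored):
    """Elapsed time from disaster declaration to completed restore."""
    return restored - declared


def last_clean_snapshot(snapshots, compromise):
    """Latest snapshot taken before encryption began.

    Snapshots taken after the compromise may already contain encrypted
    files, so they cannot be the restore point.
    """
    clean = [s for s in snapshots if s < compromise]
    if not clean:
        raise ValueError("no snapshot predates the compromise")
    return max(clean)


def achieved_rpo(snapshots, compromise):
    """Data-loss window: from the last clean snapshot to the compromise."""
    return compromise - last_clean_snapshot(snapshots, compromise)


def max_snapshot_gap(snapshots):
    """Largest interval between consecutive snapshots (cadence check)."""
    s = sorted(snapshots)
    return max((b - a for a, b in zip(s, s[1:])), default=timedelta(0))


def evaluate(snapshots, compromise, declared, restored,
             rto_target=RTO_TARGET, rpo_target=RPO_TARGET):
    """Compare the achieved RTO/RPO and backup cadence with the targets."""
    rto = achieved_rto(declared, restored)
    rpo = achieved_rpo(snapshots, compromise)
    gap = max_snapshot_gap(snapshots)
    return {"rto": rto, "rto_met": rto <= rto_target,
            "rpo": rpo, "rpo_met": rpo <= rpo_target,
            "max_gap": gap, "cadence_ok": gap <= rpo_target}
```

Run `evaluate(SNAPSHOTS, COMPROMISE, DECLARED, RESTORED)` to see whether the constructed timeline meets the targets; a backup cadence coarser than the RPO shows up as `cadence_ok` being false even before any incident.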
Among the keys to its success, Pfeiffer says, was clear and calm communication, a known and tested RTO/RPO time and an experienced go team with pre-defined roles. “We were able to work together effectively to handle the attack,” he says.