It was “a really bad day” by any standard, but the day that Queensland-based Langs Building Supplies got infected with ransomware – and fixed it within hours – validated a new approach to data backup that, its CIO believes, has helped the company transform backup into a strategic asset that is still delivering value.
The multinational home building supplier’s run-in with CryptoLocker ransomware could have been a lot worse but for a number of in-house early warning tools that detected that files were being changed at a rapid rate, ICT and support manager Matthew Day explained during the recent Rubrik Forward conference.
“Everybody gets punched in the face at some point, even if they have the best plans,” Day said, “but that’s just life. And we had a situation where the people that should know better maybe didn’t think quite as fast as they normally would, and would have more elevated [access] rights than they would normally do.”
The results of the early-morning ransomware infection were quick and decisive, with hundreds of thousands of networked files encrypted by the runaway malware and rendered inaccessible.
In most companies, this would have been the point where outside experts were called in, customers began calling because key systems were offline, and executives began debating whether to pay the ransom or try to recover without handing over company profits to cybercriminals.
It’s an increasingly common scenario, with reports such as Verizon’s newly released Data Breach Investigations Report (2021) flagging a 6 per cent increase in ransomware last year, during a time when ransomware gangs became more aggressive, more targeted, and more successful – ravaging companies including Canon, Fisher & Paykel, Anglicare, and Toll Group.
Yet despite the extent of the CryptoLocker infection, Langs was operational again within an hour and had recovered the hundreds of thousands of files “in a very, very short period of time,” Day said.
“We were able to identify all the mission-critical stuff first, and business was operating at 100 per cent efficiency by an hour after the attack,” he said. “By 10.30am the attack was fully over and we’d fully recovered.”
“This is what a bad day looks like for us – not so bad, except that I’m going to miss my morning cup of coffee. And yet when I look at competitors who also happened to get that same attack the same week, some of them were still struggling with it months down the track.”
Backup as strategic tool
Day credits the company’s quick recovery to its earlier investment in continuous backup tools from Rubrik, whose continuous data-protection (CDP) platform had been storing backups of the company’s data in an online data repository that the ransomware couldn’t get to.
Once the ransomware began modifying the company’s files and the IT team became aware of its activities, Day’s team kicked off a bulk data recovery that overwrote the useless files with the last working copies of the hundreds of thousands of files.
“I had a feeling it would work and we had tested what would happen,” Day said, “but seeing it live in action was another thing. If we hadn’t had it in place, we would not have been able to reopen for business that day.”
Yet CDP is about much more than just recovering quickly from ransomware, he noted: with increasing regulatory and privacy pressures pushing companies to minimise their holdings of sensitive data, there is value in being able to tightly restrict access to data backups and search for “stuff we don’t want to have... that people shouldn’t have access to.”
“To me, if you have a ransomware attack, if you know what data they’ve got access to, versus what data they don’t have access to,” he said, “that can be the difference between a reportable action versus a non-reportable action.”
Outside the scope of its ransomware attack, Langs’ CDP investment has also paid off by providing a much faster way to test the recovery of its data – reassuring the business that data can be recovered no matter what happens.
Using conventional backup systems, Day said, verifying data recovery was “such a chore” that it was only done once a quarter – but “now we can do backup tests in five minutes every day.
“We turned our backups into something that we could use on a developmental basis, on a regular basis,” he said.
“And it’s not just about ransomware. It’s about governance and compliance, and making sure that we are doing the right thing within our organisation – and are able to prove it.”