The call came in Tuesday afternoon. One of our “occasional” clients — a small company we have worked with sporadically over several years on various projects — called to say they were victims of a ransomware attack.

Hackers had encrypted not only their files but also critical business applications and data, including QuickBooks and some industry-specific software. The “bad actors” were now demanding payment.

Without getting too deep into the weeds, understanding what happened is instructive, so this doesn’t happen to you…

The client ran their primary financial and business applications on a physical server in their office. Additionally, the client also synced their Dropbox files to a folder on the server. The hackers infiltrated the server (primarily due to poor security precautions) and encrypted everything on it. Dropbox, faithfully syncing data, mirrored these encrypted changes, effectively locking all cloud files as well.

Ironically, because of separate problems the client was having with their server, they had already agreed to migrate their business applications to a cloud server hosted in Microsoft Azure.

The biggest problem was that the client was not maintaining a daily backup of their business applications, nor were they doing a third-party backup of their Dropbox environment (something that SMR provides as part of our regular fixed-price monthly service).

Part of the benefit of moving to Azure is that it allows us to create automatic backups at the click of a checkbox. Further, the Azure backup makes it possible to restore a corrupted server in as little as ten minutes. Unfortunately, that transition hadn’t been completed before the attack occurred.

Dropbox was eventually able to provide an archive of older, pre-hack files. Further, we were able to find a vendor for the client that was able to decrypt their business application data for the moderate sum of $40,000. As of this writing, the client is finally up and running but it has been a costly hassle and a very stressful two weeks getting to this point.

Some lessons learned…

#1. Make Sure Your “Back-Up” Really Is a Back-Up

Dropbox (and other services like it) feels like a backup. When changes occur locally, they are instantly mirrored to the cloud, making it ideal if your device or server gets lost, stolen, or damaged. You purchase new hardware, download your files, and are back in business.

But if you are hit with a virus, malware, or ransomware attack, that instant syncing becomes the problem. Dropbox syncs everything — propagating the virus, malware, or encrypted files. You don’t have a backup… you now have multiple identical copies of compromised data.

A true backup doesn’t work that way. Rather, it automatically creates periodic snapshots of your entire system, safely storing multiple historical versions of local files, applications, and data, and any service you use to store information in the cloud (Dropbox, Google Workspace, Microsoft 365, etc.). In the event of an attack, users can revert to earlier, unaffected versions, significantly limiting potential damage.
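To make the sync-versus-backup distinction concrete, here is a small added Python simulation (constructed for this post, not code from SMR, Dropbox, or the client): a mirror that always matches the server, a snapshot list that keeps history, a stand-in for the attack that overwrites every file, and a restore that walks back to the last clean snapshot. File names and contents are made up.

```python
"""Sync vs. versioned backup, simulated in memory (constructed example)."""
from copy import deepcopy
from typing import Optional

# A "file system" is just a dict of path -> contents (constructed sample data).
SAMPLE_SERVER = {
    "QuickBooks/company.qbw": "ledger v1",
    "Dropbox/contracts/acme.pdf": "signed contract",
}

# Marker used by the simulated attack; real ransomware leaves no such label.
ENCRYPTED_MARK = "<unreadable, encrypted by attacker>"


def mirror_sync(source: dict, mirror: dict) -> None:
    """Dropbox-style sync: the cloud copy is made identical to the local
    folder, so whatever happens locally (including encryption) propagates."""
    mirror.clear()
    mirror.update(deepcopy(source))


def take_snapshot(source: dict, history: list) -> int:
    """Backup-style snapshot: append an immutable copy and keep every earlier
    one. Returns the index of the new snapshot."""
    history.append(deepcopy(source))
    return len(history) - 1


def simulate_ransomware(fs: dict) -> None:
    """Stand-in for the attack: every file is overwritten with unreadable
    content (placeholder text, not real encryption)."""
    for path in fs:
        fs[path] = ENCRYPTED_MARK


def latest_clean_snapshot(history: list) -> Optional[dict]:
    """Walk backwards to the most recent snapshot with no encrypted files."""
    for snap in reversed(history):
        if not any(v == ENCRYPTED_MARK for v in snap.values()):
            return snap
    return None


def run_scenario() -> tuple:
    """Replay the incident: sync and snapshot, then attack, then sync again.
    Returns (what the mirror holds, what the backup can still restore)."""
    server = deepcopy(SAMPLE_SERVER)
    dropbox, history = {}, []
    mirror_sync(server, dropbox)        # normal day: cloud mirrors the server
    take_snapshot(server, history)      # nightly backup keeps its own copy
    simulate_ransomware(server)         # attacker encrypts the server
    mirror_sync(server, dropbox)        # sync faithfully propagates the damage
    take_snapshot(server, history)      # the next backup is also encrypted...
    return dropbox, latest_clean_snapshot(history)  # ...but older ones survive
```

After the attack the mirror holds only encrypted copies, while the snapshot history still returns the pre-attack files; the same logic is why a backup that keeps several historical versions, not just the latest, is what lets you roll back.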

#2. Don’t Buy What You Don’t Need

Following the attack, our client’s insurance company recommended a law firm which in turn recommended a data recovery service (distinct from the data recovery service we recommended). They were strongly pushing a multi-five-figure project to recover encrypted data, conduct forensic analyses, examine hardware configurations, and propose preventive measures.

Our suggestion was much simpler: For a company of their size (fewer than 10 people), it would be faster, easier, and significantly cheaper to purchase new hardware and rebuild from scratch. Investing time and money to uncover precisely how the breach occurred would provide little practical value. What truly mattered was implementing a solution to prevent future attacks.

The point is, not everyone has your best interests in mind. Especially following an attack, when you are stressed and unsure what to do, it is easy to be talked into fixes that make little practical sense.

Which leads me to lesson #3…

#3. Get Professional Help

At the risk of appearing self-serving, too much “do it yourself,” especially in areas that are critical to your business (if not existential), is a mistake. Without the required expertise and big picture perspective, you don’t know what you don’t know. Vulnerabilities in your systems or processes can linger in the background — for years — until the day comes when they cause real damage.

Our client’s on-premises server and homegrown backup “solution” were inadequate from Day One. Despite our earlier warnings about potential risks, they believed their approach was sufficient. Clearly, it wasn’t.

Prevention is Better Than Recovery

Cybersecurity threats aren’t going away. In fact, they’re getting more frequent, sophisticated, and aggressive every year.

Investing proactively in professional IT management, regular assessments of your infrastructure, and proper backup configuration and support, goes a long way to limiting your risk and maximizing the time you spend building your business.