
27th June 2017

The Story of a Ransomware Attack


There’s been an exponential increase in the number of ransomware attacks, from nearly 4 million attempts in 2015 to 638 million in 2016. A recent survey showed that 54% of UK companies now admit to falling victim, with law firms a key target.

Ransomware is a type of malicious software that blocks or encrypts files, with the hacker demanding a ransom payment to decrypt them. The effects of a ransomware attack are almost instant: when hit with this type of virus, systems often go from fully functional to completely useless within minutes.

One of our clients recently fell victim to an attack. Here’s how it unfolded…


How It Was Discovered

At 7am our team were alerted to abnormal activity picked up by our monitoring, which indicated that the client’s systems had been compromised. This was immediately escalated and within 20 minutes the cause had been identified as a ransomware attack.

To identify the scope of the infection all servers were accessed and files scanned. By 8.30am this was complete and it was established that 46% of the client’s estate was affected.


What Caused It

As with most infections, the source can’t be determined with certainty; this is largely because the malicious application is designed to gain entry and infect silently. Although the original source cannot be located, ransomware mainly gains entry via an email attachment, a website download, or a vulnerability in a security protocol. Given the type of infection, the ingress method in this case is likely email- or download-based.

Despite having even the most sophisticated security measures in place, all firms are vulnerable – particularly in the absence of training for employees on how to identify and avoid threats.


How We Recovered

Once the infected servers had been identified, the hosts were disconnected from the live environment to prevent further infection. We then proceeded to initiate a snapshot recovery of each affected server from the previous day, rolling back to before the infection entered the system.

Due to proactive monitoring, the infection was detected before a ransom request was made and, critically, before the client’s employees arrived at the office for work. Total service restoration was completed by 10am, allowing them to continue with their day.


The Outcome

As the client had a business continuity plan and fully tested disaster recovery in place with CTS, we were on hand and could respond quickly to minimise downtime. The client uses storage-based snapshots, which facilitate faster backups and much quicker restore times. This allowed all impacted hosts to be fully migrated back into production, with access to all services restored, within 3 hours 30 minutes of the ransomware diagnosis. In total 2TB of data was fully restored.


What The Client Said

“We manage thousands of clients on a daily basis and IT underpins everything we do, so it’s vital our systems are available. We’ve been working with CTS for a number of years to ensure our IT infrastructure is robust and secure enough to protect against the growing threat of cyber attacks.”

“During this unexpected test we were impressed with the swift response shown by CTS in identifying and resolving the issue, with minimal input required from ourselves. The result was that we were back to business as normal within an hour of the office opening, and in far less time than stipulated in our service level agreement.”


The client has chosen to remain anonymous so as to avoid becoming a target for future ransomware attacks.


The Alternative

Had the firm not been prepared, the downtime could have been much more significant. Research has shown that 88% of law firms hit by a ransomware attack saw their systems go down for a week or more, with thousands of pounds lost for every day the systems are unavailable. 33% of targeted firms lost access to their data for more than a month, while 14% said it was unrecoverable.

Often the only option is to pay the ransom to avoid the financial and reputational damage to the firm. However, there is no knowing when the data will be released – if at all. Plus, paying the ransom will mean the business is more of a target. The hackers will most likely come back and attack again in a few months because they know the ransom will be paid.

