Vulnerabilities are exploited

Cryptolocker attacks are designed to find even the smallest of vulnerabilities in your IT systems and, once in, wreak havoc with your productivity. One of Plan B’s customers discovered this when a cryptolocker attack compromised an admin account that had been left without adequate security. The customer, a legal firm, contacted Plan B at 17:35 last Monday evening to report that their systems had been hit by a cryptolocker infection and to explore how we could help them return to full productivity. Four of the servers we protect with our fully managed disaster recovery service were infected: a domain controller, a SQL server, a file server and a terminal server.

The Plan B team had no hesitation about our ability to recover this customer quickly, thanks to the ‘last known good’ copy of each server that we hold, each of which had been successfully tested and certified within the previous 24 hours. After discussing the recovery options with the customer so they understood which would be easiest in both the short and the long run, it was decided that an export server would be the most efficient route to getting staff working on Tuesday without business interruption, while giving them time to address the cryptolocker infection. The export of the customer’s recovery image, approximately 1.5TB of data, started at 19:03 on the Monday and finished 2 hours and 51 minutes later at 21:54.

Two of our senior engineers then arrived at our datacentre at 22:15 to complete the configuration of the export server and have it ready for shipping. The export server was handed over to the courier at 23:45 to be taken to the customer site.

The export server arrived onsite at 08:00 the next morning and was handed directly to the customer’s nominated IT contact, who is authorised under the agreed security protocol to activate the invocation procedure. Because Plan B engineers had pre-configured the server beforehand, the customer only had to plug in the device and start the virtual machines.

The customer shut down the infected servers and had their users working from the supplied recovery VMs. This gave them the time to bring the infected machines up in a sandbox environment and clean the cryptolocker infection off them. The customer ran all workloads from the export server for the remainder of the week and into the weekend, when they had the chance to migrate the machines from the export server back to their live platform. Three of the four infected machines were migrated back to the live platform that weekend; the larger file server was migrated over a second weekend because of its size.

The customer used the export server for two weeks in total, at no extra cost because they subscribe to our fully managed service, which gave them a stress-free period in which to deal with the infection and migrate back to their production systems without loss of productivity.

Having investigated the incident with the customer after the event, we established that the cryptolocker attack originated on the terminal server. The encrypted files had been modified by a domain administrator account, which has full authority over every machine in the Active Directory domain. The infection subsequently spread to domain controllers across the estate, including those in branch offices. The customer’s SYSVOL share was also hit, which was a serious risk: every domain-joined machine reads from that share (it carries Group Policy and logon scripts), so anything encrypted or planted there would reach every machine in the domain.
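One check a practitioner would want after a finding like this is a sweep of SYSVOL for files the ransomware encrypted, renamed or dropped, before the share is trusted again. The Python below is an added example written for this page, not Plan B’s tooling and not anything recovered from the incident; the extension allow-list, the entropy threshold and the ransom-note name markers are assumptions chosen for illustration, and the sample SYSVOL layout it scans is constructed in a temporary directory.

```python
"""Heuristic scan of a SYSVOL tree for ransomware indicators.

Added example, not Plan B's tooling. It walks the share, flags files whose
extension is not one normally found in SYSVOL (ransomware commonly renames
what it encrypts), flags script/policy files whose contents look encrypted
(high Shannon entropy), and flags ransom-note-like file names. The lists
and threshold below are assumptions for illustration, not indicators taken
from the incident described in the post.
"""
import math
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Extensions normally present in SYSVOL (assumed allow-list; extend per estate).
EXPECTED_EXT = {".bat", ".cmd", ".ps1", ".vbs", ".ini", ".inf", ".pol",
                ".xml", ".adm", ".admx", ".adml", ".txt", ".msi", ".cmtx"}
# Of those, the ones whose contents should be plain text or the mostly-UTF-16
# registry.pol format, both of which score far below encrypted data.
TEXT_LIKE = EXPECTED_EXT - {".msi"}
# Assumed ransom-note name fragments; real campaigns vary.
NOTE_MARKERS = ("decrypt", "readme", "how_to", "recover", "restore")
NOTE_EXT = {".txt", ".html", ".hta"}
# Bits per byte: encrypted or compressed data sits near 8.0, scripts near 4-5.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(path: Path, data: bytes) -> Optional[str]:
    """Return a finding label for one file, or None if nothing looks wrong."""
    name, ext = path.name.lower(), path.suffix.lower()
    if ext in NOTE_EXT and any(m in name for m in NOTE_MARKERS):
        return "possible ransom note"
    if ext not in EXPECTED_EXT:
        return "extension not expected in SYSVOL"
    if ext in TEXT_LIKE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "text-type file with encrypted-looking contents"
    return None


def scan_sysvol(root) -> List[Tuple[str, str]]:
    """Walk `root` (the SYSVOL share) and return sorted (relative path, finding) pairs."""
    root = Path(root)
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = Path(dirpath) / f
            try:
                data = p.read_bytes()
            except OSError:  # unreadable file: skip it rather than abort the sweep
                continue
            verdict = classify(p, data)
            if verdict:
                findings.append((p.relative_to(root).as_posix(), verdict))
    return sorted(findings)


def build_sample_sysvol(root) -> None:
    """Create a constructed SYSVOL layout: two clean files and three planted indicators."""
    # The GUID is the well-known Default Domain Policy GPO; the contents are made up.
    gpo = Path(root) / "Policies" / "{31B2F340-016D-11D2-945F-00C04FB984F9}" / "Machine"
    startup = gpo / "Scripts" / "Startup"
    startup.mkdir(parents=True)
    scripts = Path(root) / "scripts"
    scripts.mkdir()
    # Clean: a registry.pol (PReg header + UTF-16LE body) and a logon script.
    (gpo / "registry.pol").write_bytes(
        b"PReg\x01\x00\x00\x00" + "[Software\\Policies\\Example;Flag;1;4;1]".encode("utf-16-le"))
    (startup / "logon.bat").write_text("@echo off\r\nnet use H: \\\\fs01\\home\r\n")
    # Planted: a .bat whose body is uniformly distributed bytes (entropy exactly 8.0).
    (startup / "backup.bat").write_bytes(bytes(range(256)) * 16)
    # Planted: a script renamed with an extension that does not belong in SYSVOL.
    (scripts / "map_drives.vbs.locked").write_bytes(bytes(range(256)) * 4)
    # Planted: a ransom-note-style file name.
    (scripts / "HOW_TO_DECRYPT_FILES.txt").write_text("Your files have been encrypted.\n")


def demo() -> List[Tuple[str, str]]:
    """Build the constructed sample in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_sysvol(tmp)
        return scan_sysvol(tmp)


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{why}: {rel}")
```

In practice you would point scan_sysvol at the local SYSVOL copy on a domain controller (or the domain share), review the findings, and allow-list any legitimate high-entropy content such as packaged installers before acting on them. Remember that SYSVOL replicates between domain controllers, so a cleaned copy has to be restored in a way that replication propagates the clean version rather than letting an infected replica overwrite it.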

The customer was very thankful that we could help with this issue and delighted with the speed with which we gave them their systems back. If you’re concerned about cyber threats, or have encountered an attack and would like some advice, you can speak in confidence to Plan B on 08448 707999.