Surviving a Ransomware Attack with Tape Air Gap

Tony Mendoza is Senior Director of Enterprise Business Solutions, responsible for the entire IT infrastructure at Spectra Logic. In his presentation, Tony reveals the details of a ransomware attack suffered by Spectra Logic and how his organization prevailed without paying the ransom demand, thanks in no small part to off-site air-gapped tape for safe and unaffected recovery.



Hello everyone, I am Tony Mendoza, the Senior Director of IT at Spectra Logic. I know this is the last presentation of the day, so I'll try to go fast, but it's a pretty fun story to listen to. We made a decision to share a story: we were victims of a ransomware attack in 2020, and we decided to go public with it so we can share our experience, hopefully help somebody, hopefully protect somebody's business, and use this as a resource. So I'm here to tell you a story about what happened to us, and I want to walk you through what it was like to experience a ransomware attack.

You've got to remember, this is May of 2020, right when the pandemic had hit and right when we as a company were trying to decide how to keep our workforce working and effective without having them come into the office. So we moved remote very quickly, and as we know now, two years later, ransomware attacks went up over COVID. We were one of the first ones attacked, and we got to be a statistic.

So we find this note, and it's almost comical. It's just a text message that we found where our files should be, along with an encrypted file of our files. This is just a quick clip of it. Like I said, I read it and kind of scoffed at it and said, yeah, this can't be real, I don't know what this is. But then we started finding them everywhere: we're finding them on all of our file servers, we're finding them on our database servers, and it's spreading. So the next thing we do is, in panic, run to my data center, and we start shutting systems down, unplugging network cables, getting them quarantined, because it's spreading faster than we could talk about it, faster than we could investigate systems. So we go pull plugs. Remember, this is a Thursday morning, the beginning of a work day, and we're a very transactional company; we do lots of transactions an hour, so any downtime is very detrimental to us. This brought our entire business to its knees.

That first day, all we did was assess what the damage was, and all we could do, and this is horrible, is bring a system up in quarantine, watch the virus start taking over again, and go, okay, this system is nothing anymore, it's garbage. So we brought up systems one at a time, quarantined them, put tools in place, and did some monitoring on them. One of the only systems that came back up was our email server, and that was a saving grace. But this is not the first day. The first day we go through all our systems and find out they're dead, and one of my peers in the industry said, hey, call the FBI, which I never thought of. I didn't even know how to call the FBI; I had to look up how to call the FBI. So I'm on the phone with the FBI, and it's like an awkward 9-1-1 call. I say, hey, I've had a cyber security incident, and instantly they put me through to a cyber security agent. We get assigned a field agent, and beyond the panic of that first day, that was kind of cool.

Here's what else we figured out. With all the encryption and all the different ransoms that they wanted, they asked for 3.6 million dollars in Bitcoin in five days. Naturally, that's not something that anyone keeps lying around. What we did confirm in all this was that the way it spread the quickest through our network was through our backup service account. What they did, and this is brilliant, is they wipe out your backup server. They say, okay, I'm going to wipe out your backup server so you cannot restore stuff, so you can pay us some money. We found out, with my team that was looking at our assets, that all of our stuff on tape was there, and it was air gapped, and we had copies of it off-site. We practice what we preach at Spectra Logic, and we do use our products to store and back up our data.

So with the way we were using them, we got to the point where we said, okay, here's our silver bullet: we still have all of our data from a few days ago from a backup. Now we can start making some decisions about what we want to do. We looked at our data and figured out that we have about a 30-day recovery to rebuild our systems and bring it back from tape. It's going to be a four to six week process going from tape, but we had it, and that gave us the confidence. At the same time, looking at our data, we use our products to also snapshot data on disk, and so now we have another set of immutable data on disk. Obviously tape was our silver bullet, but this can be faster. So now we're thinking, all right, we're at a place here where we don't have to pay them. We have our data. Yeah, it's painful, yeah, it's going to take a few days, but we don't have to pay, and obviously nobody wants to pay three and a half million dollars to any criminals.

So we prevailed. Nathan and I did it; it was just Nathan and I. We actually do take all the credit for it. We go and speak about it and we talk to a lot of people about it, and my team knows that I take all the credit for it, while I was just the ringleader. Other than a few miscellaneous files that were obviously not important, because they weren't on our backups or we didn't want to bring them back, we restored everything. We paid nothing in ransom.

So here's what we figured out. It's not a matter of if, it is a matter of when. Even us, we've recovered from it, we've seen it, we've been through it, we know resources, we've implemented resources, and we still think it's going to happen to us again. It's just the nature of it. Obviously it's two years later now; I can see the statistics online, I can see how much it's grown, I can see how much money there is in it. It's not going away anytime soon, and in my opinion it's getting worse because of IoT: obviously there are more endpoints out there for attack vectors. And then my favorite is: explore air gap and immutable data storage protection. That saved our butts. Having that tape as our silver bullet gave us the confidence to say, okay, now we can look at other solutions to help us recover a little bit quicker, but it gave us the confidence to really tell the threat actors, no, we're locking down now and we're not paying anything. And that was a scary day, by the way. So that's our story. I tried to get through it as fast as I can.
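The talk's observation that the attack spread fastest through the backup service account points to a simple detection any defender can run: a backup service account should only authenticate from the backup infrastructure and never interactively. The script below is an added example, not code from the talk or from Spectra Logic; the account name, host names and sample logon events are all constructed.

```python
import re

# Constructed sample events (Windows 4624-style fields, not real logs):
# timestamp, account, target host, source host, logon type.
SAMPLE_EVENTS = """\
2020-05-07T06:01:12 svc_backup BACKUP01 BACKUP01 5
2020-05-07T06:02:40 svc_backup FILESRV01 BACKUP01 3
2020-05-07T06:02:41 svc_backup FILESRV02 BACKUP01 3
2020-05-07T06:02:43 svc_backup DBSRV01 BACKUP01 3
2020-05-07T06:03:05 svc_backup DBSRV01 WKS-22 10
2020-05-07T06:03:20 svc_backup FILESRV03 WKS-22 3
2020-05-07T06:04:00 jdoe WKS-22 WKS-22 2
"""

SERVICE_ACCOUNTS = {"svc_backup"}   # assumed name of the backup service account
BACKUP_HOSTS = {"BACKUP01"}         # assumed hosts allowed to originate its logons
INTERACTIVE_TYPES = {2, 10}         # Windows logon types: Interactive, RemoteInteractive (RDP)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse_events(text):
    """Parse the whitespace-separated event lines into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, account, target, source, ltype = m.groups()
            events.append({"ts": ts, "account": account, "target": target,
                           "source": source, "type": int(ltype)})
    return events

def find_anomalies(events):
    """Return (reason, event) pairs for service-account logons that should never happen:
    an interactive/RDP logon, or a logon originating outside the backup hosts."""
    findings = []
    for ev in events:
        if ev["account"] not in SERVICE_ACCOUNTS:
            continue
        if ev["type"] in INTERACTIVE_TYPES:
            findings.append(("interactive logon by service account", ev))
        elif ev["source"] not in BACKUP_HOSTS:
            findings.append(("logon from host outside backup infrastructure", ev))
    return findings

if __name__ == "__main__":
    for reason, ev in find_anomalies(parse_events(SAMPLE_EVENTS)):
        print(f'{ev["ts"]} {ev["account"]} -> {ev["target"]} from {ev["source"]} '
              f'type {ev["type"]}: {reason}')
```

On the constructed sample the script flags the RDP logon to DBSRV01 and the network logon launched from the workstation WKS-22, while the normal backup-server-originated logons pass.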

