“Now I don’t know, I don’t know, I don’t know where I’m a gonna go, When the volcano blow” – Jimmy Buffett sang in “Volcano”. Ironically, the LMI ransomware story starts on a quiet Sunday afternoon, listening to Jimmy Buffett. Speaking with TJ Blackmon (LMI Tech Systems – CIO): “That Sunday, January 10th was the day before my birthday. I had just finished dinner and put on some Jimmy Buffett. I was just going to ease into my 41st birthday. About 10 minutes into my listening session, we began receiving network alerts.”
Our monitoring and security systems began throwing RED alerts. Within minutes the LMI Tech Systems Managed Services team, led by our Senior Project Engineer, George Copeland confirmed our worst fears. We were amid a massive Ransomware attack. Remotely, we shut down all servers and internet access. We all converged to the office within 20 minutes of the alerts. We found that all of our servers (11 Total) were encrypted with the LOCKBIT ransomware. Furthermore, about 32 workstations had some type of encryption. At this point we accessed the Ransomware site via the Dark web and what we found was shocking. Our ransom was $4.1 million dollars! Yeah… NO THANKS!
At this point we moved directly into the “How” phase. That is, HOW did this happen and HOW do we recover? How this happened was, and still is, the most difficult phase. The LMI network is protected by the most up-to-date security software and hardware. Despite this we were still compromised. We were able to determine that a single user was “phished” via email the Friday before the Ransomware was deployed. Phishing is the fraudulent practice of sending emails purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords. This user’s computer had at one time been accessed by an administrator account. Those administrator credentials are stored in hash files. Those hash files were taken from the user’s computer and the administrator’s password was cracked. The hackers then used this password to access the core network through an internet-exposed business application. This business application utilized a piece of software that had, at the time, an unknown vulnerability.
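The chain described above hinges on one condition a defender can watch for: an administrator account logging on to an ordinary user's workstation, which leaves that account's credential material on a machine that phishing mail reaches. The following is an added example, not LMI's monitoring code and not part of the original post. It assumes a JSON-lines export of Windows Security event 4624 with the field names shown, a hypothetical naming convention (workstations named WS-nnn, servers SRV-xxx) and a constructed list of privileged accounts; the sample events are constructed, not real logs.

```python
import json
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set

# Logon types that leave reusable credential material (password hashes,
# Kerberos tickets) on the host where the logon happens, following Microsoft's
# pass-the-hash mitigation guidance: interactive (2), batch (4), service (5),
# remote interactive / RDP (10) and cached interactive (11).  A plain network
# logon (3) does not leave the caller's credentials behind on the target.
CREDENTIAL_CACHING_LOGON_TYPES = {2, 4, 5, 10, 11}


# Assumption for this example: a hypothetical naming convention where
# workstations are named WS-nnn and servers SRV-xxx.
def is_workstation(hostname: str) -> bool:
    return hostname.upper().startswith("WS-")


# Constructed sample events (not LMI's logs).  Each line mirrors the fields of
# a Windows Security event 4624 (successful logon) exported as JSON; the
# "Computer" field is the host that recorded the logon.  The last line is
# deliberately truncated to show that a damaged export does not abort the sweep.
SAMPLE_EVENTS = """\
{"EventID": 4624, "TargetUserName": "jsmith", "Computer": "WS-042", "LogonType": 2, "TimeCreated": "2021-01-08T09:12:00"}
{"EventID": 4624, "TargetUserName": "adm-alice", "Computer": "WS-042", "LogonType": 10, "TimeCreated": "2021-01-08T14:05:00"}
{"EventID": 4624, "TargetUserName": "adm-alice", "Computer": "SRV-DC01", "LogonType": 10, "TimeCreated": "2021-01-08T14:20:00"}
{"EventID": 4624, "TargetUserName": "adm-alice", "Computer": "WS-017", "LogonType": 3, "TimeCreated": "2021-01-08T15:01:00"}
{"EventID": 4625, "TargetUserName": "administrator", "Computer": "WS-017", "LogonType": 2, "TimeCreated": "2021-01-08T15:02:00"}
{"EventID": 4624, "TargetUserName": "adm-alice", "Computer": "WS-0
"""

# Constructed list of privileged account names (compared lower-case).
PRIVILEGED_ACCOUNTS = {"adm-alice", "administrator"}


@dataclass(frozen=True)
class Finding:
    when: str
    account: str
    host: str
    logon_type: int


def parse_events(lines: Iterable[str]) -> List[dict]:
    """Parse one JSON event per line; blank or malformed lines are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_privileged_workstation_logons(
    lines: Iterable[str],
    privileged_accounts: Set[str],
    host_is_workstation: Callable[[str], bool] = is_workstation,
) -> List[Finding]:
    """Return every successful credential-caching logon by a privileged account
    on a workstation: the events after which an admin's hash sits on a machine
    that ordinary users, and the mail they open, can reach."""
    findings = []
    for ev in parse_events(lines):
        if ev.get("EventID") != 4624:          # only successful logons
            continue
        account = str(ev.get("TargetUserName", "")).lower()
        host = str(ev.get("Computer", ""))
        try:
            logon_type = int(ev.get("LogonType", -1))
        except (TypeError, ValueError):
            continue
        if (account in privileged_accounts
                and host_is_workstation(host)
                and logon_type in CREDENTIAL_CACHING_LOGON_TYPES):
            findings.append(Finding(str(ev.get("TimeCreated", "?")), account, host, logon_type))
    return findings


if __name__ == "__main__":
    for f in find_privileged_workstation_logons(SAMPLE_EVENTS.splitlines(), PRIVILEGED_ACCOUNTS):
        print(f"{f.when} privileged account {f.account} logged on to workstation "
              f"{f.host} (logon type {f.logon_type})")
```

Run against the constructed sample, only the RDP logon by adm-alice to WS-042 is reported: the logon to SRV-DC01 is on a server, the type-3 logon to WS-017 is a network logon that caches nothing, and the 4625 is a failure. Each finding is a place where the admin's password should be rotated and where a tiered-administration rule (admins never log on interactively to workstations) was broken.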
So, we must recover! We utilized our Disaster Recovery Plan, which is detailed step-by-step documentation of our incident recovery protocols. These are two documents every business should have for disasters of this nature: Backup Protection Documentation and Business Continuity Documentation. We followed our planning and practice. Our owners and board members were notified; those individuals then followed planned steps of notification to the workforce.
My team began the process of data recovery. We have a backup plan that encompasses five levels of recovery. Due to the nature of the attack, we had to reach our third level. We were able to locate the encrypted LOCKBIT seed file hidden in our system and removed it. At that time our team started reloading our entire server environment and began the restore of the core business applications. By 8am Monday morning (about 12 hours later) the core network was restored. Business could resume at almost full capacity. Within 36 hours of the attack, the entire company was operating business as usual. In total our team recovered 4 terabytes of data along with all the affected workstations. With no loss of data!!!
Businesses today must be prepared to recover. Companies of all sizes are falling victim to ransomware. Some of these companies spend millions of dollars on security (Colonial Pipeline). YES, you must have security, both hardware and software measures, in place. Additionally, you must have a multilayered backup and recovery plan. You must have network monitoring to alert on issues as soon as they occur. Most importantly, you must have these plans documented and tested. The speed of recovery, not just the data, can and will affect your bottom line. With the LMI Red Dot Recovery solution we work with companies of all sizes to develop customized, comprehensive recovery plans and documentation. LMI Red Dot Recovery is not only high-end backup software; it also encompasses backup of a system’s software and firmware. This approach to data backup and restore allows a system (server or workstation) to be wiped clean and restored to a point before infection. Backups performed with our method allow for quick recovery time in the event of a disaster. Every customer is unique; choosing a partner who understands this is critical for these times when the “Ransomware Volcano” blows. Contact us today and use PROMO CODE: Ultimate Recovery for a FREE network assessment that will help you understand your current setup and how it could be improved for more protection under the LMI Red Dot Recovery solution.
Derrick Miranda – National Accounts Manager