What Can Be Learned from REvil’s Ransomware Attacks
On November 7, 2020, the managing director of a medium-sized company in Bremen noticed irregularities in the internal network. The company is active in the purchase and sale of merchandising articles and operates in Germany and France. A large part of the server data was suddenly inaccessible due to strong encryption.
Overnight, the hacker group REvil, known in IT circles, launched a ransomware attack. This paralyzed numerous business processes for several weeks. Approximately 90 percent of the data was encrypted. The attackers demanded a high sum of about 300,000 euros for the release of the master key.
This scenario is frightening, yet it affects many small and medium-sized enterprises worldwide. In recent years, cybercrime has increased significantly. While there were still around 82,000 cases in Germany in 2016, the Federal Criminal Police Office registered over 108,000 attacks in 2020.
Even though the attack seemingly occurred out of nowhere, it was not a spontaneous action. The attack could later be traced back to the period between one and two o’clock in the morning. However, the managing director suspected that the perpetrators had already infiltrated the system weeks earlier.
The attack also affected an employee who had been working from home for about a month. At the same time, he discovered on his company laptop that all data was encrypted. Access to important files was no longer possible. Thus, the attack spread wider than initially assumed and affected almost all employees.
Only by entering a six-digit hexadecimal code could the data be restored. No important information was lost in the process. Nevertheless, employees had to work under severe restrictions for several weeks, although essential processes could be partially continued by hand. To minimize the economic damage, quick action was required, which proved to be a major challenge under high time and decision pressure.
What should a company do if the worst-case scenario occurs? Many companies with little IT experience ask themselves this question. Unlike in the movies, such extortions are usually unspectacular in reality. In this case, too, the actual extortion only began when someone tried to open an encrypted file.
A five-day countdown started, displaying the demanded ransom amount. This totaled 300,000 US dollars. Such a sum is hardly manageable for a medium-sized company. Upon receiving the demand, the responsible parties entered into chat communication with the perpetrators and began negotiations.
It became clear that several actors were involved. On one side was a tough and unyielding negotiating partner; on the other, a communicative person willing to compromise. After several days, an agreement on a significantly lower sum was finally reached. Since there was no alternative way to restore the company data collected over 20 years, the management paid the ransom in the hard-to-trace cryptocurrency Monero.
Subsequently, the management reviewed all structures and processes according to the zero-trust principle. The goal was to identify existing security gaps as precisely as possible. To assist, an IT security firm from Bremen with extensive experience in this area was commissioned.
The company could not follow the recommendation to replace all hardware for economic reasons. There was also no financial support from the insurance company. Therefore, the company decided to build a new IT infrastructure.
In this context, the company engaged the data center service provider firstcolo. firstcolo operates its own data centers and offers colocation and managed services. Initial contact was made in mid-December 2020. Subsequently, the company relocated its datasets to the external data center and now manages them entirely from the cloud.
Especially for small and medium-sized enterprises, outsourcing servers and data offers numerous advantages. For security reasons, switching from local data storage to an external data center makes sense. Providers like firstcolo monitor the servers around the clock, ensuring continuous oversight.
In addition, internal administrative and maintenance tasks are eliminated. This makes processes more efficient and saves costs. The regular replacement of hardware, which is necessary every three to five years for intensively used servers, is completely eliminated for the company.
Last but not least, flexible working models are becoming increasingly important. Whether in the office or home office, cloud applications can be used regardless of location. Employees securely access data and can make system changes at any time.
To prevent future cyberattacks, the company implemented further measures. A particular focus was on raising awareness among employees as the main users of the system. Attackers often gain access to networks through individual users.
This is precisely where the responsible parties started. They developed a security training that can be completed via a dedicated platform. This includes training materials and a final test. After successful participation, employees receive a certificate.
Phishing emails remain a central issue that many users still underestimate. Through targeted training and secure data storage in the cloud, an IT infrastructure with a significantly reduced attack surface was created. This allows future attacks to be proactively avoided and business-critical IT operations to be secured long-term.