Case Study: The Path to Greater Security Leads to the Cloud

What can be learned from REvil's ransomware attacks

A Covert Operation?

On November 7, 2020, the managing director of a medium-sized Bremen company, active in the buying and selling of merchandise in Germany and France, noticed some irregularities in the company’s internal network. Most of the server data was subject to impenetrable encryption. Overnight, a group of hackers known in IT circles under the name REvil launched this ransomware attack, which paralyzed many of the company’s processes for several weeks. The hackers encrypted about 90 percent of the data and demanded a high monetary ransom of around 300,000 euros for the release of the master key, which enables the release of all files – a frightening scenario that affects many other small and medium-sized enterprises (SMEs) in Germany and worldwide. In recent years, there has been an increasingly worrying rise in cybercrime. While the number of cases in Germany in 2016 was still around 82,000, the Federal Criminal Police Office recorded over 108,000 attacks for the year 2020.

A Covert Operation?

Even though this attack seemingly came out of nowhere – as could be traced back afterwards – between one and two o’clock at night, it was not a spontaneous action by the cybercriminals. Rather, the managing director suspects that they were able to infiltrate the system several weeks earlier. After all, the attack also affected an employee who had been working from home for a month, from the company with offices in Bremen, Hamburg, and France, who simultaneously noticed the encryption of his data on his work laptop and could not access any important files. Thus, the attack had wider implications than initially assumed and affected virtually every employee. Only by entering a six-digit hexadecimal code could this problem be solved without losing important data in the course of the attack. For several weeks, the employees had to continue working with major restrictions, which was managed as best as possible since essential processes could also be carried out manually and thus could largely continue. To keep the economic damage as low as possible, those responsible had to act as quickly as possible – easier said than done in the face of the acute pressure situation.

Good guy, bad guy

But what to do when the worst case scenario has occurred? Many IT outsiders and those inexperienced in this field have probably asked themselves this question several times after increased reports of emerging cybercrime. Unlike in many movies, where the extortionists demand the ransom in a threatening tone with distorted voices, such a deal in reality is far less spectacular. In this attack case by the REvil group, a countdown only started after attempting to access the desired file, which was limited to five days and contained a demand for payment, which for the affected company totaled 300,000 US dollars. Sums that represent an insurmountable burden for SMEs. After receiving the demand, those responsible could enter into chat communication with the criminals and negotiate the ransom. It became clear that in the tough negotiations lasting several days, they were dealing with multiple perpetrators on the other side. On one hand, an unyielding, tough negotiator, and on the other hand, a communicative, friendly person with whom a compromise could be reached. They finally reached an agreement in the negotiations for a much lower sum. Since no alternative solution presented itself to recover the valuable data collection of over 20 years of successful entrepreneurship, the management paid the amount with the untraceable cryptocurrency Monero.

Control beats trust

Nach dem Zero-Trust-Prinzip hinterfragte die Führungsetage anschließend jegliche Strukturen und Prozesse, um Sicherheitslücken des Netzwerks möglichst präzise ermitteln zu können. Zur Unterstützung engagierte der Geschäftsführer eine nahe gelegene Bremer IT- Sicherheitsfirma, welche die Situation mit ihrer langjährigen Erfahrung und angesammeltem Know-how in diesem Bereich einschätzen sollte. Dem Rat der Sicherheitsexperten zum totalen Austausch der gesamten Hardware konnte die Geschäftsführung keine Folge leisten, da es die wirtschaftlichen Rahmenbedingungen nicht zuließen. Vonseiten der zuständigen Versicherung kam ebenfalls kein positives Signal zur finanziellen Unterstützung, woraufhin sich das Unternehmen dazu entschied, eine neue IT-Infrastruktur aufzubauen. Auf einer vertrauensvollen Basis engagierte der Betrieb schließlich den Rechenzentrums-Dienstleister firstcolo, der hauseigene Datacenters betreibt und für unterschiedliche Kunden Colocation-, sowie Managed Services-Dienstleistungen zur Verfügung stellt. Mitte Dezember 2020 kam es zur ersten Kontaktaufnahme zwischen beiden Parteien. In der weiteren Zusammenarbeit verlagerte der Betrieb seine Datensätze auf das externe Datacenter von firstcolo und verwaltet sie heute aus der Cloud heraus.

Rise to the Cloud

Gerade für mittlere und kleine Unternehmen bietet die Auslagerung von Servern und Daten vielerlei Vorteile. Aus Gründen der Sicherheit ergibt ein Wechsel von der standortbezogenen internen Datenspeicherung zu externen Rechenzentren absolut Sinn, da Dienstleister wie firstcolo die oftmals angemieteten Server rund um die Uhr kontrollieren und somit für eine Rundumüberwachung der Systeme sorgen kann. Verwaltungsaufgaben und Wartungsarbeiten fallen damit nicht mehr in den eigenen Aufgabenbereich, was im Umkehrschluss effektivere Prozesse und finanzielle Einsparungen bewirkt. Denn Hardware, die bei intensiv genutzten Servern gut alle drei bis fünf Jahre ausgetauscht werden muss, stellt für das mietende Unternehmen keinen Kostenfaktor mehr dar. Gerade durch die Corona- Pandemie nehmen flexible Arbeitsmodelle eine immer größere Rolle ein. Egal ob in einem der an verschiedenen Standorten niedergelassenen Büros oder im Homeoffice, die Cloud- Anwendung lässt sich von jedem Standort aus flexibel nutzen. Zudem greifen Angestellte vor allem sicher auf Informationen zu oder nehmen Änderungen am System vor.

Ignorance is No Excuse

To avoid a future cyber attack as much as possible, the company took additional measures besides establishing the new IT structure, primarily to sensitize employees – the core users of the system. Usually, cybercriminals, as presumably in this case, gain access to an existing system through a single user. The responsible parties addressed this point immediately after the attack to minimize one of the biggest entry points in an otherwise secure network to minimize. For this purpose, they designed a security training for their employees, that can be completed independently via a specially developed security platform. It contains comprehensive training materials and a final test, after which each user receives a certificate upon successful completion. A major topic remains often underestimated phishing emails, which still lead many users to fall for criminals’ traps through pretexts, thus exposing the ongoing operation to great risk. Through the security training coupled with data storage in the cloud by firstcolo, an IT infrastructure emerges that offers cybercriminals almost no access opportunities in the future. Further attacks can thus be proactively prevented, resulting in risk-free operation of business-critical IT.

Jerome Evans

Jerome Evans has been working in the IT industry for over 15 years and founded the company firstcolo GmbH. He is responsible for the construction and operation of data centers and increasingly also for cloud-based server infrastructures.

Opt for sustainable colocation that saves!

Do you want to reduce IT costs and increase the economic efficiency of your company? We are happy to advise you.