Ransomware in Real Life: One SMB’s Ransomware Recovery Story

Lighthouse Productions is an events production business based in Wisconsin. Despite being a small business with no major digital assets, the company recently suffered a serious ransomware attack that posed a crippling threat to its operations.

The experience highlights how modern ransomware threats impact all businesses, not just those with troves of private customer data or large amounts of cash to lure attackers.

Fortunately, this story ends happily. Using data backups, Lighthouse Productions was able to recover most of its data without paying a ransom. It achieved this outcome despite not having any full-time IT staff.

Here’s how the story played out, as explained by one of the owners, Neil Roehrborn.

Please introduce yourself and the company you work for.

My name is Neil Roehrborn. I am one of the owners of Lighthouse Productions, a sound and lighting production company based in Green Bay, Wisconsin. We provide sound, lighting, stages and video systems for corporate events, fairs, festivals and more.

We are not a large company. We have around 20 employees. We don’t have even one full-time tech person. Instead, we manage our computer system by ourselves, for better or worse.

How did you realize your computers were infected with ransomware?

We realized we had a problem around 1:30 in the afternoon, when we started having some of our computer systems drop offline. We started looking at our data share folders and discovered that the files in the folders had been renamed with a “.Aes” extension.

We tried simply renaming them to remove the extension, but the files had been encrypted and would not open.

Do you know which ransomware caused the problem?

I don’t know specifically which virus it was, but there was a text file in every folder with an email address that we could contact to get our data back. Fortunately, we never had to reach out to the email address because we had data backups through CloudBerry.


At which stage did CloudBerry’s Ransomware Protection step in?

When we discovered the issue, we immediately terminated all backup processes to prevent a further spread of the infection. CloudBerry’s Ransomware Protection feature allowed us to keep our data backups safe and achieve an almost complete recovery, without paying a ransom.

How many files were affected by the ransomware attack?

All of them. There were over 250 gigabytes of affected data, including our QuickBooks file, all of our digital office data, project drawings—quite literally every file that was accessible to all of our users was encrypted by the ransomware.

How did you recover your data?

We eventually ended up shutting down the entire network, then bringing each terminal up one at a time, isolated from the network. As each terminal came up we scanned it with a variety of antivirus tools. We found suspicious files on at least four terminals, which were probably the source of the ransomware attack.

Once we were fairly certain that we had the ransomware virus under control, we deleted all of the encrypted files, then used CloudBerry Restore to restore our data to production systems.

All said, we only lost a small amount of data. Specifically, we lost a few changes that had been made the morning we discovered the infection.

One interesting thing we found was that we had our local backup mapped as a drive on our server and it didn’t require separate credentials to access the backup drive. The virus was able to find those files and encrypt them as well.

Now that you’ve faced and successfully recovered from a ransomware attack, what would you advise others to do to protect themselves?

Simple: Back up in multiple locations and do it every single day. If CloudBerry had not been doing a good job of backing up our data we might have gone out of business because of this ransomware attack.
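As an added example that is not part of the original post or of CloudBerry's software: a small Python triage script for the two symptoms Neil describes (files renamed with a ".Aes" extension and a contact text file in every folder), plus a probe for the mapped-backup weakness he found, where a backup reachable with the current user's credentials is encryptable by malware running as that user. All folder and file names are constructed for the demo.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators from the account above: ".Aes" renames and a .txt note in each folder.
ENCRYPTED_EXT = ".aes"   # compared case-insensitively
NOTE_EXT = ".txt"

def scan_share(root):
    """Per-folder count of .Aes renames, plus folders with a .txt note beside them."""
    root = Path(root)
    renamed = Counter()   # relative folder -> number of .Aes files
    noted = set()         # folders with a .txt next to renamed files
    for dirpath, _dirs, files in os.walk(root):
        folder = str(Path(dirpath).relative_to(root))
        renamed[folder] += sum(f.lower().endswith(ENCRYPTED_EXT) for f in files)
        if renamed[folder] and any(f.lower().endswith(NOTE_EXT) for f in files):
            noted.add(folder)
    return {
        "encrypted_files": sum(renamed.values()),
        "affected_folders": sorted(p for p, n in renamed.items() if n),
        "folders_with_note": sorted(noted),
    }

def backup_writable_as_current_user(backup_dir):
    """True if this user can write into the backup location with no extra
    credentials, i.e. malware running as this user could encrypt it too."""
    probe = Path(backup_dir) / ".write_probe"
    try:
        probe.write_bytes(b"")
        probe.unlink()
        return True
    except OSError:
        return False

def run_demo():
    """Build a constructed sample share (invented names), scan it, probe writability."""
    base = Path(tempfile.mkdtemp())
    layout = {
        "projects": ["stage_plot.dwg.Aes", "rigging.pdf.Aes", "HOW_TO_DECRYPT.txt"],
        "office": ["quickbooks.qbw.Aes", "HOW_TO_DECRYPT.txt"],
        "clean": ["readme.txt", "photo.jpg"],   # a plain .txt, nothing encrypted
    }
    for folder, names in layout.items():
        (base / folder).mkdir()
        for name in names:
            (base / folder / name).write_bytes(b"x")
    return scan_share(base), backup_writable_as_current_user(base / "office")
```

Point `scan_share` at a real share to get a per-folder picture of what was touched; a `True` from the writability probe against a backup target is the condition that let the backup drive get encrypted in this story.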

This is a Security Bloggers Network syndicated blog post authored by Doug Hazelman. Read the original post at: Security – TechSpective