How one Michigan manufacturer survived a painful cybersecurity attack
It started with team members having issues logging into the system.
“We noticed some servers weren’t responding correctly and we started investigating. It looked like a possible hardware problem,” said a manager at the Michigan-based manufacturing company.
Further investigation on that late-summer day revealed a very big problem: encrypted ransomware files.
“It definitely was not a great feeling,” the manager said. “Our initial reaction was, ‘Are they still in the system, and what systems are compromised, if any?’ We went into instant recovery mode. We knew we needed to protect the data while also needing to preserve as much evidence as possible so our forensic teams could identify how it happened, how they got in. You want to turn everything off, but you can’t.”
This Michigan company is far from alone in experiencing a cybersecurity incident – particularly during these turbulent times. Since the start of 2020, more than 20,000 pandemic-related cybersecurity threats have been reported to the Federal Bureau of Investigation’s Internet Crime Complaint Center.
Just as businesses everywhere have had to reassess and adjust during the pandemic, so have so-called threat actors who are rapidly adapting malware and phishing attacks, finding ways to wreak havoc on companies’ IT environments. Sophisticated hackers are becoming especially clever and are capitalizing not only on greater numbers of remote workers, but also the public’s fears and vulnerabilities during these uncertain times.
Next steps
Following the cybersecurity breach at the Michigan manufacturing company, leaders made two calls – one to their cybersecurity insurance company and another to Rehmann.
“We had someone here on site from Rehmann the next day,” the manager said. “At that point, systems that we had up and running were still running. We were still trying to determine the scope of the breach.”
The company, with Rehmann’s assistance, would discover that while they still had connectivity to the internet and their data center, serious issues remained.
“That next day, after we had made some security changes, someone was still in the system and was able to change things back. That’s when we just shut down everything, so we could better understand and start remediating the issue,” the manager said.
The power of backing up
All told, the time it took to get the company’s critical IT systems back up and running totaled almost three weeks. The good news: the company had backups.
“The good thing was we had backups so we could restore systems,” the manager said. “But to get everything back up – it was a good two to three weeks. It was almost two weeks before we had email back up. Part of this was security. It wasn’t that they weren’t restored and usable – we were using systems internally—but we were severely limiting internet access so we could get systems back up, get additional software involved, and have monitoring up and going.”
In the end, the company also was able to learn how the cybersecurity breach occurred, providing the team with valuable intel to prevent future breaches.
“We’re back up now to 99% and have been for a few weeks now,” the manager said in fall 2020, a couple of months or so after the incident. “It was definitely painful, but we were actually in better shape than a lot of other people because we had backups. [The hackers] weren’t able to get to our backups with the exception of a handful of servers that were on different backup servers. Fortunately, these weren’t critical systems.”
The company didn’t pay the ransom – “we didn’t engage at all with the attacker,” the manager said.
The company also didn’t lose any data: “None of our data was exfiltrated, and that’s a relief.”
Sound cybersecurity advice
Review your backups, advises the manager of the company that experienced the attack.
“And if you can keep a copy of backups off site, that’s preferred. Follow your backup vendors’ best practices on how to set them up so they’re isolated from your production environment. And test your backups.”
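The advice above comes down to two checks a practitioner can automate: the backup must restore, and what restores must be what was backed up. The following Python script is an added illustration of such a restore drill; it is not the company's or Rehmann's tooling. It builds a constructed "production" tree, writes a tar.gz backup together with a SHA-256 manifest, restores the archive into a scratch directory and compares every file against the manifest. It then takes a second backup after one file has been overwritten (standing in for a ransomware-encrypted file) and shows the manifest catching the damaged copy. All paths, file names and contents are made up for the example.

```python
"""Backup restore drill: back up a tree with a hash manifest, restore it into
a scratch directory, and prove every file came back intact.

Added illustration for "test your backups"; the directory layout, file
contents and archive names are constructed for the example and are not the
company's or Rehmann's tooling.
"""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write a tar.gz of source plus a manifest that travels with the off-site copy."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    # Keep the manifest with the isolated copy, not on the production host: an
    # attacker who can rewrite the backup must not be able to rewrite the
    # record used to check it.
    (archive.parent / (archive.name + ".manifest.json")).write_text(
        json.dumps(manifest, indent=1)
    )
    return manifest


def verify_restore(archive: Path, manifest: dict[str, str]) -> list[str]:
    """Restore into a throwaway directory and list every deviation from the manifest.

    An empty list means the copy restores cleanly; anything else is a reason to
    stop trusting this copy before an incident rather than during one.
    """
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # The "data" filter rejects members that would escape the target
            # directory (Python 3.12+, backported to 3.8.17/3.9.17/3.10.12/3.11.4).
            # Older interpreters fall back to plain extraction of this locally
            # built archive.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        restored = build_manifest(Path(scratch) / "data")
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def run_drill() -> tuple[int, list[str], list[str]]:
    """Constructed scenario: a clean nightly backup, then a copy taken after a file was overwritten."""
    with tempfile.TemporaryDirectory() as work:
        workdir = Path(work)
        prod = workdir / "production"
        (prod / "erp").mkdir(parents=True)
        (prod / "erp" / "orders.csv").write_text("id,qty\n1,5\n2,12\n")
        (prod / "hr.db").write_bytes(b"\x00constructed sample database\x00")

        nightly = workdir / "nightly.tar.gz"
        manifest = create_backup(prod, nightly)
        clean = verify_restore(nightly, manifest)

        # Simulate ransomware rewriting a production file and a backup job
        # dutifully capturing the damaged file afterwards.
        (prod / "erp" / "orders.csv").write_bytes(b"\x13\x37 not the original content")
        later = workdir / "after-incident.tar.gz"
        with tarfile.open(later, "w:gz") as tar:
            tar.add(prod, arcname="data")
        damaged = verify_restore(later, manifest)
    return len(manifest), clean, damaged


if __name__ == "__main__":
    count, clean, damaged = run_drill()
    print(f"{count} files in manifest; clean restore problems: {clean}; post-incident copy: {damaged}")
```

The restore is deliberately done into a fresh scratch directory rather than back onto the source tree, which mirrors the "isolated from your production environment" point: a drill that overwrites production is not a test. In a real schedule the manifest from the last known-good backup is the one compared against, so a later copy that silently captured encrypted files is flagged instead of replacing the good record.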
He also recommends following security best practices: use complex passwords and have users change passwords on a regular basis – especially for administrative accounts, which sometimes get overlooked.