How this Canadian Retailer is fighting back after a disastrous ransomware attack

About the client

It was the nightmare scenario that keeps CIOs up at night. A ransomware attack struck a Canadian retailer with devastating impact. In an instant, employees at over 300 locations were locked out of their systems. 

It took more than three weeks to fully recover. Here’s how they did it, and the steps they took to make sure that a disaster like this can’t happen again. 

 

The Canadian retailer supplies products directly to consumers and to other businesses through its retail locations and its website.   

The company was established, long before the Internet. Now, it employs over 5000 full and part-time employees. It works closely with over 200 suppliers around the world using a real-time inventory management system. 

The retailer isn’t named in this case study for security reasons. 

Challenges

AN ATTACK WITH A SERIOUS CONSEQUENCE

The attack couldn’t have happened at a worse time. It was March 2020, shortly after the pandemic was declared.  At a time when all companies were moving quickly to adapt to the new reality, the retailer’s entire business operations stopped. 

Why was it so bad?  The hackers took down the company’s Active Directory (AD). It’s a common target because it’s used to manage access to network resources.  Once the attackers get into AD, they can get the keys to everything and lock out everyone else. 

It caused havoc. The retailer’s point-of-sale system stopped working.  This meant that customers had to pay cash when people were trying to maintain social distancing. Online sales stalled, just after they had started to increase. Suppliers had no idea how much product to deliver without contacting each store directly. And, since systems were down, they were no longer getting paid promptly. 

The retailer’s existing service provider couldn’t fix it.  As is often the case, the company’s Active Directory had not been properly maintained. It was a challenge to find clean back-ups.  What’s more, Active Directory is extremely complicated and recovery in situations like this is a manual process. The problem was compounded by the fact that the company couldn’t even log on to start the process. It was time to call in the experts.  

Solutions and Benefits

RESTORING BUSINESS OPERATIONS

To get business up and running after a ransomware attack, the first thing that must be restored is Active Directory.  Based on its extensive experience with the technology, Itergy was brought in to do just that.   

Itergy focused solely on recovering AD, walking through a series of precise steps to ensure a safe restoral. In doing so, Itergy’s experts worked closely with the different teams working on the recovery to allow operations to resume as quickly as possible. 

Even with the right team in place, the complex restoration took more than a week. It was another two weeks before the retailer’s applications were fully working at all its locations. 

 

AN OUNCE OF PREVENTION

Once the crisis was over, the retailer turned to Itergy for a solution to prevent this level of damage from occurring again. If they were attacked again, they needed to be able to recover their AD in a matter of hours, not weeks. 

Itergy implemented a strong Active Directory Disaster Recovery solution to guarantee a quick recovery in case of another cyberattack.   

The solution treats AD backups separately from the retailer’s other systems, so that they can’t be accessed from the current environment. This ensures that any ransomware infection present in the operating system is not backed up with AD.   

Itergy uses immutable storage in a highly secure location. This means that once the data is stored, it can’t be modified, moved or deleted.   

In combination with the retailer’s infrastructure, the Itergy solution provides an isolated, off-site recovery environment. With automation, it can quickly spin up the backup from a particular point in time. 

Finally, the solution is proactive. Itergy tests the backup recovery process every three months. These tests are reviewed and verified by the retailer’s management to reassure them that the system is secure. “I can not stress this enough,” said Martin Fitzsimons, the Vice President of Enterprise Services at Itergy. “A comprehensive plan and regular testing are essential to a quick recovery after a ransomware attack.”