Ransomware Resolution: How One Business Recovered

October is Cybersecurity Awareness Month when government agencies and private industry works together to raise awareness about the importance of digital security. While news headlines focus on the impact of cybercrime against governments and large corporations, ransomware has become the No. 1 cyber threat to small businesses. Ransomware is a type of malicious software that encrypts a business’s data so it cannot be viewed or utilized until a ransom payment is made. The following story is an account of how one business fell victim to a ransomware attack and how its retail technology provider – Paladin Data Corporation – helped it recover.

Before business hours on an early Monday morning, the owner of seven retail hardware stores logged on to his business network from his home computer, as was his normal routine.  However, this morning was different; he noticed that someone other than himself had also logged on to the network as an administrator. A short time later his home printer, seemingly possessed, spit out several sheets of paper with a note informing him that his computers had been infected with ransomware.

You can only imagine how I felt reading this. I immediately shut down and disconnected each of my computers and the home network.
Store owner

A little later that same morning, one of the store managers arrived at work and turned on his computer to find an error message saying that it could not access the operating files. After a series of phone calls, both the store owner and the manager came to learn that 100 terminals across their seven stores were affected by ransomware.

The hardware company owner says he believes that whoever struck his business counted on having the weekend to activate the ransomware and get out before being detected. It was his habit of working early mornings that allowed him to spot the activity and get a jump on damage control.

The Response

It’s important to note that the store owner is technologically savvy and his stores have a dedicated IT manager and a variety of security protocols.

After discovering their business network had been compromised, the business owner informed his information technology lead, their IT provider, and Paladin Data Corporation – their point-of-sale solution provider. Working with store management and the IT provider, Paladin went to work to alleviate the threat and get the stores running again.

Paladin initiated the following approach to stop the spread and rebuild the network.

1) Stop the spread.

“First, you isolate all the hardware from getting infected and prevent further spread,” said Paladin COO Ryan Dunn. “We had them unplug every PC from their network.”

2) Establish communication.

Make sure communication is clear. “We established clear communications with the business owner, store managers, supervisors, IT people – whomever we were dealing with during this event,” Dunn added.

3) Check the integrity of the computers.

“Once the spread of the ransomware was stopped, once you’re in a controlled situation, then you do damage assessments,” he explained.

4) Get the stores open and running.

“Once we determined that all the computers in the network were infected, we developed a plan to get the stores up and running again,” Dunn said.

The Findings

In their inspection of the business network and database, Paladin’s Managed Services technicians found computers on the network had been affected with BlackByte ransomware. It is suspected that the ransomware entered the stores’ business network through Exchange Server, Microsoft’s corporate email server used mostly by businesses that wish to host their own email.

According to Trend Micro, BlackByte first drew the attention of the FBI and the U.S. Secret Service in July 2021. Since then it has been used extensively to attack government agencies and facilities, financial organizations, and food and agricultural businesses.

As ransomware as a service (RaaS), BlackByte has been used relatively little against retail businesses – a little over 1% of the recorded attacks included retail.

Rebuilding the Retail Point of Sale

Following the attack, Paladin had all the stores operable within hours. Within days the Paladin technicians and the stores’ employees had all the Paladin-configured PCs running at full strength.

With a wipe of the hard drive and a fresh install of Windows and Paladin POS, we were able to get going without any of the ransomware. We really didn’t lose any data.
Store owner

Paladin was able to get the stores’ retail point of sale up and running because the store owner had:

  • Paladin Managed Services – The retail hardware company protected itself with Trend Micro antivirus and Paladin’s Defense Pack, which automatically backs up files on all its computers. The company’s DataWise™ service automatically backs up point-of-sale data throughout the day while SystemWise™ backs up all the data on a computer nightly.
  • Paladin-configured computers – The store owner purchased most of its point-of-sale PCs from Paladin. These computers were configured with Paladin Point of Sale, which made cleaning them out and reconfiguring them a relatively straightforward process. Flash drives of a clean operating system were sent overnight to the stores and a team of Paladin technicians did much of the work remotely.

Back Open for Business

While Paladin was working on reconfiguring the hardware, the seven store locations opened to customers on a cash-only basis (hand-writing tickets and SKUs), and within hours of the attack the Paladin technicians had them up and running on Paladin Point of Sale. Each of the stores had the ability to serve customers and process payment cards.

Paladin was on the case right away. I could not be happier with the level of attention we received. Both Paladin and [our IT provider] went into all-hands-on-deck mode to get this solved.
Store owner

Looking back

Following the ransomware attack, the retail hardware store owner worked with his insurance company and forensic investigators to find out exactly what happened. After a detailed examination of one of his old PCs, the company discovered that the ransomware was probably installed close to a year before it was activated. It was probably activated by a person or group separate from the one that originally installed it.

He credits Paladin, his IT providers, and some of his employees for limiting the damage.

“The Paladin folks and [our IT providers] worked together quite closely, which was marvelous. The combination of assets between the two companies streamlined the process of getting us going again,” he explained. “Some of the younger people who work for us are good with computers. They offered to step up and help us out, and boy they were helpful. We had these people who were store clerks by day and became IT support when we needed them.

“We are now at the two-month mark. We thought we might lose customer data and employee data. What we found out was that we really lost nothing. We got really lucky,” he added.

Despite the upheaval to his business and life, the owner says he still believes strongly in business technology.

I’m a big believer in technology. This has been a nightmare and it’s been stressful, but a law firm I’m working with told me ‘You came out of this spectacularly. The fact that you were able to come out of this without losing any of your data and without paying any ransom, you’re an example of how to get through this.’

Store owner

Note: This group of hardware stores is a substantial operation, but its locations hardly make it an obvious target for hackers. Location doesn’t matter anymore. Assuming rural areas and small independent businesses aren’t being targeted is a false sense of security.

Click here to learn what you can do to help reduce your chances of being affected by a ransomware attack.