“It was all very strange. There was a file I couldn’t open and it had an odd filename extension -.encrypted,” said an employee on an entirely normal Thursday at the large Danish architecture firm Arkitema. The firm had been attacked by ransomware. “It’s going to be a tough weekend!” said the head of IT.
Arkitema is a successful architectural firm with 500 employees and offices in Denmark, Norway and Sweden. Being attacked by ransomware wasn’t part of the plan. And it happened twice. “The first time wasn’t that serious – but the second time was awful,” says Michael Morgen, CIO at Arkitema.
That Thursday when the employee called the IT department was the kickoff to the second incident, which turned out to be a costly one for the firm.
Employees went home
“We have extremely large amounts of data, so it took a long time to get an overview about what had been destroyed. Then we figured out that we could pretty much restore everything. Most of the staff went home – because they couldn’t really do any work. Within a couple of hours the office was empty.” On the other hand, Michael and his IT department didn’t get home for more than 48 hours.
An expensive incident
Fortunately, Arkitema could indeed restore its data, because it had a good back-up service. But it took awhile to get everybody working again. “We lost three to four hours of production, and the way it turned out, our team couldn’t really get started working again before the next day. It was almost a week before we were really working 100% again,” says Michael.
All in all, he estimated that the downtime cost the company DK 1 million in lost working hours.
Well-protected – but not well enough
But how did ransomware even get into Arkitema’s system? The firm had a firewall, anti-virus protection and spamfighters.
“The problem is, it can be very hard to protect yourself against ransomware. But we found out afterwards that there actually were some more things we could be doing to protect ourselves in the future,” Michaels says.
Made an investment in IT protection starting Monday morning
On the Monday morning after the incident, the team was ready to take action. “We decided to invest in iboss,” the CIO said.
iboss Firesphere is a solution that gives companies an extra layer of security by keeping an eye on traffic on all 65535 network ports – in both directions and for both TCP and UDP. In addition to malware scanning and sandboxing, iboss Firesphere reacts to risky traffic by delivering warnings or isolating machines.
Arkitema has also activated more functions in its Sophos firewall – such as web filtering, antivirus, antispam, antispyware – and has two Sophos boxes ready, so one takes over if the other has downtime. All in all, the company now uses three different virus scanners between the internet and the workplace.
Focus on employee behavior
Another important ‘keep it clean’ parameter is user behavior.
“I’ve spent a lot of time changing user mindsets. I tell people: If it looks weird, it is weird. And don’t ever click on a link in an email, and so on,” the CIO says.
How are things going now that the new measures have been put in place?
“I get a report from iboss so I can see what it’s stopping. And it’s all sorts of strange stuff. Since we got iboss we haven’t had any ransomware problems. It looks like iboss is doing a great job keeping junk out of our systems,” says Michael Morgen.