Production hall

Ransomware in action

Every minute, somewhere in the world, it is confirmed again that the most vulnerable link in IT security is the human being. Security risks in the online space can only be minimised, never eliminated. With the advanced technology almost all of us work with, a second's inattention or a click on a suspicious link is enough, and the problem is there. The manufacturing company Remeslo strojal, s.r.o., for which one such click ended up costing 130 thousand Euros, knows this well.

And we’re talking about a story with a happier ending. All the data was saved for the future thanks to the fortitude of the company’s managers and the quick intervention of third-party experts.
But let’s go back to March 2022 and the events step by step.

Remeslo strojal, s.r.o. is a part of the Remeslo holding and exports its engineering products to 17 countries worldwide. The attack was recorded early in the morning.

“A colleague told me he couldn’t open a file on a network drive. It had the extension .xlsx.kqgs,” begins the story of IT technician Richard Ševčík. The .kqgs did not belong there, so he removed it; the file’s contents, however, were still not correct, and the same extension was present in every directory on the network drive. “I was beginning to suspect that something was wrong. A message came from the economic department – we can’t open the accounting database – and other departments started reporting problems. These were not easy moments. We are encrypted,” he reported the obvious fact to the holding company management and took action.

He immediately shut down all the servers and switches in the company to cut off its network communication with the outside world. He contacted the company that handled the firewall, the Internet connection and the e-mail. That company recommended specialists from Bratislava with experience of similar situations to deal with the acute problem. It was clear that this was a ransomware attack: a file with decryption instructions had been dropped in the directory. The question of whether to pay the attacker was clearly on the table.
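The indicators described above (one unknown extension appended to documents in every directory of the share, plus a dropped file with decryption instructions) can be confirmed with a read-only scan before anything is touched. The script below is an added example, not Remeslo strojal’s or GAMO’s tooling; the .kqgs suffix comes from the article, while the list of document extensions, the ransom-note file names and the thresholds are assumptions, and the sample share it scans is constructed inline.

```python
"""Triage a file share for the ransomware pattern described in the article:
many documents whose real extension (.xlsx, .docx, ...) has one unknown suffix
appended, the same suffix present in nearly every directory, and a dropped
ransom note. Added example, not Remeslo strojal's or GAMO's code.
The .kqgs suffix is from the article; everything else here is an assumption."""
import os
import re
import tempfile
from collections import Counter, defaultdict

# Document types users actually work with on the share (assumption).
BUSINESS_EXTS = {".xlsx", ".xls", ".docx", ".doc", ".pdf", ".csv", ".mdb", ".txt"}
# Ransom notes are usually small text/html files with names like these (assumption).
NOTE_NAME_RE = re.compile(r"(readme|restore|decrypt|how_to|recover)", re.IGNORECASE)
NOTE_EXTS = {".txt", ".html", ".hta"}


def split_double_extension(name):
    """Return (base_ext, appended_ext) for names like 'report.xlsx.kqgs', i.e. a
    known document extension followed by one more unknown suffix, else None."""
    root, appended = os.path.splitext(name)
    _, base_ext = os.path.splitext(root)
    if appended and base_ext.lower() in BUSINESS_EXTS and appended.lower() not in BUSINESS_EXTS:
        return base_ext.lower(), appended.lower()
    return None


def scan_share(root):
    """Walk the share read-only (never rename, never open documents) and gather
    per-suffix file counts, the number of directories each suffix appears in,
    and candidate ransom notes."""
    appended_total = Counter()          # appended suffix -> files across the share
    dirs_with_ext = defaultdict(set)    # appended suffix -> directories it appears in
    notes = []
    dirs_scanned = 0
    for dirpath, _, filenames in os.walk(root):
        dirs_scanned += 1
        for fn in filenames:
            hit = split_double_extension(fn)
            if hit:
                appended_total[hit[1]] += 1
                dirs_with_ext[hit[1]].add(dirpath)
            elif os.path.splitext(fn)[1].lower() in NOTE_EXTS and NOTE_NAME_RE.search(fn):
                notes.append(os.path.join(dirpath, fn))
    return {
        "dirs_scanned": dirs_scanned,
        "appended_total": appended_total,
        "dirs_with_ext": {k: len(v) for k, v in dirs_with_ext.items()},
        "notes": notes,
    }


def verdict(report, min_files=20, min_dir_ratio=0.8):
    """Return the suspected ransomware suffix when one suffix dominates, appears
    in most directories and a note was dropped; otherwise None. The thresholds
    are illustrative assumptions and should be tuned to the share's size."""
    if not report["appended_total"]:
        return None
    ext, count = report["appended_total"].most_common(1)[0]
    ratio = report["dirs_with_ext"][ext] / max(report["dirs_scanned"], 1)
    if count >= min_files and ratio >= min_dir_ratio and report["notes"]:
        return ext
    return None


def build_sample_share():
    """Constructed sample: five department folders, every document renamed to
    <name>.xlsx.kqgs, one note per folder, plus one legitimate double extension
    (backup.xlsx.bak) that must not be mistaken for the ransomware suffix."""
    root = tempfile.mkdtemp(prefix="share_")
    for dept in ["accounting", "sales", "production", "hr", "it"]:
        d = os.path.join(root, dept)
        os.makedirs(d)
        for i in range(5):
            open(os.path.join(d, f"report_{i}.xlsx.kqgs"), "w").close()
        open(os.path.join(d, "RESTORE_FILES.txt"), "w").close()
    open(os.path.join(root, "it", "backup.xlsx.bak"), "w").close()
    return root


if __name__ == "__main__":
    rep = scan_share(build_sample_share())
    print("suffix counts:", dict(rep["appended_total"]))
    print("dirs per suffix:", rep["dirs_with_ext"])
    print("notes:", len(rep["notes"]), "verdict:", verdict(rep))
```

The scan deliberately only reads directory listings: stripping the appended suffix, as the technician first tried, does nothing for a file whose contents have been encrypted, and renaming or opening files on a share that is still being encrypted only destroys evidence. Run it from a clean machine against the share, note the suffix and the note file, and only then move on to containment.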

“In these cases, you always have only two options. Pay the attacker a ransom and wait to see if he actually sends the promised decryption key, or rely on restoring the data from backups. We paid,” admits Richard Ševčík. He adds that the amount was, fortunately, not ruinous, and that the attacker actually sent a working decryptor, which decrypted the necessary data.

Solutions after decryption

The company subsequently purchased 5 computers for the IT staff to rebuild a “clean” local area network on. They loaded data from backups that had not been compromised. The decrypted data, including the accounting data, was run through antivirus scanners: “It was really a highly demanding, meticulous job.”

It was also fortunate that the attacker did not get further than the network directories, that the backups were in good condition, and that Remeslo strojal’s production software was still working.

At the same time, they switched the network switches back on and monitored the activity of the compromised computers on the network. They set up a makeshift workplace for their colleagues: a conference room with five computers, on which accountants and production staff took turns for the time being. After determining that the production server had not been compromised, they reconnected the 3 computers that worked with the production server.

“We set up a crisis team, with regular daily meetings between management and production and economists to decide on next steps: how to ensure communication via emails, how to meet obligations and deliver economic data to the state, how to quickly apply for VAT deferrals, and so on. It was a lot,” confirms Richard Ševčík, who is grateful for the absolute commitment of all his colleagues.

Towards the future

Richard Ševčík also admits that, fortunately, they have not heard from the attacker again. “Of course, we reported the case to the police, and they have started a criminal prosecution against the unknown perpetrator. However, from the experience of other companies and individuals who have been attacked, we do not expect the ‘ransom’ to be returned. We are moving on, more cautiously.”

After the first difficult week, the attacked company from Žiar nad Hronom approached experts from the Banská Bystrica company GAMO, a. s., which had dealt with a similar case nearby, in Kremnica. The task was a complete design of a recovery system for a company hit by a ransomware attack, including delivery of the solution.

Remeslo strojal, s.r.o. needed a LAN infrastructure with a secure connection to and from the Internet, a server infrastructure and a unified desktop environment for work. In the presence of the company’s management and invited guests, GAMO and its team then developed a phased recovery plan. They left the choice between deploying the solution in the cloud or building servers in-house to the attacked company.

“I had a lot of phone calls and e-mail communication with accounting and payroll software suppliers, the supplier of the production program and GAMO specialists to choose the most suitable and secure solution for us,” explains the IT technician. “The result was to stay with the data on the on-premise infrastructure, i.e. on our servers.”

Third Party Solutions

Remeslo strojal, s.r.o., retrospectively assesses the state of security before the attack and today as follows: “We had anti-virus software installed on individual computers, we had a firewall and backups secured. However, we only had the network on Workgroup, without a domain server, which is certainly not enough for today.”

The solution from GAMO a. s. was designed to meet the highest standards of data security and protection. Richard Ševčík: “The designs were correct and at a high technical and professional level. We decided to work together for a secure and financially viable solution.”

Let’s recap the essentials.

What were the reasons for the renewal of the infrastructure?

  • Replacement and consolidation of obsolete hardware equipment;
  • Moving to a virtualization platform that will simplify operations and allow systems to be further developed in the future;
  • Devices with active manufacturer support, i.e. a guaranteed warranty under which a failed device is replaced with a new one at short notice;
  • Increase overall security when working with company data.

The task of the specialists was to create a hardware foundation that would enable long-term, stable operation of the information system: a solution that the company can develop further over time, that is easy to manage, and that increases the resilience of the systems.

The finale in practice

GAMO gradually delivered new servers, computers and laptops, and clean, checked data started to be loaded onto them. In the meantime, data from the old computers was copied to USB keys and sent for antivirus checking to Banská Bystrica, the headquarters of GAMO, a. s. The attacked company purchased a new domain, remeslostrojal.sk, under which the data was uploaded, including directly into applications in the cloud environment. The folders of individual employees from the checked USB keys were stored in Microsoft 365, and all 62 newly purchased computers were gradually connected to the network. At the same time, work was under way to divide the network into individual segments and to set up new rules. Staff training was conducted, and strict restrictions, policies and rules for appropriate user behaviour on the Internet were put in place.

“We purchased equipment onto which the backups from the old servers were loaded. It was a large amount of data that was checked for several days before being stored on the device. There was almost a 6-month wait for new switches, due to the shortage of dedicated chips on the market. It was only after about 7 months that we got back to normal and started all the programs; the expenses so far have amounted to 130 thousand Euros,” the IT technician sums up the months-long journey.

A journey triggered by one unfortunate click.

Good news in conclusion

The situation caused by the cyber attack forced Remeslo strojal, s.r.o. to abandon its gradual digital transformation and take a big leap. From a level of 10 years ago, they stepped fully into the environment of a modern digital office and started working with Microsoft 365 systems and applications at all levels. These enable seamless collaboration and easy communication and, most importantly, protect identities and devices. Thanks to EDR technology, this successful manufacturing company today has a detailed view of threats in its systems, detecting unusual behaviour and security breaches.

The steps Remeslo strojal took after the attack, in order
  1. Creation of a crisis team, through which management stayed in contact with production and the economic department.
  2. Handling data recovery through experts with experience of attackers and data recovery, and setting up a temporary workplace in makeshift conditions on about 5 computers, later 10.
  3. Engaging a company to supply new hardware or reinstall compromised PCs and build a new network infrastructure designed around security.
  4. Gradual deployment of new PCs for production, the economic department and sales.
  5. Creating new rules on the network.
  6. Setting up printers, transferring clean data from the old computers to the new ones, and deploying the programs individual users need for their work.

Published: 21. December 2022

Branislav Lupták

Software solutions

GAMO a.s.

This article is part of magazine no.
