CASE STUDY

Ransomware Attack on Illinois School District

An Illinois School District recently had a ransomware attack hit their system. They immediately shut down all their servers and contacted HBS for assistance. They had no current backups because of a DC migration and was in threat of losing its data.

Solution

HBS earlier had configured Snapshots of all volumes to be taken regularly with Nimble. We took the following steps to get the servers back online:

Took one of the infected VM’s and brought it online without its network attached.
Reviewed the log file and found the time of infection as well as the file that carried the infection.
Translated the SID of the user and found it was a “Global Admin,” account that supposedly many people including some teachers used and knew the password to.
Changed the password of the corrupted account.
Made a clone of one of its snapshots, a snapshot that reported a size of only 5GB. When cloned that 5GB Snapshot was fully restored to a 5TB volume containing full copies of the needed virtual servers. (Process took about 30 seconds.)
Since this was a Hyper-V environment things are a little trickier. When working with Clustered CSV volumes you cannot link a cloned volume to any of the current members of the cluster as the cluster thinks it’s the exact same drive as the one you have currently attached. To get around this problem we ejected one node from the cluster, linked the restored cloned Nimble volume and copied our data back into the main Hyper-V Cluster from there.

Impact

After a short amount of time they had all of their servers functional again thanks to Nimble and HBS. Additional steps were taken to help prevent attacks in the future as well. This is one example of how HBS’s expertise can help protect your servers from ransomware attacks.

Solution Components

Restoring Servers

Technologies

Nimble
Hyper-V

Share

Copy Link